diff --git a/linkerd.io/serviceprofile_v1alpha1.json b/linkerd.io/serviceprofile_v1alpha1.json new file mode 100644 index 00000000..a281b63b --- /dev/null +++ b/linkerd.io/serviceprofile_v1alpha1.json @@ -0,0 +1,189 @@ +{ + "properties": { + "spec": { + "description": "Spec is the custom resource spec", + "properties": { + "dstOverrides": { + "items": { + "description": "WeightedDst is a weighted alternate destination.", + "properties": { + "authority": { + "type": "string" + }, + "weight": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", + "x-kubernetes-int-or-string": true + } + }, + "type": "object", + "additionalProperties": false + }, + "required": [ + "authority", + "weight" + ], + "type": "array" + }, + "opaquePorts": { + "items": { + "type": "string" + }, + "type": "array" + }, + "retryBudget": { + "description": "RetryBudget describes the maximum number of retries that should be issued to this service.", + "properties": { + "minRetriesPerSecond": { + "format": "int32", + "type": "integer" + }, + "retryRatio": { + "format": "float", + "type": "number" + }, + "ttl": { + "type": "string" + } + }, + "required": [ + "minRetriesPerSecond", + "retryRatio", + "ttl" + ], + "type": "object", + "additionalProperties": false + }, + "routes": { + "items": { + "description": "RouteSpec specifies a Route resource.", + "properties": { + "condition": { + "description": "RequestMatch describes the conditions under which to match a Route.", + "properties": { + "all": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "any": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "method": { + "type": "string" + }, + "not": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "pathRegex": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "isRetryable": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "responseClasses": { + "items": { + "description": "ResponseClass describes how to classify a response (e.g. success or failures).", + "properties": { + "condition": { + "description": "ResponseMatch describes the conditions under which to classify a response.", + "properties": { + "all": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "any": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "not": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "status": { + "description": "Range describes a range of integers (e.g. status codes).", + "properties": { + "max": { + "format": "int32", + "type": "integer" + }, + "min": { + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "isFailure": { + "type": "boolean" + } + }, + "required": [ + "condition" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "timeout": { + "type": "string" + } + }, + "required": [ + "condition", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "required": [ + "routes" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/linkerd.io/serviceprofile_v1alpha2.json b/linkerd.io/serviceprofile_v1alpha2.json new file mode 100644 index 00000000..e7232efe --- /dev/null +++ b/linkerd.io/serviceprofile_v1alpha2.json @@ -0,0 +1,186 @@ +{ + "properties": { + "spec": { + "description": "Spec is the custom resource spec", + "properties": { + "dstOverrides": { + "items": { + "description": "WeightedDst is a weighted alternate destination.", + "properties": { + "authority": { + "type": "string" + }, + "weight": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", + "x-kubernetes-int-or-string": true + } + }, + "type": "object", + "additionalProperties": false + }, + "required": [ + "authority", + "weight" + ], + "type": "array" + }, + "opaquePorts": { + "items": { + "type": "string" + }, + "type": "array" + }, + "retryBudget": { + "description": "RetryBudget describes the maximum number of retries that should be issued to this service.", + "properties": { + "minRetriesPerSecond": { + "format": "int32", + "type": "integer" + }, + "retryRatio": { + "format": "float", + "type": "number" + }, + "ttl": { + "type": "string" + } + }, + "required": [ + "minRetriesPerSecond", + "retryRatio", + "ttl" + ], + "type": "object", + "additionalProperties": false + }, + "routes": { + "items": { + "description": "RouteSpec specifies a Route resource.", + "properties": { + "condition": { + "description": "RequestMatch describes the conditions under which to match a Route.", + "properties": { + "all": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "any": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "method": { + "type": "string" + }, + "not": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "pathRegex": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "isRetryable": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "responseClasses": { + "items": { + "description": "ResponseClass describes how to classify a response (e.g. success or failures).", + "properties": { + "condition": { + "description": "ResponseMatch describes the conditions under which to classify a response.", + "properties": { + "all": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "any": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "not": { + "items": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + }, + "type": "array" + }, + "status": { + "description": "Range describes a range of integers (e.g. status codes).", + "properties": { + "max": { + "format": "int32", + "type": "integer" + }, + "min": { + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "isFailure": { + "type": "boolean" + } + }, + "required": [ + "condition" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "timeout": { + "type": "string" + } + }, + "required": [ + "condition", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/policy.linkerd.io/authorizationpolicy_v1alpha1.json b/policy.linkerd.io/authorizationpolicy_v1alpha1.json new file mode 100644 index 00000000..4d95f2c0 --- /dev/null +++ b/policy.linkerd.io/authorizationpolicy_v1alpha1.json @@ -0,0 +1,87 @@ +{ + "properties": { + "spec": { + "description": "Authorizes clients to communicate with Linkerd-proxied server resources.", + "properties": { + "requiredAuthenticationRefs": { + "description": "RequiredAuthenticationRefs enumerates a set of required authentications. ALL authentications must be satisfied for the authorization to apply. If any of the referred objects cannot be found, the authorization will be ignored.", + "items": { + "properties": { + "group": { + "description": "Group is the group of the referent. When empty, the Kubernetes core API group is inferred.\"", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "description": "Kind is the kind of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Name is the name of the referent. When unspecified, this authentication refers to the local namespace.", + "maxLength": 253, + "type": "string" + } + }, + "required": [ + "kind", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "targetRef": { + "description": "TargetRef references a resource to which the authorization policy applies.", + "properties": { + "group": { + "description": "Group is the group of the referent. When empty, the Kubernetes core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "description": "Kind is the kind of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "kind", + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "targetRef", + "requiredAuthenticationRefs" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/httproute_v1.json b/policy.linkerd.io/httproute_v1.json new file mode 100644 index 00000000..64481a22 --- /dev/null +++ b/policy.linkerd.io/httproute_v1.json @@ -0,0 +1,1586 @@ +{ + "description": "HTTPRoute provides a way to route HTTP requests. This includes the capability\nto match requests by hostname, path, header, or query param. Filters can be\nused to specify additional processing steps. Backends specify where matching\nrequests should be routed.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "Spec defines the desired state of HTTPRoute.", + "properties": { + "hostnames": { + "description": "Hostnames defines a set of hostnames that should match against the HTTP Host\nheader to select a HTTPRoute used to process the request. Implementations\nMUST ignore any port value specified in the HTTP Host header while\nperforming a match and (absent of any applicable header modification\nconfiguration) MUST forward this header unmodified to the backend.\n\nValid values for Hostnames are determined by RFC 1123 definition of a\nhostname with 2 notable exceptions:\n\n1. IPs are not allowed.\n2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\n label must appear by itself as the first label.\n\nIf a hostname is specified by both the Listener and HTTPRoute, there\nmust be at least one intersecting hostname for the HTTPRoute to be\nattached to the Listener. For example:\n\n* A Listener with `test.example.com` as the hostname matches HTTPRoutes\n that have either not specified any hostnames, or have specified at\n least one of `test.example.com` or `*.example.com`.\n* A Listener with `*.example.com` as the hostname matches HTTPRoutes\n that have either not specified any hostnames or have specified at least\n one hostname that matches the Listener hostname. For example,\n `*.example.com`, `test.example.com`, and `foo.test.example.com` would\n all match. On the other hand, `example.com` and `test.example.net` would\n not match.\n\nHostnames that are prefixed with a wildcard label (`*.`) are interpreted\nas a suffix match. That means that a match for `*.example.com` would match\nboth `test.example.com`, and `foo.test.example.com`, but not `example.com`.\n\nIf both the Listener and HTTPRoute have specified hostnames, any\nHTTPRoute hostnames that do not match the Listener hostname MUST be\nignored. For example, if a Listener specified `*.example.com`, and the\nHTTPRoute specified `test.example.com` and `test.example.net`,\n`test.example.net` must not be considered for a match.\n\nIf both the Listener and HTTPRoute have specified hostnames, and none\nmatch with the criteria above, then the HTTPRoute is not accepted. The\nimplementation must raise an 'Accepted' Condition with a status of\n`False` in the corresponding RouteParentStatus.\n\nIn the event that multiple HTTPRoutes specify intersecting hostnames (e.g.\noverlapping wildcard matching and exact matching hostnames), precedence must\nbe given to rules from the HTTPRoute with the largest number of:\n\n* Characters in a matching non-wildcard hostname.\n* Characters in a matching hostname.\n\nIf ties exist across multiple Routes, the matching precedence rules for\nHTTPRouteMatches takes over.\n\nSupport: Core", + "items": { + "description": "Hostname is the fully qualified domain name of a network host. This matches\nthe RFC 1123 definition of a hostname with 2 notable exceptions:\n\n 1. IPs are not allowed.\n 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\n label must appear by itself as the first label.\n\nHostname can be \"precise\" which is a domain name without the terminating\ndot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a\ndomain name prefixed with a single wildcard label (e.g. `*.example.com`).\n\nNote that as per RFC1035 and RFC1123, a *label* must consist of lower case\nalphanumeric characters or '-', and must start and end with an alphanumeric\ncharacter. No other punctuation is allowed.", + "maxLength": 253, + "minLength": 1, + "pattern": "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "parentRefs": { + "description": "ParentRefs references the resources (usually Gateways) that a Route wants\nto be attached to. Note that the referenced parent resource needs to\nallow this for the attachment to be complete. For Gateways, that means\nthe Gateway needs to allow attachment from Routes of this kind and\nnamespace. For Services, that means the Service must either be in the same\nnamespace for a \"producer\" route, or the mesh implementation must support\nand allow \"consumer\" routes for the referenced Service. ReferenceGrant is\nnot applicable for governing ParentRefs to Services - it is not possible to\ncreate a \"producer\" route for a Service in a different namespace from the\nRoute.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nThis API may be extended in the future to support additional kinds of parent\nresources.\n\nParentRefs must be _distinct_. This means either that:\n\n* They select different objects. If this is the case, then parentRef\n entries are distinct. In terms of fields, this means that the\n multi-part key defined by `group`, `kind`, `namespace`, and `name` must\n be unique across all parentRef entries in the Route.\n* They do not select different objects, but for each optional field used,\n each ParentRef that selects the same object must set the same set of\n optional fields to different values. If one ParentRef sets a\n combination of optional fields, all must set the same combination.\n\nSome examples:\n\n* If one ParentRef sets `sectionName`, all ParentRefs referencing the\n same object must also set `sectionName`.\n* If one ParentRef sets `port`, all ParentRefs referencing the same\n object must also set `port`.\n* If one ParentRef sets `sectionName` and `port`, all ParentRefs\n referencing the same object must also set `sectionName` and `port`.\n\nIt is possible to separately reference multiple distinct objects that may\nbe collapsed by an implementation. For example, some implementations may\nchoose to merge compatible Gateway Listeners together. If that is the\ncase, the list of routes attached to those resources should also be\nmerged.\n\nNote that for ParentRefs that cross namespace boundaries, there are specific\nrules. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. For example,\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable other kinds of cross-namespace reference.\n\n\n\n\n\n\n", + "items": { + "description": "ParentReference identifies an API object (usually a Gateway) that can be considered\na parent of this resource (usually a route). There are two kinds of parent resources\nwith \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nThis API may be extended in the future to support additional kinds of parent\nresources.\n\nThe API object must be valid in the cluster; the Group and Kind must\nbe registered in the cluster for this reference to be valid.", + "properties": { + "group": { + "default": "gateway.networking.k8s.io", + "description": "Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.\n\nSupport: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n\n\nSupport: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array", + "x-kubernetes-validations": [ + { + "message": "sectionName must be specified when parentRefs includes 2 or more references to the same parent", + "rule": "self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) || p1.sectionName == '') == (!has(p2.sectionName) || p2.sectionName == '')) : true))" + }, + { + "message": "sectionName must be unique when parentRefs includes 2 or more references to the same parent", + "rule": "self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))" + } + ] + }, + "rules": { + "default": [ + { + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ] + } + ], + "description": "Rules are a list of HTTP matchers, filters and actions.\n\n", + "items": { + "description": "HTTPRouteRule defines semantics for matching an HTTP request based on\nconditions (matches), processing it (filters), and forwarding the request to\nan API object (backendRefs).", + "properties": { + "backendRefs": { + "description": "BackendRefs defines the backend(s) where matching requests should be\nsent.\n\nFailure behavior here depends on how many BackendRefs are specified and\nhow many are invalid.\n\nIf *all* entries in BackendRefs are invalid, and there are also no filters\nspecified in this route rule, *all* traffic which matches this rule MUST\nreceive a 500 status code.\n\nSee the HTTPBackendRef definition for the rules about what makes a single\nHTTPBackendRef invalid.\n\nWhen a HTTPBackendRef is invalid, 500 status codes MUST be returned for\nrequests that would have otherwise been routed to an invalid backend. If\nmultiple backends are specified, and some are invalid, the proportion of\nrequests that would otherwise have been routed to an invalid backend\nMUST receive a 500 status code.\n\nFor example, if two backends are specified with equal weights, and one is\ninvalid, 50 percent of traffic must receive a 500. Implementations may\nchoose how that 50 percent is determined.\n\nWhen a HTTPBackendRef refers to a Service that has no ready endpoints,\nimplementations SHOULD return a 503 for requests to that backend instead.\nIf an implementation chooses to do this, all of the above rules for 500 responses\nMUST also apply for responses that return a 503.\n\nSupport: Core for Kubernetes Service\n\nSupport: Extended for Kubernetes ServiceImport\n\nSupport: Implementation-specific for any other resource\n\nSupport for weight: Core", + "items": { + "description": "HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.\n\nNote that when a namespace different than the local namespace is specified, a\nReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\n\n\nWhen the BackendRef points to a Kubernetes Service, implementations SHOULD\nhonor the appProtocol field if it is set for the target Service Port.\n\nImplementations supporting appProtocol SHOULD recognize the Kubernetes\nStandard Application Protocols defined in KEP-3726.\n\nIf a Service appProtocol isn't specified, an implementation MAY infer the\nbackend protocol through its own means. Implementations MAY infer the\nprotocol from the Route type referring to the backend Service.\n\nIf a Route is not able to send traffic to the backend using the specified\nprotocol then the backend is considered invalid. Implementations MUST set the\n\"ResolvedRefs\" condition to \"False\" with the \"UnsupportedProtocol\" reason.\n\n", + "properties": { + "filters": { + "description": "Filters defined at this level should be executed if and only if the\nrequest is being forwarded to the backend defined here.\n\nSupport: Implementation-specific (For broader support of filters, use the\nFilters field in HTTPRouteRule.)", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the\nrequest or response lifecycle. HTTPRouteFilters are meant as an extension\npoint to express processing that may be done in Gateway implementations. Some\nexamples include request or response modification, implementing\nauthentication strategies, rate-limiting, and traffic shaping. API\nguarantee/conformance is defined based on the type of the filter.", + "properties": { + "extensionRef": { + "description": "ExtensionRef is an optional, implementation-specific extension to the\n\"filter\" behavior. For example, resource \"myroutefilter\" in group\n\"networking.example.net\"). ExtensionRef MUST NOT be used for core and\nextended filters.\n\nThis filter can be used multiple times within the same rule.\n\nSupport: Implementation-specific", + "properties": { + "group": { + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "description": "Kind is kind of the referent. For example \"HTTPRoute\" or \"Service\".", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "group", + "kind", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request\nheaders.\n\nSupport: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request\nbefore the action. It appends to any existing values associated\nwith the header name.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n add:\n - name: \"my-header\"\n value: \"bar,baz\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The\nvalue of Remove is a list of HTTP header names. Note that the header\nnames are case-insensitive (see\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\n\nInput:\n GET /foo HTTP/1.1\n my-header1: foo\n my-header2: bar\n my-header3: baz\n\nConfig:\n remove: [\"my-header1\", \"my-header3\"]\n\nOutput:\n GET /foo HTTP/1.1\n my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value)\nbefore the action.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n set:\n - name: \"my-header\"\n value: \"bar\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestMirror": { + "description": "RequestMirror defines a schema for a filter that mirrors requests.\nRequests are sent to the specified destination, but responses from\nthat destination are ignored.\n\nThis filter can be used multiple times within the same rule. Note that\nnot all implementations will be able to support mirroring to multiple\nbackends.\n\nSupport: Extended\n\n", + "properties": { + "backendRef": { + "description": "BackendRef references a resource where mirrored requests are sent.\n\nMirrored requests must be sent only to a single destination endpoint\nwithin this BackendRef, irrespective of how many endpoints are present\nwithin this BackendRef.\n\nIf the referent cannot be found, this BackendRef is invalid and must be\ndropped from the Gateway. The controller must ensure the \"ResolvedRefs\"\ncondition on the Route status is set to `status: False` and not configure\nthis backend in the underlying implementation.\n\nIf there is a cross-namespace reference to an *existing* object\nthat is not allowed by a ReferenceGrant, the controller must ensure the\n\"ResolvedRefs\" condition on the Route is set to `status: False`,\nwith the \"RefNotPermitted\" reason and not configure this backend in the\nunderlying implementation.\n\nIn either error case, the Message of the `ResolvedRefs` Condition\nshould be used to provide more detail about the problem.\n\nSupport: Extended for Kubernetes Service\n\nSupport: Implementation-specific for any other resource", + "properties": { + "group": { + "default": "", + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Service", + "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "name" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "Must have port for Service reference", + "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" + } + ], + "additionalProperties": false + } + }, + "required": [ + "backendRef" + ], + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the\nrequest with an HTTP redirection.\n\nSupport: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location`\nheader in the response.\nWhen empty, the hostname in the `Host` header of the request is used.\n\nSupport: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request.\nThe modified path is then used to construct the `Location` header. When\nempty, the request path is used as-is.\n\nSupport: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path\nof a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix\nmatch of a request during a rewrite or redirect. For example, a request\nto \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch\nof \"/xyz\" would be modified to \"/xyz/bar\".\n\nNote that this matches the behavior of the PathPrefix match type. This\nmatches full path elements. A path element refers to the list of labels\nin the path split by the `/` separator. When specified, a trailing `/` is\nignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\nmatch the prefix `/abc`, but the path `/abcd` would not.\n\nReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\nUsing any other HTTPRouteMatch type on the same HTTPRouteRule will result in\nthe implementation setting the Accepted Condition for the Route to `status: False`.\n\nRequest Path | Prefix Match | Replace Prefix | Modified Path", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be\nadded in a future release of the API.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "replaceFullPath must be specified when type is set to 'ReplaceFullPath'", + "rule": "self.type == 'ReplaceFullPath' ? has(self.replaceFullPath) : true" + }, + { + "message": "type must be 'ReplaceFullPath' when replaceFullPath is set", + "rule": "has(self.replaceFullPath) ? self.type == 'ReplaceFullPath' : true" + }, + { + "message": "replacePrefixMatch must be specified when type is set to 'ReplacePrefixMatch'", + "rule": "self.type == 'ReplacePrefixMatch' ? has(self.replacePrefixMatch) : true" + }, + { + "message": "type must be 'ReplacePrefixMatch' when replacePrefixMatch is set", + "rule": "has(self.replacePrefixMatch) ? self.type == 'ReplacePrefixMatch' : true" + } + ], + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location`\nheader in the response.\n\nIf no port is specified, the redirect port MUST be derived using the\nfollowing rules:\n\n* If redirect scheme is not-empty, the redirect port MUST be the well-known\n port associated with the redirect scheme. Specifically \"http\" to port 80\n and \"https\" to port 443. If the redirect scheme does not have a\n well-known port, the listener port of the Gateway SHOULD be used.\n* If redirect scheme is empty, the redirect port MUST be the Gateway\n Listener port.\n\nImplementations SHOULD NOT add the port number in the 'Location'\nheader in the following cases:\n\n* A Location header that will use HTTP (whether that is determined via\n the Listener protocol or the Scheme field) _and_ use port 80.\n* A Location header that will use HTTPS (whether that is determined via\n the Listener protocol or the Scheme field) _and_ use port 443.\n\nSupport: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in\nthe response. When empty, the scheme of the request is used.\n\nScheme redirects can affect the port of the redirect, for more information,\nrefer to the documentation for the port field of this filter.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.\n\nSupport: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.\n\nSupport: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "responseHeaderModifier": { + "description": "ResponseHeaderModifier defines a schema for a filter that modifies response\nheaders.\n\nSupport: Extended", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request\nbefore the action. It appends to any existing values associated\nwith the header name.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n add:\n - name: \"my-header\"\n value: \"bar,baz\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The\nvalue of Remove is a list of HTTP header names. Note that the header\nnames are case-insensitive (see\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\n\nInput:\n GET /foo HTTP/1.1\n my-header1: foo\n my-header2: bar\n my-header3: baz\n\nConfig:\n remove: [\"my-header1\", \"my-header3\"]\n\nOutput:\n GET /foo HTTP/1.1\n my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value)\nbefore the action.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n set:\n - name: \"my-header\"\n value: \"bar\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields,\ntypes are classified into three conformance levels:\n\n- Core: Filter types and their corresponding configuration defined by\n \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All\n implementations must support core filters.\n\n- Extended: Filter types and their corresponding configuration defined by\n \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers\n are encouraged to support extended filters.\n\n- Implementation-specific: Filters that are defined and supported by\n specific vendors.\n In the future, filters showing convergence in behavior across multiple\n implementations will be considered for inclusion in extended or core\n conformance levels. Filter-specific configuration for such filters\n is specified using the ExtensionRef field. `Type` should be set to\n \"ExtensionRef\" for custom filters.\n\nImplementers are encouraged to define custom implementation types to\nextend the core API with implementation-specific behavior.\n\nIf a reference to a custom filter type cannot be resolved, the filter\nMUST NOT be skipped. Instead, requests that would have been processed by\nthat filter MUST receive a HTTP error response.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.", + "enum": [ + "RequestHeaderModifier", + "ResponseHeaderModifier", + "RequestMirror", + "RequestRedirect", + "URLRewrite", + "ExtensionRef" + ], + "type": "string" + }, + "urlRewrite": { + "description": "URLRewrite defines a schema for a filter that modifies a request during forwarding.\n\nSupport: Extended", + "properties": { + "hostname": { + "description": "Hostname is the value to be used to replace the Host header value during\nforwarding.\n\nSupport: Extended", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines a path rewrite.\n\nSupport: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path\nof a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix\nmatch of a request during a rewrite or redirect. For example, a request\nto \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch\nof \"/xyz\" would be modified to \"/xyz/bar\".\n\nNote that this matches the behavior of the PathPrefix match type. This\nmatches full path elements. A path element refers to the list of labels\nin the path split by the `/` separator. When specified, a trailing `/` is\nignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\nmatch the prefix `/abc`, but the path `/abcd` would not.\n\nReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\nUsing any other HTTPRouteMatch type on the same HTTPRouteRule will result in\nthe implementation setting the Accepted Condition for the Route to `status: False`.\n\nRequest Path | Prefix Match | Replace Prefix | Modified Path", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be\nadded in a future release of the API.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "replaceFullPath must be specified when type is set to 'ReplaceFullPath'", + "rule": "self.type == 'ReplaceFullPath' ? has(self.replaceFullPath) : true" + }, + { + "message": "type must be 'ReplaceFullPath' when replaceFullPath is set", + "rule": "has(self.replaceFullPath) ? self.type == 'ReplaceFullPath' : true" + }, + { + "message": "replacePrefixMatch must be specified when type is set to 'ReplacePrefixMatch'", + "rule": "self.type == 'ReplacePrefixMatch' ? has(self.replacePrefixMatch) : true" + }, + { + "message": "type must be 'ReplacePrefixMatch' when replacePrefixMatch is set", + "rule": "has(self.replacePrefixMatch) ? self.type == 'ReplacePrefixMatch' : true" + } + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier", + "rule": "!(has(self.requestHeaderModifier) && self.type != 'RequestHeaderModifier')" + }, + { + "message": "filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type", + "rule": "!(!has(self.requestHeaderModifier) && self.type == 'RequestHeaderModifier')" + }, + { + "message": "filter.responseHeaderModifier must be nil if the filter.type is not ResponseHeaderModifier", + "rule": "!(has(self.responseHeaderModifier) && self.type != 'ResponseHeaderModifier')" + }, + { + "message": "filter.responseHeaderModifier must be specified for ResponseHeaderModifier filter.type", + "rule": "!(!has(self.responseHeaderModifier) && self.type == 'ResponseHeaderModifier')" + }, + { + "message": "filter.requestMirror must be nil if the filter.type is not RequestMirror", + "rule": "!(has(self.requestMirror) && self.type != 'RequestMirror')" + }, + { + "message": "filter.requestMirror must be specified for RequestMirror filter.type", + "rule": "!(!has(self.requestMirror) && self.type == 'RequestMirror')" + }, + { + "message": "filter.requestRedirect must be nil if the filter.type is not RequestRedirect", + "rule": "!(has(self.requestRedirect) && self.type != 'RequestRedirect')" + }, + { + "message": "filter.requestRedirect must be specified for RequestRedirect filter.type", + "rule": "!(!has(self.requestRedirect) && self.type == 'RequestRedirect')" + }, + { + "message": "filter.urlRewrite must be nil if the filter.type is not URLRewrite", + "rule": "!(has(self.urlRewrite) && self.type != 'URLRewrite')" + }, + { + "message": "filter.urlRewrite must be specified for URLRewrite filter.type", + "rule": "!(!has(self.urlRewrite) && self.type == 'URLRewrite')" + }, + { + "message": "filter.extensionRef must be nil if the filter.type is not ExtensionRef", + "rule": "!(has(self.extensionRef) && self.type != 'ExtensionRef')" + }, + { + "message": "filter.extensionRef must be specified for ExtensionRef filter.type", + "rule": "!(!has(self.extensionRef) && self.type == 'ExtensionRef')" + } + ], + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-validations": [ + { + "message": "May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both", + "rule": "!(self.exists(f, f.type == 'RequestRedirect') && self.exists(f, f.type == 'URLRewrite'))" + }, + { + "message": "May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both", + "rule": "!(self.exists(f, f.type == 'RequestRedirect') && self.exists(f, f.type == 'URLRewrite'))" + }, + { + "message": "RequestHeaderModifier filter cannot be repeated", + "rule": "self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1" + }, + { + "message": "ResponseHeaderModifier filter cannot be repeated", + "rule": "self.filter(f, f.type == 'ResponseHeaderModifier').size() <= 1" + }, + { + "message": "RequestRedirect filter cannot be repeated", + "rule": "self.filter(f, f.type == 'RequestRedirect').size() <= 1" + }, + { + "message": "URLRewrite filter cannot be repeated", + "rule": "self.filter(f, f.type == 'URLRewrite').size() <= 1" + } + ] + }, + "group": { + "default": "", + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Service", + "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "weight": { + "default": 1, + "description": "Weight specifies the proportion of requests forwarded to the referenced\nbackend. This is computed as weight/(sum of all weights in this\nBackendRefs list). For non-zero values, there may be some epsilon from\nthe exact proportion defined here depending on the precision an\nimplementation supports. Weight is not a percentage and the sum of\nweights does not need to equal 100.\n\nIf only one backend is specified and it has a weight greater than 0, 100%\nof the traffic is forwarded to that backend. If weight is set to 0, no\ntraffic should be forwarded for this entry. If unspecified, weight\ndefaults to 1.\n\nSupport for this field varies based on the context where used.", + "format": "int32", + "maximum": 1000000, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "name" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "Must have port for Service reference", + "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" + } + ], + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "filters": { + "description": "Filters define the filters that are applied to requests that match\nthis rule.\n\nWherever possible, implementations SHOULD implement filters in the order\nthey are specified.\n\nImplementations MAY choose to implement this ordering strictly, rejecting\nany combination or order of filters that can not be supported. If implementations\nchoose a strict interpretation of filter ordering, they MUST clearly document\nthat behavior.\n\nTo reject an invalid combination or order of filters, implementations SHOULD\nconsider the Route Rules with this configuration invalid. If all Route Rules\nin a Route are invalid, the entire Route would be considered invalid. If only\na portion of Route Rules are invalid, implementations MUST set the\n\"PartiallyInvalid\" condition for the Route.\n\nConformance-levels at this level are defined based on the type of filter:\n\n- ALL core filters MUST be supported by all implementations.\n- Implementers are encouraged to support extended filters.\n- Implementation-specific custom filters have no API guarantees across\n implementations.\n\nSpecifying the same filter multiple times is not supported unless explicitly\nindicated in the filter.\n\nAll filters are expected to be compatible with each other except for the\nURLRewrite and RequestRedirect filters, which may not be combined. If an\nimplementation can not support other combinations of filters, they must clearly\ndocument that limitation. In cases where incompatible or unsupported\nfilters are specified and cause the `Accepted` condition to be set to status\n`False`, implementations may use the `IncompatibleFilters` reason to specify\nthis configuration error.\n\nSupport: Core", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the\nrequest or response lifecycle. HTTPRouteFilters are meant as an extension\npoint to express processing that may be done in Gateway implementations. Some\nexamples include request or response modification, implementing\nauthentication strategies, rate-limiting, and traffic shaping. API\nguarantee/conformance is defined based on the type of the filter.", + "properties": { + "extensionRef": { + "description": "ExtensionRef is an optional, implementation-specific extension to the\n\"filter\" behavior. For example, resource \"myroutefilter\" in group\n\"networking.example.net\"). ExtensionRef MUST NOT be used for core and\nextended filters.\n\nThis filter can be used multiple times within the same rule.\n\nSupport: Implementation-specific", + "properties": { + "group": { + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "description": "Kind is kind of the referent. For example \"HTTPRoute\" or \"Service\".", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "group", + "kind", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request\nheaders.\n\nSupport: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request\nbefore the action. It appends to any existing values associated\nwith the header name.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n add:\n - name: \"my-header\"\n value: \"bar,baz\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The\nvalue of Remove is a list of HTTP header names. Note that the header\nnames are case-insensitive (see\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\n\nInput:\n GET /foo HTTP/1.1\n my-header1: foo\n my-header2: bar\n my-header3: baz\n\nConfig:\n remove: [\"my-header1\", \"my-header3\"]\n\nOutput:\n GET /foo HTTP/1.1\n my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value)\nbefore the action.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n set:\n - name: \"my-header\"\n value: \"bar\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestMirror": { + "description": "RequestMirror defines a schema for a filter that mirrors requests.\nRequests are sent to the specified destination, but responses from\nthat destination are ignored.\n\nThis filter can be used multiple times within the same rule. Note that\nnot all implementations will be able to support mirroring to multiple\nbackends.\n\nSupport: Extended\n\n", + "properties": { + "backendRef": { + "description": "BackendRef references a resource where mirrored requests are sent.\n\nMirrored requests must be sent only to a single destination endpoint\nwithin this BackendRef, irrespective of how many endpoints are present\nwithin this BackendRef.\n\nIf the referent cannot be found, this BackendRef is invalid and must be\ndropped from the Gateway. The controller must ensure the \"ResolvedRefs\"\ncondition on the Route status is set to `status: False` and not configure\nthis backend in the underlying implementation.\n\nIf there is a cross-namespace reference to an *existing* object\nthat is not allowed by a ReferenceGrant, the controller must ensure the\n\"ResolvedRefs\" condition on the Route is set to `status: False`,\nwith the \"RefNotPermitted\" reason and not configure this backend in the\nunderlying implementation.\n\nIn either error case, the Message of the `ResolvedRefs` Condition\nshould be used to provide more detail about the problem.\n\nSupport: Extended for Kubernetes Service\n\nSupport: Implementation-specific for any other resource", + "properties": { + "group": { + "default": "", + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Service", + "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "name" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "Must have port for Service reference", + "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" + } + ], + "additionalProperties": false + } + }, + "required": [ + "backendRef" + ], + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the\nrequest with an HTTP redirection.\n\nSupport: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location`\nheader in the response.\nWhen empty, the hostname in the `Host` header of the request is used.\n\nSupport: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request.\nThe modified path is then used to construct the `Location` header. When\nempty, the request path is used as-is.\n\nSupport: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path\nof a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix\nmatch of a request during a rewrite or redirect. For example, a request\nto \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch\nof \"/xyz\" would be modified to \"/xyz/bar\".\n\nNote that this matches the behavior of the PathPrefix match type. This\nmatches full path elements. A path element refers to the list of labels\nin the path split by the `/` separator. When specified, a trailing `/` is\nignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\nmatch the prefix `/abc`, but the path `/abcd` would not.\n\nReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\nUsing any other HTTPRouteMatch type on the same HTTPRouteRule will result in\nthe implementation setting the Accepted Condition for the Route to `status: False`.\n\nRequest Path | Prefix Match | Replace Prefix | Modified Path", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be\nadded in a future release of the API.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "replaceFullPath must be specified when type is set to 'ReplaceFullPath'", + "rule": "self.type == 'ReplaceFullPath' ? has(self.replaceFullPath) : true" + }, + { + "message": "type must be 'ReplaceFullPath' when replaceFullPath is set", + "rule": "has(self.replaceFullPath) ? self.type == 'ReplaceFullPath' : true" + }, + { + "message": "replacePrefixMatch must be specified when type is set to 'ReplacePrefixMatch'", + "rule": "self.type == 'ReplacePrefixMatch' ? has(self.replacePrefixMatch) : true" + }, + { + "message": "type must be 'ReplacePrefixMatch' when replacePrefixMatch is set", + "rule": "has(self.replacePrefixMatch) ? self.type == 'ReplacePrefixMatch' : true" + } + ], + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location`\nheader in the response.\n\nIf no port is specified, the redirect port MUST be derived using the\nfollowing rules:\n\n* If redirect scheme is not-empty, the redirect port MUST be the well-known\n port associated with the redirect scheme. Specifically \"http\" to port 80\n and \"https\" to port 443. If the redirect scheme does not have a\n well-known port, the listener port of the Gateway SHOULD be used.\n* If redirect scheme is empty, the redirect port MUST be the Gateway\n Listener port.\n\nImplementations SHOULD NOT add the port number in the 'Location'\nheader in the following cases:\n\n* A Location header that will use HTTP (whether that is determined via\n the Listener protocol or the Scheme field) _and_ use port 80.\n* A Location header that will use HTTPS (whether that is determined via\n the Listener protocol or the Scheme field) _and_ use port 443.\n\nSupport: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in\nthe response. When empty, the scheme of the request is used.\n\nScheme redirects can affect the port of the redirect, for more information,\nrefer to the documentation for the port field of this filter.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.\n\nSupport: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.\n\nSupport: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "responseHeaderModifier": { + "description": "ResponseHeaderModifier defines a schema for a filter that modifies response\nheaders.\n\nSupport: Extended", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request\nbefore the action. It appends to any existing values associated\nwith the header name.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n add:\n - name: \"my-header\"\n value: \"bar,baz\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The\nvalue of Remove is a list of HTTP header names. Note that the header\nnames are case-insensitive (see\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\n\nInput:\n GET /foo HTTP/1.1\n my-header1: foo\n my-header2: bar\n my-header3: baz\n\nConfig:\n remove: [\"my-header1\", \"my-header3\"]\n\nOutput:\n GET /foo HTTP/1.1\n my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value)\nbefore the action.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n set:\n - name: \"my-header\"\n value: \"bar\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields,\ntypes are classified into three conformance levels:\n\n- Core: Filter types and their corresponding configuration defined by\n \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All\n implementations must support core filters.\n\n- Extended: Filter types and their corresponding configuration defined by\n \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers\n are encouraged to support extended filters.\n\n- Implementation-specific: Filters that are defined and supported by\n specific vendors.\n In the future, filters showing convergence in behavior across multiple\n implementations will be considered for inclusion in extended or core\n conformance levels. Filter-specific configuration for such filters\n is specified using the ExtensionRef field. `Type` should be set to\n \"ExtensionRef\" for custom filters.\n\nImplementers are encouraged to define custom implementation types to\nextend the core API with implementation-specific behavior.\n\nIf a reference to a custom filter type cannot be resolved, the filter\nMUST NOT be skipped. Instead, requests that would have been processed by\nthat filter MUST receive a HTTP error response.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.", + "enum": [ + "RequestHeaderModifier", + "ResponseHeaderModifier", + "RequestMirror", + "RequestRedirect", + "URLRewrite", + "ExtensionRef" + ], + "type": "string" + }, + "urlRewrite": { + "description": "URLRewrite defines a schema for a filter that modifies a request during forwarding.\n\nSupport: Extended", + "properties": { + "hostname": { + "description": "Hostname is the value to be used to replace the Host header value during\nforwarding.\n\nSupport: Extended", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines a path rewrite.\n\nSupport: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path\nof a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix\nmatch of a request during a rewrite or redirect. For example, a request\nto \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch\nof \"/xyz\" would be modified to \"/xyz/bar\".\n\nNote that this matches the behavior of the PathPrefix match type. This\nmatches full path elements. A path element refers to the list of labels\nin the path split by the `/` separator. When specified, a trailing `/` is\nignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\nmatch the prefix `/abc`, but the path `/abcd` would not.\n\nReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\nUsing any other HTTPRouteMatch type on the same HTTPRouteRule will result in\nthe implementation setting the Accepted Condition for the Route to `status: False`.\n\nRequest Path | Prefix Match | Replace Prefix | Modified Path", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be\nadded in a future release of the API.\n\nNote that values may be added to this enum, implementations\nmust ensure that unknown values will not cause a crash.\n\nUnknown values here must result in the implementation setting the\nAccepted Condition for the Route to `status: False`, with a\nReason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "replaceFullPath must be specified when type is set to 'ReplaceFullPath'", + "rule": "self.type == 'ReplaceFullPath' ? has(self.replaceFullPath) : true" + }, + { + "message": "type must be 'ReplaceFullPath' when replaceFullPath is set", + "rule": "has(self.replaceFullPath) ? self.type == 'ReplaceFullPath' : true" + }, + { + "message": "replacePrefixMatch must be specified when type is set to 'ReplacePrefixMatch'", + "rule": "self.type == 'ReplacePrefixMatch' ? has(self.replacePrefixMatch) : true" + }, + { + "message": "type must be 'ReplacePrefixMatch' when replacePrefixMatch is set", + "rule": "has(self.replacePrefixMatch) ? self.type == 'ReplacePrefixMatch' : true" + } + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-validations": [ + { + "message": "filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier", + "rule": "!(has(self.requestHeaderModifier) && self.type != 'RequestHeaderModifier')" + }, + { + "message": "filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type", + "rule": "!(!has(self.requestHeaderModifier) && self.type == 'RequestHeaderModifier')" + }, + { + "message": "filter.responseHeaderModifier must be nil if the filter.type is not ResponseHeaderModifier", + "rule": "!(has(self.responseHeaderModifier) && self.type != 'ResponseHeaderModifier')" + }, + { + "message": "filter.responseHeaderModifier must be specified for ResponseHeaderModifier filter.type", + "rule": "!(!has(self.responseHeaderModifier) && self.type == 'ResponseHeaderModifier')" + }, + { + "message": "filter.requestMirror must be nil if the filter.type is not RequestMirror", + "rule": "!(has(self.requestMirror) && self.type != 'RequestMirror')" + }, + { + "message": "filter.requestMirror must be specified for RequestMirror filter.type", + "rule": "!(!has(self.requestMirror) && self.type == 'RequestMirror')" + }, + { + "message": "filter.requestRedirect must be nil if the filter.type is not RequestRedirect", + "rule": "!(has(self.requestRedirect) && self.type != 'RequestRedirect')" + }, + { + "message": "filter.requestRedirect must be specified for RequestRedirect filter.type", + "rule": "!(!has(self.requestRedirect) && self.type == 'RequestRedirect')" + }, + { + "message": "filter.urlRewrite must be nil if the filter.type is not URLRewrite", + "rule": "!(has(self.urlRewrite) && self.type != 'URLRewrite')" + }, + { + "message": "filter.urlRewrite must be specified for URLRewrite filter.type", + "rule": "!(!has(self.urlRewrite) && self.type == 'URLRewrite')" + }, + { + "message": "filter.extensionRef must be nil if the filter.type is not ExtensionRef", + "rule": "!(has(self.extensionRef) && self.type != 'ExtensionRef')" + }, + { + "message": "filter.extensionRef must be specified for ExtensionRef filter.type", + "rule": "!(!has(self.extensionRef) && self.type == 'ExtensionRef')" + } + ], + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-validations": [ + { + "message": "May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both", + "rule": "!(self.exists(f, f.type == 'RequestRedirect') && self.exists(f, f.type == 'URLRewrite'))" + }, + { + "message": "RequestHeaderModifier filter cannot be repeated", + "rule": "self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1" + }, + { + "message": "ResponseHeaderModifier filter cannot be repeated", + "rule": "self.filter(f, f.type == 'ResponseHeaderModifier').size() <= 1" + }, + { + "message": "RequestRedirect filter cannot be repeated", + "rule": "self.filter(f, f.type == 'RequestRedirect').size() <= 1" + }, + { + "message": "URLRewrite filter cannot be repeated", + "rule": "self.filter(f, f.type == 'URLRewrite').size() <= 1" + } + ] + }, + "matches": { + "default": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ], + "description": "Matches define conditions used for matching the rule against incoming\nHTTP requests. Each match is independent, i.e. this rule will be matched\nif **any** one of the matches is satisfied.\n\nFor example, take the following matches configuration:\n\n```\nmatches:\n- path:\n value: \"/foo\"\n headers:\n - name: \"version\"\n value: \"v2\"\n- path:\n value: \"/v2/foo\"\n```\n\nFor a request to match against this rule, a request must satisfy\nEITHER of the two conditions:\n\n- path prefixed with `/foo` AND contains the header `version: v2`\n- path prefix of `/v2/foo`\n\nSee the documentation for HTTPRouteMatch on how to specify multiple\nmatch conditions that should be ANDed together.\n\nIf no matches are specified, the default is a prefix\npath match on \"/\", which has the effect of matching every\nHTTP request.\n\nProxy or Load Balancer routing configuration generated from HTTPRoutes\nMUST prioritize matches based on the following criteria, continuing on\nties. Across all rules specified on applicable Routes, precedence must be\ngiven to the match having:\n\n* \"Exact\" path match.\n* \"Prefix\" path match with largest number of characters.\n* Method match.\n* Largest number of header matches.\n* Largest number of query param matches.\n\nNote: The precedence of RegularExpression path matches are implementation-specific.\n\nIf ties still exist across multiple Routes, matching precedence MUST be\ndetermined in order of the following criteria, continuing on ties:\n\n* The oldest Route based on creation timestamp.\n* The Route appearing first in alphabetical order by\n \"{namespace}/{name}\".\n\nIf ties still exist within an HTTPRoute, matching precedence MUST be granted\nto the FIRST matching rule (in list order) with a match meeting the above\ncriteria.\n\nWhen no rules matching a request have been successfully attached to the\nparent a request is coming from, a HTTP 404 status code MUST be returned.", + "items": { + "description": "HTTPRouteMatch defines the predicate used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match will\nevaluate to true only if all conditions are satisfied.\n\nFor example, the match below will match a HTTP request only if its path\nstarts with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t value \"v1\"\n\n```", + "properties": { + "headers": { + "description": "Headers specifies HTTP request header matchers. Multiple match values are\nANDed together, meaning, a request must match all the specified headers\nto select the route.", + "items": { + "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\nheaders.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, only the first\nentry with an equivalent name MUST be considered for a match. Subsequent\nentries with an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.\n\nWhen a header is repeated in an HTTP request, it is\nimplementation-specific behavior as to how this is represented.\nGenerally, proxies should follow the guidance from the RFC:\nhttps://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\nprocessing a repeated header, with special handling for \"Set-Cookie\".", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the header.\n\nSupport: Core (Exact)\n\nSupport: Implementation-specific (RegularExpression)\n\nSince RegularExpression HeaderMatchType has implementation-specific\nconformance, implementations can support POSIX, PCRE or any other dialects\nof regular expressions. Please read the implementation's documentation to\ndetermine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "method": { + "description": "Method specifies HTTP method matcher.\nWhen specified, this route will be matched only if the request has the\nspecified method.\n\nSupport: Extended", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH" + ], + "type": "string" + }, + "path": { + "default": { + "type": "PathPrefix", + "value": "/" + }, + "description": "Path specifies a HTTP request path matcher. If this field is not\nspecified, a default prefix match on the \"/\" path is provided.", + "properties": { + "type": { + "default": "PathPrefix", + "description": "Type specifies how to match against the path Value.\n\nSupport: Core (Exact, PathPrefix)\n\nSupport: Implementation-specific (RegularExpression)", + "enum": [ + "Exact", + "PathPrefix", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "default": "/", + "description": "Value of the HTTP path to match against.", + "maxLength": 1024, + "type": "string" + } + }, + "type": "object", + "x-kubernetes-validations": [ + { + "message": "value must be an absolute path and start with '/' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? self.value.startsWith('/') : true" + }, + { + "message": "must not contain '//' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.contains('//') : true" + }, + { + "message": "must not contain '/./' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.contains('/./') : true" + }, + { + "message": "must not contain '/../' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.contains('/../') : true" + }, + { + "message": "must not contain '%2f' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.contains('%2f') : true" + }, + { + "message": "must not contain '%2F' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.contains('%2F') : true" + }, + { + "message": "must not contain '#' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.contains('#') : true" + }, + { + "message": "must not end with '/..' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.endsWith('/..') : true" + }, + { + "message": "must not end with '/.' when type one of ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? !self.value.endsWith('/.') : true" + }, + { + "message": "type must be one of ['Exact', 'PathPrefix', 'RegularExpression']", + "rule": "self.type in ['Exact','PathPrefix'] || self.type == 'RegularExpression'" + }, + { + "message": "must only contain valid characters (matching ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) for types ['Exact', 'PathPrefix']", + "rule": "(self.type in ['Exact','PathPrefix']) ? self.value.matches(r\"\"\"^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$\"\"\") : true" + } + ], + "additionalProperties": false + }, + "queryParams": { + "description": "QueryParams specifies HTTP query parameter matchers. Multiple match\nvalues are ANDed together, meaning, a request must match all the\nspecified query parameters to select the route.\n\nSupport: Extended", + "items": { + "description": "HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP\nquery parameters.", + "properties": { + "name": { + "description": "Name is the name of the HTTP query param to be matched. This must be an\nexact string match. (See\nhttps://tools.ietf.org/html/rfc7230#section-2.7.3).\n\nIf multiple entries specify equivalent query param names, only the first\nentry with an equivalent name MUST be considered for a match. Subsequent\nentries with an equivalent query param name MUST be ignored.\n\nIf a query param is repeated in an HTTP request, the behavior is\npurposely left undefined, since different data planes have different\ncapabilities. However, it is *recommended* that implementations should\nmatch against the first value of the param if the data plane supports it,\nas this behavior is expected in other load balancing contexts outside of\nthe Gateway API.\n\nUsers SHOULD NOT route traffic based on repeated query params to guard\nthemselves against potential differences in the implementations.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the query parameter.\n\nSupport: Extended (Exact)\n\nSupport: Implementation-specific (RegularExpression)\n\nSince RegularExpression QueryParamMatchType has Implementation-specific\nconformance, implementations can support POSIX, PCRE or any other\ndialects of regular expressions. Please read the implementation's\ndocumentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP query param to be matched.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 64, + "type": "array" + }, + "timeouts": { + "description": "Timeouts defines the timeouts that can be configured for an HTTP request.\n\nSupport: Extended", + "properties": { + "backendRequest": { + "description": "BackendRequest specifies a timeout for an individual request from the gateway\nto a backend. This covers the time from when the request first starts being\nsent from the gateway to when the full response has been received from the backend.\n\nSetting a timeout to the zero duration (e.g. \"0s\") SHOULD disable the timeout\ncompletely. Implementations that cannot completely disable the timeout MUST\ninstead interpret the zero duration as the longest possible value to which\nthe timeout can be set.\n\nAn entire client HTTP transaction with a gateway, covered by the Request timeout,\nmay result in more than one call from the gateway to the destination backend,\nfor example, if automatic retries are supported.\n\nThe value of BackendRequest must be a Gateway API Duration string as defined by\nGEP-2257. When this field is unspecified, its behavior is implementation-specific;\nwhen specified, the value of BackendRequest must be no more than the value of the\nRequest timeout (since the Request timeout encompasses the BackendRequest timeout).\n\nSupport: Extended", + "pattern": "^([0-9]{1,5}(h|m|s|ms)){1,4}$", + "type": "string" + }, + "request": { + "description": "Request specifies the maximum duration for a gateway to respond to an HTTP request.\nIf the gateway has not been able to respond before this deadline is met, the gateway\nMUST return a timeout error.\n\nFor example, setting the `rules.timeouts.request` field to the value `10s` in an\n`HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds\nto complete.\n\nSetting a timeout to the zero duration (e.g. \"0s\") SHOULD disable the timeout\ncompletely. Implementations that cannot completely disable the timeout MUST\ninstead interpret the zero duration as the longest possible value to which\nthe timeout can be set.\n\nThis timeout is intended to cover as close to the whole request-response transaction\nas possible although an implementation MAY choose to start the timeout after the entire\nrequest stream has been received instead of immediately after the transaction is\ninitiated by the client.\n\nThe value of Request is a Gateway API Duration string as defined by GEP-2257. When this\nfield is unspecified, request timeout behavior is implementation-specific.\n\nSupport: Extended", + "pattern": "^([0-9]{1,5}(h|m|s|ms)){1,4}$", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-validations": [ + { + "message": "backendRequest timeout cannot be longer than request timeout", + "rule": "!(has(self.request) && has(self.backendRequest) && duration(self.request) != duration('0s') && duration(self.backendRequest) > duration(self.request))" + } + ], + "additionalProperties": false + } + }, + "type": "object", + "x-kubernetes-validations": [ + { + "message": "RequestRedirect filter must not be used together with backendRefs", + "rule": "(has(self.backendRefs) && size(self.backendRefs) > 0) ? (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): true" + }, + { + "message": "When using RequestRedirect filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified", + "rule": "(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) && has(f.requestRedirect.path) && f.requestRedirect.path.type == 'ReplacePrefixMatch' && has(f.requestRedirect.path.replacePrefixMatch))) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != 'PathPrefix') ? false : true) : true" + }, + { + "message": "When using URLRewrite filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified", + "rule": "(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) && has(f.urlRewrite.path) && f.urlRewrite.path.type == 'ReplacePrefixMatch' && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != 'PathPrefix') ? false : true) : true" + }, + { + "message": "Within backendRefs, when using RequestRedirect filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified", + "rule": "(has(self.backendRefs) && self.backendRefs.exists_one(b, (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) && has(f.requestRedirect.path) && f.requestRedirect.path.type == 'ReplacePrefixMatch' && has(f.requestRedirect.path.replacePrefixMatch))) )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != 'PathPrefix') ? false : true) : true" + }, + { + "message": "Within backendRefs, When using URLRewrite filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified", + "rule": "(has(self.backendRefs) && self.backendRefs.exists_one(b, (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) && has(f.urlRewrite.path) && f.urlRewrite.path.type == 'ReplacePrefixMatch' && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != 'PathPrefix') ? false : true) : true" + } + ], + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-validations": [ + { + "message": "While 16 rules and 64 matches per rule are allowed, the total number of matches across all rules in a route must be less than 128", + "rule": "(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128" + } + ] + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "Status defines the current state of HTTPRoute.", + "properties": { + "parents": { + "description": "Parents is a list of parent resources (usually Gateways) that are\nassociated with the route, and the status of the route with respect to\neach parent. When this route attaches to a parent, the controller that\nmanages the parent must add an entry to this list when the controller\nfirst sees the route and should update the entry as appropriate when the\nroute or gateway is modified.\n\nNote that parent references that cannot be resolved by an implementation\nof this API will not be added to this list. Implementations of this API\ncan only populate Route status for the Gateways/parent resources they are\nresponsible for.\n\nA maximum of 32 Gateways will be represented in this list. An empty list\nmeans the route has not been attached to any Gateway.", + "items": { + "description": "RouteParentStatus describes the status of a route with respect to an\nassociated Parent.", + "properties": { + "conditions": { + "description": "Conditions describes the status of the route with respect to the Gateway.\nNote that the route's availability is also subject to the Gateway's own\nstatus conditions and listener status.\n\nIf the Route's ParentRef specifies an existing Gateway that supports\nRoutes of this kind AND that Gateway's controller has sufficient access,\nthen that Gateway's controller MUST set the \"Accepted\" condition on the\nRoute, to indicate whether the route has been accepted or rejected by the\nGateway, and why.\n\nA Route MUST be considered \"Accepted\" if at least one of the Route's\nrules is implemented by the Gateway.\n\nThere are a number of cases where the \"Accepted\" condition may not be set\ndue to lack of controller visibility, that includes when:\n\n* The Route refers to a non-existent parent.\n* The Route is of a type that the controller does not support.\n* The Route is in a namespace the controller does not have access to.", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "maxLength": 32768, + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "format": "int64", + "minimum": 0, + "type": "integer" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", + "type": "string" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "enum": [ + "True", + "False", + "Unknown" + ], + "type": "string" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", + "type": "string" + } + }, + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "minItems": 1, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "controllerName": { + "description": "ControllerName is a domain/path string that indicates the name of the\ncontroller that wrote this status. This corresponds with the\ncontrollerName field on GatewayClass.\n\nExample: \"example.net/gateway-controller\".\n\nThe format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are\nvalid Kubernetes names\n(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\n\nControllers MUST populate this field when writing status. Controllers should ensure that\nentries to status populated with their ControllerName are cleaned up when they are no\nlonger necessary.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$", + "type": "string" + }, + "parentRef": { + "description": "ParentRef corresponds with a ParentRef in the spec that this\nRouteParentStatus struct describes the status of.", + "properties": { + "group": { + "default": "gateway.networking.k8s.io", + "description": "Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.\n\nSupport: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n\n\nSupport: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "controllerName", + "parentRef" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + } + }, + "required": [ + "parents" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/httproute_v1alpha1.json b/policy.linkerd.io/httproute_v1alpha1.json new file mode 100644 index 00000000..a8cb366d --- /dev/null +++ b/policy.linkerd.io/httproute_v1alpha1.json @@ -0,0 +1,843 @@ +{ + "description": "HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "Spec defines the desired state of HTTPRoute.", + "properties": { + "hostnames": { + "description": "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core", + "items": { + "description": "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed.", + "maxLength": 253, + "minLength": 1, + "pattern": "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "parentRefs": { + "description": "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged.", + "items": { + "description": "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "port", + "type": "integer" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + }, + "rules": { + "default": [ + { + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ] + } + ], + "description": "Rules are a list of HTTP matchers, filters and actions.", + "items": { + "description": "HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches) and processing it (filters).", + "properties": { + "backendRefs": { + "items": { + "properties": { + "filters": { + "description": "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname in the `Host` header of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. \n If no port is specified, the redirect port MUST be derived using the following rules: \n * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically \"http\" to port 80 and \"https\" to port 443. If the redirect scheme does not have a well-known port, the listener port of the Gateway SHOULD be used. * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. \n Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: \n * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "responseHeaderModifier": { + "description": "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "RequestHeaderModifier", + "ResponseHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "name": { + "type": "string" + }, + "namespace": { + "default": "default", + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "filters": { + "description": "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or custom conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: foo my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n\n ", + "enum": [ + "RequestHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "matches": { + "default": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ], + "description": "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize rules based on the following criteria, continuing on ties. Precedence must be given to the the Rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned.", + "items": { + "description": "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: path: value: \"/foo\" headers: - name: \"version\" value \"v1\" ```", + "properties": { + "headers": { + "description": "Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route.", + "items": { + "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\".", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression HeaderMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "method": { + "description": "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH" + ], + "type": "string" + }, + "path": { + "default": { + "type": "PathPrefix", + "value": "/" + }, + "description": "Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the \"/\" path is provided.", + "properties": { + "type": { + "default": "PathPrefix", + "description": "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Custom (RegularExpression)", + "enum": [ + "Exact", + "PathPrefix", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "default": "/", + "description": "Value of the HTTP path to match against.", + "maxLength": 1024, + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "queryParams": { + "description": "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route.", + "items": { + "description": "HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.", + "properties": { + "name": { + "description": "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).", + "maxLength": 256, + "minLength": 1, + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression QueryParamMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP query param to be matched.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "Status defines the current state of HTTPRoute.", + "properties": { + "parents": { + "description": "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway.", + "items": { + "description": "RouteParentStatus describes the status of a route with respect to an associated Parent.", + "properties": { + "conditions": { + "description": "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the the controller does not have access to.", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }", + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "message is a human readable message indicating details about the transition. This may be an empty string.", + "maxLength": 32768, + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + "format": "int64", + "minimum": 0, + "type": "integer" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", + "type": "string" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "enum": [ + "True", + "False", + "Unknown" + ], + "type": "string" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", + "type": "string" + } + }, + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "minItems": 1, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "controllerName": { + "description": "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$", + "type": "string" + }, + "parentRef": { + "description": "ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "controllerName", + "parentRef" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + } + }, + "required": [ + "parents" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/httproute_v1beta1.json b/policy.linkerd.io/httproute_v1beta1.json new file mode 100644 index 00000000..8469a982 --- /dev/null +++ b/policy.linkerd.io/httproute_v1beta1.json @@ -0,0 +1,843 @@ +{ + "description": "HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "Spec defines the desired state of HTTPRoute.", + "properties": { + "hostnames": { + "description": "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core", + "items": { + "description": "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed.", + "maxLength": 253, + "minLength": 1, + "pattern": "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "parentRefs": { + "description": "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged.", + "items": { + "description": "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "port", + "type": "integer" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + }, + "rules": { + "default": [ + { + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ] + } + ], + "description": "Rules are a list of HTTP matchers, filters and actions.", + "items": { + "description": "HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches) and processing it (filters).", + "properties": { + "backendRefs": { + "items": { + "properties": { + "filters": { + "description": "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname in the `Host` header of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. \n If no port is specified, the redirect port MUST be derived using the following rules: \n * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically \"http\" to port 80 and \"https\" to port 443. If the redirect scheme does not have a well-known port, the listener port of the Gateway SHOULD be used. * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. \n Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: \n * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "responseHeaderModifier": { + "description": "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "RequestHeaderModifier", + "ResponseHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "name": { + "type": "string" + }, + "namespace": { + "default": "default", + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "filters": { + "description": "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or custom conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: foo my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\".", + "enum": [ + "RequestHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "matches": { + "default": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ], + "description": "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize rules based on the following criteria, continuing on ties. Precedence must be given to the the Rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned.", + "items": { + "description": "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: path: value: \"/foo\" headers: - name: \"version\" value \"v1\" ```", + "properties": { + "headers": { + "description": "Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route.", + "items": { + "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\".", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression HeaderMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "method": { + "description": "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH" + ], + "type": "string" + }, + "path": { + "default": { + "type": "PathPrefix", + "value": "/" + }, + "description": "Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the \"/\" path is provided.", + "properties": { + "type": { + "default": "PathPrefix", + "description": "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Custom (RegularExpression)", + "enum": [ + "Exact", + "PathPrefix", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "default": "/", + "description": "Value of the HTTP path to match against.", + "maxLength": 1024, + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "queryParams": { + "description": "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route.", + "items": { + "description": "HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.", + "properties": { + "name": { + "description": "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).", + "maxLength": 256, + "minLength": 1, + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression QueryParamMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP query param to be matched.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "Status defines the current state of HTTPRoute.", + "properties": { + "parents": { + "description": "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway.", + "items": { + "description": "RouteParentStatus describes the status of a route with respect to an associated Parent.", + "properties": { + "conditions": { + "description": "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the the controller does not have access to.", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }", + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "message is a human readable message indicating details about the transition. This may be an empty string.", + "maxLength": 32768, + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + "format": "int64", + "minimum": 0, + "type": "integer" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", + "type": "string" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "enum": [ + "True", + "False", + "Unknown" + ], + "type": "string" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", + "type": "string" + } + }, + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "minItems": 1, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "controllerName": { + "description": "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$", + "type": "string" + }, + "parentRef": { + "description": "ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "controllerName", + "parentRef" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + } + }, + "required": [ + "parents" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/httproute_v1beta2.json b/policy.linkerd.io/httproute_v1beta2.json new file mode 100644 index 00000000..7bccefef --- /dev/null +++ b/policy.linkerd.io/httproute_v1beta2.json @@ -0,0 +1,885 @@ +{ + "description": "HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "Spec defines the desired state of HTTPRoute.", + "properties": { + "hostnames": { + "description": "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core", + "items": { + "description": "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed.", + "maxLength": 253, + "minLength": 1, + "pattern": "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "parentRefs": { + "description": "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged.", + "items": { + "description": "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + }, + "rules": { + "default": [ + { + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ] + } + ], + "description": "Rules are a list of HTTP matchers, filters and actions.", + "items": { + "description": "HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches) and processing it (filters).", + "properties": { + "backendRefs": { + "description": "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core", + "items": { + "description": "HTTPBackendRef defines how a HTTPRoute should forward an HTTP request.", + "properties": { + "filters": { + "description": "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname in the `Host` header of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. \n If no port is specified, the redirect port MUST be derived using the following rules: \n * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically \"http\" to port 80 and \"https\" to port 443. If the redirect scheme does not have a well-known port, the listener port of the Gateway SHOULD be used. * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. \n Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: \n * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "responseHeaderModifier": { + "description": "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "RequestHeaderModifier", + "ResponseHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "group": { + "default": "", + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\". When unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Service", + "description": "Kind is kind of the referent. For example \"HTTPRoute\" or \"Service\". Defaults to \"Service\" when not specified.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "weight": { + "default": 1, + "description": "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used.", + "format": "int32", + "maximum": 1000000, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "filters": { + "description": "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or custom conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: foo my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\".", + "enum": [ + "RequestHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "matches": { + "default": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ], + "description": "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize rules based on the following criteria, continuing on ties. Precedence must be given to the the Rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned.", + "items": { + "description": "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: path: value: \"/foo\" headers: - name: \"version\" value \"v1\" ```", + "properties": { + "headers": { + "description": "Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route.", + "items": { + "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\".", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression HeaderMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "method": { + "description": "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH" + ], + "type": "string" + }, + "path": { + "default": { + "type": "PathPrefix", + "value": "/" + }, + "description": "Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the \"/\" path is provided.", + "properties": { + "type": { + "default": "PathPrefix", + "description": "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Custom (RegularExpression)", + "enum": [ + "Exact", + "PathPrefix", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "default": "/", + "description": "Value of the HTTP path to match against.", + "maxLength": 1024, + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "queryParams": { + "description": "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route.", + "items": { + "description": "HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.", + "properties": { + "name": { + "description": "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).", + "maxLength": 256, + "minLength": 1, + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression QueryParamMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP query param to be matched.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "Status defines the current state of HTTPRoute.", + "properties": { + "parents": { + "description": "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway.", + "items": { + "description": "RouteParentStatus describes the status of a route with respect to an associated Parent.", + "properties": { + "conditions": { + "description": "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the the controller does not have access to.", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }", + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "message is a human readable message indicating details about the transition. This may be an empty string.", + "maxLength": 32768, + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + "format": "int64", + "minimum": 0, + "type": "integer" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", + "type": "string" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "enum": [ + "True", + "False", + "Unknown" + ], + "type": "string" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", + "type": "string" + } + }, + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "minItems": 1, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "controllerName": { + "description": "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$", + "type": "string" + }, + "parentRef": { + "description": "ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "controllerName", + "parentRef" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + } + }, + "required": [ + "parents" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/httproute_v1beta3.json b/policy.linkerd.io/httproute_v1beta3.json new file mode 100644 index 00000000..653645a2 --- /dev/null +++ b/policy.linkerd.io/httproute_v1beta3.json @@ -0,0 +1,902 @@ +{ + "description": "HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "Spec defines the desired state of HTTPRoute.", + "properties": { + "hostnames": { + "description": "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core", + "items": { + "description": "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed.", + "maxLength": 253, + "minLength": 1, + "pattern": "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "parentRefs": { + "description": "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged.", + "items": { + "description": "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + }, + "rules": { + "default": [ + { + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ] + } + ], + "description": "Rules are a list of HTTP matchers, filters and actions.", + "items": { + "description": "HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches) and processing it (filters).", + "properties": { + "backendRefs": { + "description": "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core", + "items": { + "description": "HTTPBackendRef defines how a HTTPRoute should forward an HTTP request.", + "properties": { + "filters": { + "description": "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname in the `Host` header of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. \n If no port is specified, the redirect port MUST be derived using the following rules: \n * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically \"http\" to port 80 and \"https\" to port 443. If the redirect scheme does not have a well-known port, the listener port of the Gateway SHOULD be used. * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. \n Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: \n * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "responseHeaderModifier": { + "description": "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "RequestHeaderModifier", + "ResponseHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "group": { + "default": "", + "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\". When unspecified or empty string, core API group is inferred.", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Service", + "description": "Kind is kind of the referent. For example \"HTTPRoute\" or \"Service\". Defaults to \"Service\" when not specified.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "port": { + "description": "Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "weight": { + "default": 1, + "description": "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used.", + "format": "int32", + "maximum": 1000000, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "filters": { + "description": "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or custom conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core", + "items": { + "description": "HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.", + "properties": { + "requestHeaderModifier": { + "description": "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core", + "properties": { + "add": { + "description": "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: foo my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "remove": { + "description": "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar", + "items": { + "type": "string" + }, + "maxItems": 16, + "type": "array" + }, + "set": { + "description": "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar", + "items": { + "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent.", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "requestRedirect": { + "description": "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core", + "properties": { + "hostname": { + "description": "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "path": { + "description": "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended", + "properties": { + "replaceFullPath": { + "description": "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.", + "maxLength": 1024, + "type": "string" + }, + "replacePrefixMatch": { + "description": "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" and a ReplacePrefixMatch of \"/xyz\" would be modified to \"/xyz/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n Request Path | Prefix Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- /foo/bar | /foo | /xyz | /xyz/bar /foo/bar | /foo | /xyz/ | /xyz/bar /foo/bar | /foo/ | /xyz | /xyz/bar /foo/bar | /foo/ | /xyz/ | /xyz/bar /foo | /foo | /xyz | /xyz /foo/ | /foo | /xyz | /xyz/ /foo/bar | /foo | | /bar /foo/ | /foo | | / /foo | /foo | | / /foo/ | /foo | / | / /foo | /foo | / | /", + "maxLength": 1024, + "type": "string" + }, + "type": { + "description": "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.", + "enum": [ + "ReplaceFullPath", + "ReplacePrefixMatch" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended", + "format": "int32", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "scheme": { + "description": "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Support: Extended", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "statusCode": { + "default": 302, + "description": "StatusCode is the HTTP status code to be used in response. \n Support: Core", + "enum": [ + 301, + 302 + ], + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\".", + "enum": [ + "RequestHeaderModifier", + "RequestRedirect" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + }, + "matches": { + "default": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ], + "description": "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize rules based on the following criteria, continuing on ties. Precedence must be given to the the Rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned.", + "items": { + "description": "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: path: value: \"/foo\" headers: - name: \"version\" value \"v1\" ```", + "properties": { + "headers": { + "description": "Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route.", + "items": { + "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.", + "properties": { + "name": { + "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\".", + "maxLength": 256, + "minLength": 1, + "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression HeaderMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP Header to be matched.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "method": { + "description": "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH" + ], + "type": "string" + }, + "path": { + "default": { + "type": "PathPrefix", + "value": "/" + }, + "description": "Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the \"/\" path is provided.", + "properties": { + "type": { + "default": "PathPrefix", + "description": "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Custom (RegularExpression)", + "enum": [ + "Exact", + "PathPrefix", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "default": "/", + "description": "Value of the HTTP path to match against.", + "maxLength": 1024, + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "queryParams": { + "description": "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route.", + "items": { + "description": "HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.", + "properties": { + "name": { + "description": "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).", + "maxLength": 256, + "minLength": 1, + "type": "string" + }, + "type": { + "default": "Exact", + "description": "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Custom (RegularExpression) \n Since RegularExpression QueryParamMatchType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.", + "enum": [ + "Exact", + "RegularExpression" + ], + "type": "string" + }, + "value": { + "description": "Value is the value of HTTP query param to be matched.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array", + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "type": "array" + }, + "timeouts": { + "description": "Timeouts defines the timeouts that can be configured for an HTTP request. \n Support: Core \n ", + "properties": { + "backendRequest": { + "description": "BackendRequest specifies a timeout for an individual request from the gateway to a backend service. Typically used in conjunction with automatic retries, if supported by an implementation. Default is the value of Request timeout. \n Support: Extended", + "format": "duration", + "type": "string" + }, + "request": { + "description": "Request specifies a timeout for responding to client HTTP requests, disabled by default. \n For example, the following rule will timeout if a client request is taking longer than 10 seconds to complete: \n ``` rules: - timeouts: request: 10s backendRefs: ... ``` \n Support: Core", + "format": "duration", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 16, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "Status defines the current state of HTTPRoute.", + "properties": { + "parents": { + "description": "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway.", + "items": { + "description": "RouteParentStatus describes the status of a route with respect to an associated Parent.", + "properties": { + "conditions": { + "description": "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the the controller does not have access to.", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }", + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "message is a human readable message indicating details about the transition. This may be an empty string.", + "maxLength": 32768, + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + "format": "int64", + "minimum": 0, + "type": "integer" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", + "type": "string" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "enum": [ + "True", + "False", + "Unknown" + ], + "type": "string" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", + "type": "string" + } + }, + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 8, + "minItems": 1, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "controllerName": { + "description": "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$", + "type": "string" + }, + "parentRef": { + "description": "ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.", + "properties": { + "group": { + "default": "policy.linkerd.io", + "description": "Group is the group of the referent. \n Support: Core", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "default": "Gateway", + "description": "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "sectionName": { + "description": "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "controllerName", + "parentRef" + ], + "type": "object", + "additionalProperties": false + }, + "maxItems": 32, + "type": "array" + } + }, + "required": [ + "parents" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/meshtlsauthentication_v1alpha1.json b/policy.linkerd.io/meshtlsauthentication_v1alpha1.json new file mode 100644 index 00000000..31f9737f --- /dev/null +++ b/policy.linkerd.io/meshtlsauthentication_v1alpha1.json @@ -0,0 +1,73 @@ +{ + "properties": { + "spec": { + "description": "MeshTLSAuthentication defines a list of authenticated client IDs to be referenced by an `AuthorizationPolicy`. If a client connection has the mutually-authenticated identity that matches ANY of the of the provided identities, the connection is considered authenticated.", + "oneOf": [ + { + "required": [ + "identities" + ] + }, + { + "required": [ + "identityRefs" + ] + } + ], + "properties": { + "identities": { + "description": "Authorizes clients with the provided proxy identity strings (as provided via MTLS)\nThe `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.", + "items": { + "pattern": "^(\\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "identityRefs": { + "items": { + "properties": { + "group": { + "description": "Group is the group of the referent. When empty, the Kubernetes core API group is inferred.\"", + "maxLength": 253, + "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "kind": { + "description": "Kind is the kind of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", + "type": "string" + }, + "name": { + "description": "Name is the name of the referent. When unspecified, this refers to all resources of the specified Group and Kind in the specified namespace.", + "maxLength": 253, + "minLength": 1, + "type": "string" + }, + "namespace": { + "description": "Name is the name of the referent. When unspecified, this authentication refers to the local namespace.", + "maxLength": 253, + "type": "string" + } + }, + "required": [ + "kind" + ], + "type": "object", + "additionalProperties": false + }, + "minItems": 1, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/networkauthentication_v1alpha1.json b/policy.linkerd.io/networkauthentication_v1alpha1.json new file mode 100644 index 00000000..e792ee9a --- /dev/null +++ b/policy.linkerd.io/networkauthentication_v1alpha1.json @@ -0,0 +1,41 @@ +{ + "properties": { + "spec": { + "description": "NetworkAuthentication defines a list of authenticated client networks to be referenced by an `AuthorizationPolicy`. If a client connection originates from ANY of the of the provided networks, the connection is considered authenticated.", + "properties": { + "networks": { + "items": { + "properties": { + "cidr": { + "description": "The CIDR of the network to be authorized.", + "type": "string" + }, + "except": { + "description": "A list of IP networks/addresses not to be included in the above `cidr`.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "required": [ + "networks" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/server_v1alpha1.json b/policy.linkerd.io/server_v1alpha1.json new file mode 100644 index 00000000..c6746c7c --- /dev/null +++ b/policy.linkerd.io/server_v1alpha1.json @@ -0,0 +1,81 @@ +{ + "properties": { + "spec": { + "properties": { + "podSelector": { + "description": "Selects pods in the same namespace.", + "oneOf": [ + { + "required": [ + "matchExpressions" + ] + }, + { + "required": [ + "matchLabels" + ] + } + ], + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ], + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + } + }, + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "A port name or number. Must exist in a pod spec.", + "x-kubernetes-int-or-string": true + }, + "proxyProtocol": { + "default": "unknown", + "description": "Configures protocol discovery for inbound connections.\nSupersedes the `config.linkerd.io/opaque-ports` annotation.", + "type": "string" + } + }, + "required": [ + "podSelector", + "port" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/server_v1beta1.json b/policy.linkerd.io/server_v1beta1.json new file mode 100644 index 00000000..13aedfa6 --- /dev/null +++ b/policy.linkerd.io/server_v1beta1.json @@ -0,0 +1,69 @@ +{ + "properties": { + "spec": { + "properties": { + "podSelector": { + "description": "Selects pods in the same namespace.\nThe result of matchLabels and matchExpressions are ANDed. Selects all if empty.", + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ], + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + } + }, + "type": "object", + "additionalProperties": false + }, + "port": { + "description": "A port name or number. Must exist in a pod spec.", + "x-kubernetes-int-or-string": true + }, + "proxyProtocol": { + "default": "unknown", + "description": "Configures protocol discovery for inbound connections.\nSupersedes the `config.linkerd.io/opaque-ports` annotation.", + "type": "string" + } + }, + "required": [ + "podSelector", + "port" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/serverauthorization_v1alpha1.json b/policy.linkerd.io/serverauthorization_v1alpha1.json new file mode 100644 index 00000000..25c52b75 --- /dev/null +++ b/policy.linkerd.io/serverauthorization_v1alpha1.json @@ -0,0 +1,159 @@ +{ + "properties": { + "spec": { + "description": "Authorizes clients to communicate with Linkerd-proxied servers.", + "properties": { + "client": { + "description": "Describes clients authorized to access a server.", + "properties": { + "meshTLS": { + "properties": { + "identities": { + "description": "Authorizes clients with the provided proxy identity strings (as provided via MTLS)\nThe `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.", + "items": { + "pattern": "^(\\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "type": "array" + }, + "serviceAccounts": { + "description": "Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)", + "items": { + "properties": { + "name": { + "description": "The ServiceAccount's name.", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "namespace": { + "description": "The ServiceAccount's namespace. If unset, the authorization's namespace is used.", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "unauthenticatedTLS": { + "description": "Indicates that no client identity is required for communication.\nThis is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, + "networks": { + "description": "Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).", + "items": { + "properties": { + "cidr": { + "type": "string" + }, + "except": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "unauthenticated": { + "description": "Authorizes unauthenticated clients to access a server.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, + "server": { + "description": "Identifies servers in the same namespace for which this authorization applies.\nOnly one of `name` or `selector` may be specified.", + "oneOf": [ + { + "required": [ + "name" + ] + }, + { + "required": [ + "selector" + ] + } + ], + "properties": { + "name": { + "description": "References a `Server` instance by name", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "selector": { + "description": "A label query over servers on which this authorization applies.", + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ], + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "server", + "client" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +} diff --git a/policy.linkerd.io/serverauthorization_v1beta1.json b/policy.linkerd.io/serverauthorization_v1beta1.json new file mode 100644 index 00000000..25c52b75 --- /dev/null +++ b/policy.linkerd.io/serverauthorization_v1beta1.json @@ -0,0 +1,159 @@ +{ + "properties": { + "spec": { + "description": "Authorizes clients to communicate with Linkerd-proxied servers.", + "properties": { + "client": { + "description": "Describes clients authorized to access a server.", + "properties": { + "meshTLS": { + "properties": { + "identities": { + "description": "Authorizes clients with the provided proxy identity strings (as provided via MTLS)\nThe `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.", + "items": { + "pattern": "^(\\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "type": "array" + }, + "serviceAccounts": { + "description": "Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)", + "items": { + "properties": { + "name": { + "description": "The ServiceAccount's name.", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "namespace": { + "description": "The ServiceAccount's namespace. If unset, the authorization's namespace is used.", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "unauthenticatedTLS": { + "description": "Indicates that no client identity is required for communication.\nThis is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, + "networks": { + "description": "Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).", + "items": { + "properties": { + "cidr": { + "type": "string" + }, + "except": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "unauthenticated": { + "description": "Authorizes unauthenticated clients to access a server.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, + "server": { + "description": "Identifies servers in the same namespace for which this authorization applies.\nOnly one of `name` or `selector` may be specified.", + "oneOf": [ + { + "required": [ + "name" + ] + }, + { + "required": [ + "selector" + ] + } + ], + "properties": { + "name": { + "description": "References a `Server` instance by name", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "selector": { + "description": "A label query over servers on which this authorization applies.", + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ], + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "type": "object", + "x-kubernetes-preserve-unknown-fields": true + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "server", + "client" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object" +}