gateway.networking.x-k8s.io / v1alpha1 / XListenerSet
- string
.apiVersion
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- string
.kind
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- object
.metadata
- object required
.spec
Spec defines the desired state of ListenerSet.
- array required
.spec .listeners
Listeners associated with this ListenerSet. Listeners define logical endpoints that are bound on this referenced parent Gateway’s addresses.
Listeners in a Gateway and their attached ListenerSets are concatenated as a list when programming the underlying infrastructure. Each listener name does not need to be unique across the Gateway and ListenerSets. See ListenerEntry.Name for more details.
Implementations MUST treat the parent Gateway as having the merged list of all listeners from itself and attached ListenerSets using the following precedence:
- “parent” Gateway
- ListenerSet ordered by creation time (oldest first)
- ListenerSet ordered alphabetically by “{namespace}/{name}”.
An implementation MAY reject listeners by setting the ListenerEntryStatus Accepted condition to False with the Reason TooManyListeners. If a listener has a conflict, this will be reported in the Status.ListenerEntryStatus by setting the Conflicted condition to True.
Implementations SHOULD be cautious about what information from the parent or siblings is reported, to avoid accidentally leaking sensitive information that the child would not otherwise have access to. This can include the contents of Secrets, etc.
- object
.spec .listeners[] .allowedRoutes
AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present.
Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria:
- The most specific match as defined by the Route type.
- The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
- If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz.
All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported.
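As an added example (not code from the Gateway API project), this Go function realises the listener merge precedence given under spec.listeners and the same age-then-name tie-break the AllowedRoutes criteria above give for Routes: parent listeners first, then ListenerSets by creation time, then by namespace/name. The Listener and ListenerSet structs are simplified stand-ins for the real types.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Listener is the subset of a listener entry this ordering needs.
type Listener struct {
	Name string
	Port int32
}

// ListenerSet carries the fields the precedence rules look at.
type ListenerSet struct {
	Namespace string
	Name      string
	Created   time.Time
	Listeners []Listener
}

// olderThenName reports whether a sorts before b: oldest creation time first,
// then alphabetical by "{namespace}/{name}" when the timestamps are equal.
func olderThenName(aCreated time.Time, aKey string, bCreated time.Time, bKey string) bool {
	if !aCreated.Equal(bCreated) {
		return aCreated.Before(bCreated)
	}
	return aKey < bKey
}

// MergeListeners returns the list an implementation must program: the parent
// Gateway's own listeners first, then each attached ListenerSet's listeners in
// precedence order. The input order of sets does not matter.
func MergeListeners(parent []Listener, sets []ListenerSet) []Listener {
	ordered := append([]ListenerSet(nil), sets...) // sort a copy, not the caller's slice
	sort.SliceStable(ordered, func(i, j int) bool {
		a, b := ordered[i], ordered[j]
		return olderThenName(a.Created, a.Namespace+"/"+a.Name, b.Created, b.Namespace+"/"+b.Name)
	})
	merged := append([]Listener(nil), parent...)
	for _, s := range ordered {
		merged = append(merged, s.Listeners...)
	}
	return merged
}

func main() {
	// Constructed sample: two sets created at the same instant and one older set.
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	sets := []ListenerSet{
		{Namespace: "team-b", Name: "web", Created: t0.Add(time.Hour), Listeners: []Listener{{"b-https", 443}}},
		{Namespace: "team-a", Name: "web", Created: t0.Add(time.Hour), Listeners: []Listener{{"a-https", 443}}},
		{Namespace: "team-z", Name: "old", Created: t0, Listeners: []Listener{{"z-http", 80}}},
	}
	for _, l := range MergeListeners([]Listener{{"http", 80}}, sets) {
		fmt.Println(l.Name) // prints http, z-http, a-https, b-https in that order
	}
}
```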
- array
.spec .listeners[] .allowedRoutes .kinds
Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol.
A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener’s Protocol field. If an implementation does not support or recognize this resource type, it MUST set the “ResolvedRefs” condition to False for this Listener with the “InvalidRouteKinds” reason.
Support: Core
- string
.spec .listeners[] .allowedRoutes .kinds[] .group
Group is the group of the Route.
- string required
.spec .listeners[] .allowedRoutes .kinds[] .kind
Kind is the kind of the Route.
- object
.spec .listeners[] .allowedRoutes .namespaces
Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default.
Support: Core
- string
.spec .listeners[] .allowedRoutes .namespaces .from
From indicates where Routes will be selected for this Gateway. Possible values are:
- All: Routes in all namespaces may be used by this Gateway.
- Selector: Routes in namespaces selected by the selector may be used by this Gateway.
- Same: Only Routes in the same namespace may be used by this Gateway.
Support: Core
- object
.spec .listeners[] .allowedRoutes .namespaces .selector
Selector must be specified when From is set to “Selector”. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of “From”.
Support: Core
- array
.spec .listeners[] .allowedRoutes .namespaces .selector .matchExpressions
matchExpressions is a list of label selector requirements. The requirements are ANDed.
- string required
.spec .listeners[] .allowedRoutes .namespaces .selector .matchExpressions[] .key
key is the label key that the selector applies to.
- string required
.spec .listeners[] .allowedRoutes .namespaces .selector .matchExpressions[] .operator
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- array
.spec .listeners[] .allowedRoutes .namespaces .selector .matchExpressions[] .values
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- object
.spec .listeners[] .allowedRoutes .namespaces .selector .matchLabels
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
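The namespaces block above is where a listener's trust boundary for Route attachment is enforced. This added example (not Gateway API code) evaluates allowedRoutes.namespaces.from together with the selector fields against a Route's namespace labels, failing closed on unknown operators or from values; LabelSelector and Requirement are simplified stand-ins for the Kubernetes types.

```go
package main

// LabelSelector mirrors the selector fields above: matchLabels and
// matchExpressions, all of whose requirements are ANDed.
type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

// Requirement is one matchExpressions entry.
type Requirement struct {
	Key      string
	Operator string // In, NotIn, Exists, DoesNotExist
	Values   []string
}

// operators maps each valid operator to its test, given whether the key is
// present on the namespace and whether its value is in the requirement's set.
var operators = map[string]func(present, inSet bool) bool{
	"Exists":       func(present, _ bool) bool { return present },
	"DoesNotExist": func(present, _ bool) bool { return !present },
	"In":           func(_, inSet bool) bool { return inSet },
	"NotIn":        func(_, inSet bool) bool { return !inSet },
}

// Matches evaluates the selector against a namespace's labels. Each
// matchLabels pair is treated as an "In" requirement with a single value.
func (s LabelSelector) Matches(labels map[string]string) bool {
	reqs := append([]Requirement(nil), s.MatchExpressions...)
	for k, v := range s.MatchLabels {
		reqs = append(reqs, Requirement{Key: k, Operator: "In", Values: []string{v}})
	}
	for _, r := range reqs {
		val, present := labels[r.Key]
		inSet := false
		for _, v := range r.Values {
			inSet = inSet || (present && v == val)
		}
		test, known := operators[r.Operator]
		if !known || !test(present, inSet) {
			return false // an unknown operator fails closed rather than widening the selection
		}
	}
	return true
}

// RouteNamespaceAllowed applies allowedRoutes.namespaces: may a Route in
// routeNS attach to a listener whose XListenerSet lives in listenerNS? An
// empty from is the default, Same; any unrecognised value fails closed.
func RouteNamespaceAllowed(from, listenerNS, routeNS string, sel *LabelSelector, routeNSLabels map[string]string) bool {
	switch from {
	case "", "Same":
		return routeNS == listenerNS
	case "All":
		return true
	case "Selector":
		return sel != nil && sel.Matches(routeNSLabels)
	}
	return false
}
```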
- string
.spec .listeners[] .hostname
Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don’t require hostname based matching.
Implementations MUST apply Hostname matching appropriately for each of the following protocols:
- TLS: The Listener Hostname MUST match the SNI.
- HTTP: The Listener Hostname MUST match the Host header of the request.
- HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that.
For HTTPRoute and TLSRoute resources, there is an interaction with the spec.hostnames array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation.
Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com and foo.test.example.com, but not example.com.
- string required
.spec .listeners[] .name
Name is the name of the Listener. This name MUST be unique within a ListenerSet.
Name is not required to be unique across a Gateway and ListenerSets. Routes can attach to a Listener by having a ListenerSet as a parentRef and setting the SectionName.
- integer required
.spec .listeners[] .port
Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
- string required
.spec .listeners[] .protocol
Protocol specifies the network protocol this listener expects to receive.
- object
.spec .listeners[] .tls
TLS is the TLS configuration for the Listener. This field is required if the Protocol field is “HTTPS” or “TLS”. It is invalid to set this field if the Protocol field is “HTTP”, “TCP”, or “UDP”.
The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener.
The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake.
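Added example (not project code) implementing the three hostname rules this page states: the wildcard suffix match from the hostname field, the listener/route hostname intersection required for a Route to be accepted, and the longest-matching-SNI rule for certificate selection. It assumes each listener's hostname is the name its certificateRefs serve, which is how the page ties SNI to the hostname field.

```go
package main

import "strings"

// HostnameMatches applies the listener hostname rules from the page: an
// unspecified hostname matches everything, a plain hostname must match
// exactly, and a leading "*." label is a suffix match on whole labels, so
// "*.example.com" matches "test.example.com" and "foo.test.example.com"
// but not "example.com". DNS names are compared case-insensitively.
func HostnameMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == "" {
		return true
	}
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".example.com"
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// RouteHostnameIntersection returns the Route hostnames that overlap the
// listener hostname. Either side may be a wildcard: a Route hostname is kept
// when the listener pattern covers it or it covers the listener pattern.
// A Route without hostnames inherits the listener hostname. An empty result
// means there is no intersection and the Route must not be accepted.
func RouteHostnameIntersection(listener string, route []string) []string {
	if len(route) == 0 {
		return []string{listener}
	}
	var out []string
	for _, h := range route {
		if HostnameMatches(listener, h) || HostnameMatches(h, listener) {
			out = append(out, h)
		}
	}
	return out
}

// LongestMatchingHostname selects which listener's certificate serves a TLS
// handshake: among the candidate listener hostnames that match the SNI, the
// longest one wins, so an exact name beats its wildcard and a wildcard beats
// the catch-all "" listener. ok is false when nothing matches.
func LongestMatchingHostname(candidates []string, sni string) (best string, ok bool) {
	for _, c := range candidates {
		if !HostnameMatches(c, sni) {
			continue
		}
		if !ok || len(c) > len(best) {
			best, ok = c, true
		}
	}
	return best, ok
}
```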
- array
.spec .listeners[] .tls .certificateRefs
CertificateRefs contains a series of references to Kubernetes objects that contain TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener.
A single CertificateRef to a Kubernetes Secret has “Core” support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific.
References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason.
This field is required to have at least one element when the mode is set to “Terminate” (default) and is optional otherwise.
CertificateRefs can reference standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources.
Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
Support: Implementation-specific (More than one reference or other resource types)
- string
.spec .listeners[] .tls .certificateRefs[] .group
Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred.
- string
.spec .listeners[] .tls .certificateRefs[] .kind
Kind is the kind of the referent. For example “Secret”.
- string required
.spec .listeners[] .tls .certificateRefs[] .name
Name is the name of the referent.
- string
.spec .listeners[] .tls .certificateRefs[] .namespace
Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.
Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
Support: Core
- object
.spec .listeners[] .tls .frontendValidation
FrontendValidation holds configuration information for validating the frontend (client). Setting this field will require clients to send a client certificate for validation during the TLS handshake. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is implementation-specific.
Support: Extended
- array
.spec .listeners[] .tls .frontendValidation .caCertificateRefs
CACertificateRefs contains one or more references to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client.
A single CA certificate reference to a Kubernetes ConfigMap has “Core” support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap with the CA certificate in a key named ca.crt.
Support: Implementation-specific (More than one reference, or other kinds of resources).
References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason.
- string required
.spec .listeners[] .tls .frontendValidation .caCertificateRefs[] .group
Group is the group of the referent. For example, “gateway.networking.k8s.io”. When set to the empty string, core API group is inferred.
- string required
.spec .listeners[] .tls .frontendValidation .caCertificateRefs[] .kind
Kind is the kind of the referent. For example “ConfigMap” or “Service”.
- string required
.spec .listeners[] .tls .frontendValidation .caCertificateRefs[] .name
Name is the name of the referent.
- string
.spec .listeners[] .tls .frontendValidation .caCertificateRefs[] .namespace
Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.
Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
Support: Core
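Added example (not Gateway API code) of the ReferenceGrant check the certificateRefs and caCertificateRefs fields require for cross-namespace references: the grant must exist in the target namespace, name the referrer in from and the referent in to, and otherwise ResolvedRefs is False with RefNotPermitted. The ReferenceGrant shape modelled here and the use of XListenerSet as the from kind are assumptions of the example.

```go
package main

// ObjectRef is the shape of a certificateRefs / caCertificateRefs entry.
// Group "" is the core API group; Namespace "" means the referring object's.
type ObjectRef struct {
	Group, Kind, Name, Namespace string
}

// GrantFrom and GrantTo model a ReferenceGrant's from/to entries as this
// example assumes them: from = who may refer (group, kind, namespace),
// to = what may be referred to (group, kind, optional name). The grant
// itself lives in the namespace of the referenced object.
type GrantFrom struct{ Group, Kind, Namespace string }
type GrantTo struct{ Group, Kind, Name string } // Name "" allows any name
type ReferenceGrant struct {
	Namespace string
	From      []GrantFrom
	To        []GrantTo
}

// RefResult carries the ResolvedRefs outcome for one reference.
type RefResult struct {
	Resolved bool
	Reason   string // "RefNotPermitted" when a cross-namespace ref lacks a grant
}

// CheckRef resolves ref made by an XListenerSet in setNS. Same-namespace
// references need no grant; any other namespace needs a grant in the target
// namespace that lists the referrer in from and the referent in to.
func CheckRef(setNS string, ref ObjectRef, grants []ReferenceGrant) RefResult {
	targetNS := ref.Namespace
	if targetNS == "" || targetNS == setNS {
		return RefResult{Resolved: true}
	}
	referrer := GrantFrom{Group: "gateway.networking.x-k8s.io", Kind: "XListenerSet", Namespace: setNS}
	for _, g := range grants {
		if g.Namespace != targetNS {
			continue // only the owner of the target namespace can consent; a grant elsewhere is ignored
		}
		if fromAllows(g.From, referrer) && toAllows(g.To, ref) {
			return RefResult{Resolved: true}
		}
	}
	return RefResult{Resolved: false, Reason: "RefNotPermitted"}
}

func fromAllows(from []GrantFrom, r GrantFrom) bool {
	for _, f := range from {
		if f == r {
			return true
		}
	}
	return false
}

func toAllows(to []GrantTo, ref ObjectRef) bool {
	for _, t := range to {
		if t.Group == ref.Group && t.Kind == ref.Kind && (t.Name == "" || t.Name == ref.Name) {
			return true
		}
	}
	return false
}
```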
- string
.spec .listeners[] .tls .mode
Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes:
- Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs field.
- Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can’t decipher the TLS stream except for the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode.
Support: Core
- object
.spec .listeners[] .tls .options
Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.
A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as example.com/my-custom-option. Un-prefixed names are reserved for key names defined by Gateway API.
Support: Implementation-specific
- object required
.spec .parentRef
ParentRef references the Gateway that the listeners are attached to.
- string
.spec .parentRef .group
Group is the group of the referent.
- string
.spec .parentRef .kind
Kind is the kind of the referent. For example “Gateway”.
- string required
.spec .parentRef .name
Name is the name of the referent.
- string
.spec .parentRef .namespace
Namespace is the namespace of the referent. If not present, the namespace of the referent is assumed to be the same as the namespace of the referring object.
- object
.status
Status defines the current state of ListenerSet.
- array
.status .conditions
Conditions describe the current conditions of the ListenerSet.
Implementations MUST express ListenerSet conditions using the ListenerSetConditionType and ListenerSetConditionReason constants so that operators and tools can converge on a common vocabulary to describe ListenerSet state.
Known condition types are:
- “Accepted”
- “Programmed”
- string required
.status .conditions[] .lastTransitionTime
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- string required
.status .conditions[] .message
message is a human readable message indicating details about the transition. This may be an empty string.
- integer
.status .conditions[] .observedGeneration
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
- string required
.status .conditions[] .reason
reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
- string required
.status .conditions[] .status
status of the condition, one of True, False, Unknown.
- string required
.status .conditions[] .type
type of condition in CamelCase or in foo.example.com/CamelCase.
- array
.status .listeners
Listeners provide status for each unique listener port defined in the Spec.
- integer required
.status .listeners[] .attachedRoutes
AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener.
Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route’s ParentRefs field. A Route is successfully attached to a Listener when it is selected by the Listener’s AllowedRoutes field AND the Route has a valid ParentRef selecting the whole Gateway resource or a specific Listener as a parent resource (more detail on attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions.
Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener.
- array required
.status .listeners[] .conditions
Conditions describe the current condition of this listener.
- string required
.status .listeners[] .conditions[] .lastTransitionTime
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- string required
.status .listeners[] .conditions[] .message
message is a human readable message indicating details about the transition. This may be an empty string.
- integer
.status .listeners[] .conditions[] .observedGeneration
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
- string required
.status .listeners[] .conditions[] .reason
reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
- string required
.status .listeners[] .conditions[] .status
status of the condition, one of True, False, Unknown.
- string required
.status .listeners[] .conditions[] .type
type of condition in CamelCase or in foo.example.com/CamelCase.
- string required
.status .listeners[] .name
Name is the name of the Listener that this status corresponds to.
- integer required
.status .listeners[] .port
Port is the network port the listener is configured to listen on.
- array required
.status .listeners[] .supportedKinds
SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the “ResolvedRefs” condition to “False” with the “InvalidRouteKinds” reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified.
- string
.status .listeners[] .supportedKinds[] .group
Group is the group of the Route.
- string required
.status .listeners[] .supportedKinds[] .kind
Kind is the kind of the Route.