diff --git a/.github/workflows/publish-doc.yaml b/.github/workflows/publish-doc.yaml index 77c3d70f..4d32a4d6 100644 --- a/.github/workflows/publish-doc.yaml +++ b/.github/workflows/publish-doc.yaml @@ -4,6 +4,7 @@ on: push: branches: - main + - 'release-v*.*.*' jobs: publish-docs: runs-on: ubuntu-latest @@ -24,10 +25,14 @@ jobs: run: | python -m pip install --upgrade pip pip install mkdocs-material mike - - name: Build + - name: Deploy to Mike run: | - mike deploy 1.0.5 latest --update-aliases --push - mike set-default latest --allow-empty --push - - - + if [[ ${{ github.ref }} == refs/heads/main ]]; then + # Deploy to the mike doc version `dev` and update the `latest` alias for the main branch new git commits + mike deploy dev latest --update-aliases --push + elif [[ ${{ github.ref }} == refs/heads/release-v* ]]; then + # Deploy to the mike doc version `vx.x.x` for the new git branches `release-vx.x.x` + branch_name=${{ github.ref }} + version=${branch_name##refs/heads/release-} + mike deploy $version --push + fi diff --git a/.gitignore b/.gitignore index 28cbe8f4..0c239275 100644 --- a/.gitignore +++ b/.gitignore @@ -16,7 +16,7 @@ go.work* # gomock generated prog.go pkg/aws/services/gomock_reflect_* - +mocks/controller-runtime/client/gomock_reflect_* pkg/**/prog.* # Image build tarballed bundles diff --git a/docs/api-types/target-group-policy.md b/docs/api-types/target-group-policy.md index 5601ecd6..93acfc0c 100644 --- a/docs/api-types/target-group-policy.md +++ b/docs/api-types/target-group-policy.md 
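Review bot: The new "Deploy to Mike" step interpolates `${{ github.ref }}` straight into the shell script three times (both `[[ ... ]]` tests and `branch_name=${{ github.ref }}`); the expression is substituted into the script text before bash parses it, so the ref is treated as shell syntax rather than as data, which is the pattern GitHub's workflow-hardening guidance advises against. The `on.push.branches` filter limits this workflow to `main` and `release-v*.*.*`, so the practical exposure is confined to whoever can push such a branch, but the step then runs `mike deploy --push` with the job's write token, so it is worth closing anyway. The runner already exports the same value as the `GITHUB_REF` environment variable, which bash reads as a variable, and the `version` derived from it should be quoted before it reaches `mike deploy`. Rewritten step body below; the two explanatory comments and the `dev`/`latest` deploy line are unchanged.
```yaml
        run: |
          if [[ "$GITHUB_REF" == refs/heads/main ]]; then
            # … unchanged: comment and `mike deploy dev latest --update-aliases --push` …
          elif [[ "$GITHUB_REF" == refs/heads/release-v* ]]; then
            # … unchanged: comment …
            version=${GITHUB_REF##refs/heads/release-}
            mike deploy "$version" --push
          fi
```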
@@ -3,35 +3,39 @@ ## Introduction By default, AWS Gateway API Controller assumes plaintext HTTP/1 traffic for backend Kubernetes resources. -TargetGroupPolicy is a CRD that can be attached to a Service, which allows the users to define protocol and -health check configurations of those backend resources. +TargetGroupPolicy is a CRD that can be attached to Service or ServiceExport, which allows the users to define protocol, protocol version and +health check configurations of those backend resources. When attaching a policy to a resource, the following restrictions apply: -- A policy can be only attached to `Service` resources. -- The attached resource can only be `backendRef` of `HTTPRoute` and `GRPCRoute`. +- A policy can be attached to `Service` that being `backendRef` of `HTTPRoute`, `GRPCRoute` and `TLSRoute`. +- A policy can be attached to `ServiceExport`. - The attached resource should exist in the same namespace as the policy resource. The policy will not take effect if: - - The resource does not exist - The resource is not referenced by any route - The resource is referenced by a route of unsupported type +- The ProtocolVersion is non-empty if the TargetGroupPolicy protocol is TCP + +Please check the TargetGroupPolicy API Reference for more details. [TargetGroupPolicy API Reference](../api-reference.md#application-networking.k8s.aws/v1alpha1.TargetGroupPolicy) + These restrictions are not forced; for example, users may create a policy that targets a service that is not created yet. However, the policy will not take effect unless the target is valid. + + ### Limitations and Considerations -- Attaching TargetGroupPolicy to a resource that is already referenced by a route will result in a replacement +- Attaching TargetGroupPolicy to a Service that is already referenced by a route will result in a replacement of VPC Lattice TargetGroup resource, except for health check updates. 
+- Attaching TargetGroupPolicy to a ServiceExport will result in a replacement of VPC Lattice TargetGroup resource, except for health check updates. - Removing TargetGroupPolicy of a resource will roll back protocol configuration to default setting. (HTTP1/HTTP plaintext) ## Example Configuration -This will enable TLS traffic between the gateway and Kubernetes service, with customized health check configuration. - -Note that the TLS traffic is always terminated at the gateway, so it will be re-encrypted in this case. The gateway does not perform any certificate validations to the certificate on targets. +This will enable HTTPS traffic between the gateway and Kubernetes service, with customized health check configuration. ``` apiVersion: application-networking.k8s.aws/v1alpha1 diff --git a/docs/api-types/tls-route.md b/docs/api-types/tls-route.md new file mode 100644 index 00000000..0f0fd77f --- /dev/null +++ b/docs/api-types/tls-route.md 
@@ -0,0 +1,62 @@ +# TLSRoute API Reference + +## Introduction + +With integration of the Gateway API, AWS Gateway API Controller supports `TLSRoute`. +This allows you to define and manage end-to-end TLS encrypted traffic routing to your Kubernetes clusters. + +### TLSRoute Key Features & Limitations + +**Features**: + +- **Routing Traffic**: Enables routing end-to-end TLS encrypted traffic from your client workload to server workload. + + +**Limitations**: + +- **Listener Protocol**: The `TLSRoute` sectionName must refer to an TLS protocol listener with mode: Passthrough in the parent `Gateway`. + +- `TLSRoute` only supports to have one rule. +- `TLSRoute` don't support `matches` field in the rule. +- The `hostnames` field with exactly one host name is required. This domain name is used as a vpc lattice's Service Name Indication (SNI) match. + + +## Example Configuration + +Here is a sample configuration that demonstrates how to set up a `TLSRoute` resource to route end-to-end TLS encrypted traffic to a nginx service: + +```yaml +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: nginx-tls-route +spec: + hostnames: + - nginx-test.my-test.com + parentRefs: + - name: my-hotel-tls-passthrough + sectionName: tls + rules: + - backendRefs: + - name: nginx-tls + kind: Service + port: 443 +``` + +In this example: + +- The `TLSRoute` is named ` nginx-tls-route` and is associated with a parent gateway named `my-hotel-tls-passthrough` that has + a listener section named `tls`: +``` + - name: tls + protocol: TLS + port: 443 + tls: + mode: Passthrough +``` +- The `TLSRoute` is configured to route traffic to a k8s service named `nginx-tls` on port 443. +- The `hostnames` field is set to `nginx-test.my-test.com`. The customer must use this domain name to send traffic to the nginx service. 
+ +This `TLSRoute` documentation provides a detailed introduction, feature set, and a basic example of how to configure +and use the resource within AWS Gateway API Controller project. For in-depth details and specifications, you can refer to the +official [Gateway API documentation](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute). \ No newline at end of file diff --git a/docs/guides/tls-passthrough.md b/docs/guides/tls-passthrough.md new file mode 100644 index 00000000..ef9abd3f --- /dev/null +++ b/docs/guides/tls-passthrough.md 
@@ -0,0 +1,257 @@ +# TLS Passthrough Support + +[Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/guides/tls/) lays out the general guidelines on how to configure TLS passthrough. Here are examples on how to use them against AWS Gateway Api controller and VPC Lattice. + +## Install Gateway API TLSRoute CRD + +The TLSRoute CRD already included in the helm chart and deployment.yaml, If you are using these 2 methods to install the controller no extra steps are needed. +If you want to install the CRD manually by yourself: +``` +# Install CRD +kubectl apply -f config/crds/bases/gateway.networking.k8s.io_tlsroutes.yaml +# Verfiy TLSRoute CRD +kubectl get crd tlsroutes.gateway.networking.k8s.io +NAME CREATED AT +tlsroutes.gateway.networking.k8s.io 2024-03-07T23:16:22Z +``` + +## Setup TLS Passthrough Connectivity in a single cluster + +### 1. Configure TLS Passthrough Listener on Gateway + +``` +kubectl apply -f files/examples/gateway-tls-passthrough.yaml +``` + +``` +# tls listener config snips: +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: my-hotel-tls-passthrough +spec: + gatewayClassName: amazon-vpc-lattice + listeners: + ... + - name: tls + protocol: TLS + port: 443 + tls: + mode: Passthrough + ... +``` + +### 2. Configure TLSRoute + +``` +# Suppose in the below example, we use the "parking" service as the client pod to test the TLS passthrough traffic. +kubectl apply -f files/examples/parking.yaml + +# Configure nginx backend service (This nginx image includes a self-signed certificate) +kubectl apply -f files/example/nginx-server-tls-passthrough.yaml + +# configure nginx tls route +kubectl apply -f files/examples/tlsroute-nginx.yaml + +``` + +### 3. 
Verify the controller has reconciled nginx-tls route + +Make sure the TLSRoute has the `application-networking.k8s.aws/lattice-assigned-domain-name` annotation and status `Accepted: True` +``` +kubectl get tlsroute nginx-tls -o yaml +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + annotations: + application-networking.k8s.aws/lattice-assigned-domain-name: nginx-tls-default-0af995120af2711bc.7d67968.vpc-lattice-svcs.us-west-2.on.aws + ... + name: nginx-tls + namespace: default + ... + +status: + parents: + - conditions: + - lastTransitionTime: ..... + message: "" + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: ..... + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: application-networking.k8s.aws/gateway-api-controller + +``` + +### 4. Verify TLS Passthrough Traffic + +``` +kubectl get deployment nginx-tls +NAME READY UP-TO-DATE AVAILABLE AGE +nginx-tls 2/2 2 2 1d + +kubectl exec deployments/parking -- curl -kv https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.0 + +* Trying 169.254.171.0:443... 
+* Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0) +* ALPN, offering h2 +* ALPN, offering http/1.1 +* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH +* successfully set certificate verify locations: +* CAfile: /etc/pki/tls/certs/ca-bundle.crt +* CApath: none +* TLSv1.2 (OUT), TLS header, Certificate Status (22): +* TLSv1.2 (OUT), TLS handshake, Client hello (1): +* TLSv1.2 (IN), TLS handshake, Server hello (2): +* TLSv1.2 (IN), TLS handshake, Certificate (11): +* TLSv1.2 (IN), TLS handshake, Server key exchange (12): +* TLSv1.2 (IN), TLS handshake, Server finished (14): +* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): +* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): +* TLSv1.2 (OUT), TLS handshake, Finished (20): +* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): +* TLSv1.2 (IN), TLS handshake, Finished (20): +* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 +* ALPN, server accepted to use h2 +* Server certificate: +* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; emailAddress=liwenwu@amazon.com +* start date: Mar 5 21:26:24 2024 GMT +# use customer defined name +curl -k -v https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.32 +* Added nginx-test.my-test.com:443:169.254.171.32 to DNS cache +* Hostname nginx-test.my-test.com was found in DNS cache +* Trying 169.254.171.0:443... 
+* Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0) +* ALPN, offering h2 +* ALPN, offering http/1.1 +* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH +* successfully set certificate verify locations: +* CAfile: /etc/pki/tls/certs/ca-bundle.crt +* CApath: none +* TLSv1.2 (OUT), TLS header, Certificate Status (22): +* TLSv1.2 (OUT), TLS handshake, Client hello (1): +* TLSv1.2 (IN), TLS handshake, Server hello (2): +* TLSv1.2 (IN), TLS handshake, Certificate (11): +* TLSv1.2 (IN), TLS handshake, Server key exchange (12): +* TLSv1.2 (IN), TLS handshake, Server finished (14): +* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): +* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): +* TLSv1.2 (OUT), TLS handshake, Finished (20): +* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): +* TLSv1.2 (IN), TLS handshake, Finished (20): +* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 +* ALPN, server accepted to use h2 +* Server certificate: +* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; emailAddress=liwenwu@amazon.com + +.... + +

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+.... + +``` + +## Setup TLS Passthrough Connectivity spanning multiple clusters + + +![tlsoute multi cluster](../images/tlsroute-multi-cluster.png) + +### 1. In this example we still use the "parking" Kubernetes service as the client pod to test the cross cluster TLS passthrough traffic. +``` +kubectl apply -f files/examples/parking.yaml +``` + +### 2. In cluster-1, create `tls-rate1` Kubernetes Service: +``` +kubectl apply -f files/examples/tls-rate1.yaml +``` + +### 3. Configure ServieExport with TargetGroupPolicy `protocol:TCP` in cluster-2 + +``` +# Create tls-rate2 Kubernetes Service in cluster-2 +kubectl apply -f files/examples/tls-rate2.yaml +# Create serviceexport in cluster-2 +kubectl apply -f files/examples/tls-rate2-export.yaml +# Create targetgroup policy to configure TCP protocol for tls-rate2 in cluster-2 +kubectl apply -f files/examples/tls-rate2-targetgrouppolicy.yaml +``` + +``` +# Snips of serviceexport config +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: ServiceExport +metadata: + name: tls-rate-2 + annotations: + application-networking.k8s.aws/federation: "amazon-vpc-lattice" +# Snips of targetgroup policy config +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: TargetGroupPolicy +metadata: + name: tls-rate2 +spec: + targetRef: + group: "application-networking.k8s.aws" + kind: ServiceExport + name: tls-rate2 + protocol: TCP +``` + +### 4. Configure ServiceImport in cluster1 + +``` +kubectl apply -f files/examples/tls-rate2-import.yaml +``` + +### 5. 
Configure TLSRoute for bluegreen deployment + +``` +kubectl apply -f files/examples/rate-tlsroute-bluegreen.yaml + +# snips of TLSRoute span multiple Kubernetes Clusters +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: tls-rate +spec: + hostnames: + - tls-rate.my-test.com + parentRefs: + - name: my-hotel-tls + sectionName: tls + rules: + - backendRefs: + - name: tls-rate1 <---------- to Kubernetes Cluster-1 + kind: Service + port: 443 + weight: 10 + - name: tls-rate2 <---------- to Kubernetes Cluster-2 + kind: ServiceImport + port: 443 + weight: 90 +``` +### 6. Verify cross-cluster TLS passthrough traffic + +Expected to receive the weighted traffic route to tls-rate1 service(10%) and tls-rate2 service(90%), if you curl the `tls-rate.my-test.com` from the client pod multiple times: +``` +kubectl exec deploy/parking -- sh -c 'for ((i=1; i<=30; i++)); do curl -k https://tls-rate.my-test.com --resolve tls-rate.my-test.com:443:169.254.171.0 2>/dev/null; done' + +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod <----> k8s service in cluster-2 +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod +Requsting to TLS Pod(tls-rate1-98cc7fd87a-642zw): tls-rate1 handler pod <----> k8s service in cluster-1 +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod +Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod +Requsting to TLS Pod(tls-rate1-98cc7fd87a-642zw): tls-rate1 handler pod +``` diff --git a/docs/images/tlsroute-multi-cluster.png b/docs/images/tlsroute-multi-cluster.png new file mode 100644 index 00000000..ba7b6c28 Binary files /dev/null and b/docs/images/tlsroute-multi-cluster.png differ 
diff --git a/files/examples/my-gateway-tls-passthrough.yaml b/files/examples/my-gateway-tls-passthrough.yaml new file mode 100644 index 00000000..79cff561 --- /dev/null +++ b/files/examples/my-gateway-tls-passthrough.yaml @@ -0,0 +1,15 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: my-hotel-tls-passthrough +spec: + gatewayClassName: amazon-vpc-lattice + listeners: + - name: http + protocol: HTTP + port: 80 + - name: tls + protocol: TLS + port: 443 + tls: + mode: Passthrough \ No newline at end of file diff --git a/files/examples/nginx-server-tls-passthrough.yaml b/files/examples/nginx-server-tls-passthrough.yaml new file mode 100644 index 00000000..4833d8cb --- /dev/null +++ b/files/examples/nginx-server-tls-passthrough.yaml @@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-tls +spec: + selector: + matchLabels: + app: nginx-tls + replicas: 2 + template: + metadata: + labels: + app: nginx-tls + spec: + containers: + - name: nginx-tls + image: public.ecr.aws/x2j8p8w7/lattice-test-server:latest + ports: + - containerPort: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-tls +spec: + selector: + app: nginx-tls + ports: + - protocol: TCP + port: 443 + targetPort: 443 + diff --git a/files/examples/rate-tlsroute-bluegreen.yaml b/files/examples/rate-tlsroute-bluegreen.yaml new file mode 100644 index 00000000..9a7a02eb --- /dev/null +++ b/files/examples/rate-tlsroute-bluegreen.yaml @@ -0,0 +1,20 @@ +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: rate-tls-passthrough +spec: + hostnames: + - tls-rate.my-test.com + parentRefs: + - name: my-hotel-tls-passthrough + sectionName: tls + rules: + - backendRefs: + - name: tls-rate1 + kind: Service + port: 443 + weight: 10 + - name: tls-rate2 + kind: ServiceImport + port: 443 + weight: 90 \ No newline at end of file 
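Review bot: This manifest is committed as `files/examples/my-gateway-tls-passthrough.yaml`, but the new guide in `docs/guides/tls-passthrough.md` applies `files/examples/gateway-tls-passthrough.yaml`, so the very first `kubectl apply` in the walkthrough fails as written. The same drift between the guide and the other example manifests in this commit: the guide applies `files/example/nginx-server-tls-passthrough.yaml` (singular directory) for `nginx-server-tls-passthrough.yaml`; it runs `kubectl get tlsroute nginx-tls` while `tlsroute-nginx.yaml` names the route `nginx-tls-route`; it shows the blue/green route as `tls-rate` with parent `my-hotel-tls` where `rate-tlsroute-bluegreen.yaml` uses `rate-tls-passthrough` and `my-hotel-tls-passthrough`; and it shows the ServiceExport as `tls-rate-2` where `tls-rate2-export.yaml` and the TargetGroupPolicy's `targetRef.name` use `tls-rate2`. Either rename the files and objects to what the guide references or update the guide's commands and snippets to the names committed here. The manifests are consistent with each other as far as this diff shows: every `parentRefs.name` is `my-hotel-tls-passthrough` and `sectionName: tls` matches the `tls` listener defined in this file.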
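Review bot: `image: public.ecr.aws/x2j8p8w7/lattice-test-server:latest` in the `nginx-tls` Deployment is a floating tag, so the behaviour the guide verifies step by step (including the self-signed certificate the guide says this image contains, whose subject appears in the documented `curl -k -v` output) can change underneath readers whenever the tag is re-pushed; the same applies to `public.ecr.aws/x2j8p8w7/https-server:latest` in `tls-rate1.yaml` and `tls-rate2.yaml`. For example manifests that documentation walks through, pin a specific tag or digest, e.g. `image: public.ecr.aws/x2j8p8w7/lattice-test-server:<pinned-tag-or-digest>` (placeholder), so the documented output is reproducible. A one-line comment above the `image:` line saying where the certificate baked into the image comes from would also help readers who see certificate details they did not create.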
diff --git a/files/examples/tls-rate1.yaml b/files/examples/tls-rate1.yaml new file mode 100644 index 00000000..677600ed --- /dev/null +++ b/files/examples/tls-rate1.yaml @@ -0,0 +1,36 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tls-rate1 + labels: + app: tls-rate1 +spec: + replicas: 2 + selector: + matchLabels: + app: tls-rate1 + template: + metadata: + labels: + app: tls-rate1 + spec: + containers: + - name: tls-rate1 + image: public.ecr.aws/x2j8p8w7/https-server:latest + env: + - name: PodName + value: "tls-rate1 handler pod" + + +--- +apiVersion: v1 +kind: Service +metadata: + name: tls-rate1 +spec: + selector: + app: tls-rate1 + ports: + - protocol: TCP + port: 443 + targetPort: 443 \ No newline at end of file diff --git a/files/examples/tls-rate2-export.yaml b/files/examples/tls-rate2-export.yaml new file mode 100644 index 00000000..352944fc --- /dev/null +++ b/files/examples/tls-rate2-export.yaml @@ -0,0 +1,6 @@ +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: ServiceExport +metadata: + name: tls-rate2 + annotations: + application-networking.k8s.aws/federation: "amazon-vpc-lattice" \ No newline at end of file diff --git a/files/examples/tls-rate2-import.yaml b/files/examples/tls-rate2-import.yaml new file mode 100644 index 00000000..3faf33e4 --- /dev/null +++ b/files/examples/tls-rate2-import.yaml @@ -0,0 +1,9 @@ +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: ServiceImport +metadata: + name: tls-rate2 +spec: + type: ClusterSetIP + ports: + - port: 443 + protocol: TCP \ No newline at end of file diff --git a/files/examples/tls-rate2-targetgrouppolicy.yaml b/files/examples/tls-rate2-targetgrouppolicy.yaml new file mode 100644 index 00000000..72338ce9 --- /dev/null +++ b/files/examples/tls-rate2-targetgrouppolicy.yaml 
@@ -0,0 +1,12 @@ +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: TargetGroupPolicy +metadata: + name: tls-rate2 +spec: + targetRef: + group: "application-networking.k8s.aws" + kind: ServiceExport + name: tls-rate2 + protocol: TCP + healthCheck: + enabled: false \ No newline at end of file diff --git a/files/examples/tls-rate2.yaml b/files/examples/tls-rate2.yaml new file mode 100644 index 00000000..c41dffa9 --- /dev/null +++ b/files/examples/tls-rate2.yaml @@ -0,0 +1,36 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tls-rate2 + labels: + app: tls-rate2 +spec: + replicas: 2 + selector: + matchLabels: + app: tls-rate2 + template: + metadata: + labels: + app: tls-rate2 + spec: + containers: + - name: tls-rate2 + image: public.ecr.aws/x2j8p8w7/https-server:latest + env: + - name: PodName + value: "tls-rate2 handler pod" + + +--- +apiVersion: v1 +kind: Service +metadata: + name: tls-rate2 +spec: + selector: + app: tls-rate2 + ports: + - protocol: TCP + port: 443 + targetPort: 443 \ No newline at end of file diff --git a/files/examples/tlsroute-nginx.yaml b/files/examples/tlsroute-nginx.yaml new file mode 100644 index 00000000..ff63874f --- /dev/null +++ b/files/examples/tlsroute-nginx.yaml @@ -0,0 +1,15 @@ +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: nginx-tls-route +spec: + hostnames: + - nginx-test.my-test.com + parentRefs: + - name: my-hotel-tls-passthrough + sectionName: tls + rules: + - backendRefs: + - name: nginx-tls + kind: Service + port: 443 \ No newline at end of file diff --git a/helm/crds/gateway.networking.k8s.io_tlsroutes.yaml b/helm/crds/gateway.networking.k8s.io_tlsroutes.yaml new file mode 100644 index 00000000..781db047 --- /dev/null +++ b/helm/crds/gateway.networking.k8s.io_tlsroutes.yaml 
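Review bot: `healthCheck: enabled: false` at the end of this TargetGroupPolicy is not explained, and the guide's snippet of the same policy (step 3 of the multi-cluster section in `docs/guides/tls-passthrough.md`) omits those two lines, so readers who copy from the guide and readers who apply this file get different target groups. Disabling health checks presumably means VPC Lattice keeps routing to `tls-rate2` targets regardless of their state — confirm, and if that is intentional for the example, say so in the manifest, e.g. `# Health checks are disabled in this example: <reason placeholder>`, and mirror the two lines in the guide snippet. The commit's `target-group-policy.md` also states the policy does not take effect when `ProtocolVersion` is non-empty with `protocol: TCP`; this file correctly leaves it unset, which is worth a short comment since the guide snippet does not mention that constraint.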
@@ -0,0 +1,894 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.2.0-dev + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. 
+ properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. 
A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. 
In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. 
+ + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + + Implementations MAY choose to support other parent resources. 
+ Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. 
If unspecified or invalid (refers to a non-existent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. 
See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. 
+ For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. 
Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. 
For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. 
+ To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. 
+ + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. 
When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 59a9bed1..ae45612a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -16,9 +16,10 @@ nav:
 - Getting Started: guides/getstarted.md
 - Cross-Account Sharing: guides/ram-sharing.md
 - Advanced Configurations: guides/advanced-configurations.md
- - TLS: guides/https.md
+ - HTTPS: guides/https.md
 - Custom Domain Name: guides/custom-domain-name.md
 - GRPC: guides/grpc.md
+ - TLS Passthrough: guides/tls-passthrough.md
 - Pod Readiness Gates: guides/pod-readiness-gates.md
 - Configuration: guides/environment.md
 - API Specification: api-reference.md
diff --git a/mocks/controller-runtime/client/gomock_reflect_318529362/prog.go b/mocks/controller-runtime/client/gomock_reflect_318529362/prog.go
deleted file mode 100644
index a780b9eb..00000000
--- a/mocks/controller-runtime/client/gomock_reflect_318529362/prog.go
+++ /dev/null
@@ -1,64 +0,0 @@ -package main - -import ( - "encoding/gob" - "flag" - "fmt" - "os" - "path" - "reflect" - - "github.com/golang/mock/mockgen/model" - - pkg_ "sigs.k8s.io/controller-runtime/pkg/client" -) - -var output = flag.String("output", "", "The output file name, or empty to use stdout.") - -func main() { - flag.Parse() - - its := []struct { - sym string - typ reflect.Type - }{ - - {"Client", reflect.TypeOf((*pkg_.Client)(nil)).Elem()}, - } - pkg := &model.Package{ - // NOTE: This behaves contrary to documented behaviour if the - // package name is not the final component of the import path. - // The reflect package doesn't expose the package name, though. - Name: path.Base("sigs.k8s.io/controller-runtime/pkg/client"), - } - - for _, it := range its { - intf, err := model.InterfaceFromInterfaceType(it.typ) - if err != nil { - fmt.Fprintf(os.Stderr, "Reflection: %v\n", err) - os.Exit(1) - } - intf.Name = it.sym - pkg.Interfaces = append(pkg.Interfaces, intf) - } - - outfile := os.Stdout - if len(*output) != 0 { - var err error - outfile, err = os.Create(*output) - if err != nil { - fmt.Fprintf(os.Stderr, "failed to open output file %q", *output) - } - defer func() { - if err := outfile.Close(); err != nil { - fmt.Fprintf(os.Stderr, "failed to close output file %q", *output) - os.Exit(1) - } - }() - } - - if err := gob.NewEncoder(outfile).Encode(pkg); err != nil { - fmt.Fprintf(os.Stderr, "gob encode: %v\n", err) - os.Exit(1) - } -}