Add BackendTLSPolicy implementation and make generate
Signed-off-by: Nick Young <nick@isovalent.com>
Showing
17 changed files
with
1,409 additions
and
2 deletions.
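--- /dev/null
+++ b/<PATH not shown on page>
@@ -0,0 +1,157 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+// +kubebuilder:resource:categories=gateway-api,shortName=btlspolicy
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// BackendTLSPolicy provides a way to publish TLS configuration
+// that enables a gateway client to connect to a backend pod.
+type BackendTLSPolicy struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata,omitempty"`
+
+// Spec defines the desired state of BackendTLSPolicy.
+Spec BackendTLSPolicySpec `json:"spec"`
+
+// Status defines the current state of BackendTLSPolicy.
+Status PolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// BackendTLSPolicyList contains a list of TCPRoute
+type BackendTLSPolicyList struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ListMeta `json:"metadata,omitempty"`
+Items []BackendTLSPolicy `json:"items"`
+}
+
+// BackendTLSPolicySpec defines the desired state of
+// BackendTLSPolicy.
+// Note: there is no Override or Default policy configuration.
+//
+// Support: Extended
+type BackendTLSPolicySpec struct {
+// TargetRef identifies an API object to apply policy to.
+// Services are the only valid API target references.
+// Note that this config applies to the entire referenced resource
+// by default, but this default may change in the future to provide
+// a more granular application of the policy.
+TargetRef PolicyTargetReference `json:"targetRef"`
+
+// TLS contains backend TLS policy configuration.
+TLS *BackendTLSPolicyConfig `json:"tls"`
+}
+
+// BackendTLSPolicyConfig contains backend TLS policy configuration.
+// +kubebuilder:validation:XValidation:message="must not contain both CertRefs and StandardCerts",rule="(has(self.certRefs) && size(self.certRefs > 0) && has(self.standardCerts) && self.standardCerts != '')"
+// +kubebuilder:validation:XValidation:message="must specify either CertRefs or StandardCerts",rule="!(has(self.certRefs) && size(self.certRefs > 0) || has(self.standardCerts) && self.standardCerts != '')"
+type BackendTLSPolicyConfig struct {
+// CertRefs contains one or more references to
+// Kubernetes objects that contain PEM-encoded TLS certificates,
+// which are used to establish a TLS handshake between the gateway
+// and backend pod.
+//
+// If CertRefs is empty or unspecified, then StandardCerts must
+// be specified. Only one of CertRefs or StandardCerts may be
+// specified, not both.
+//
+// If CertRefs is empty or unspecified, then system trusted
+// certificates should be used. If there are none, or the
+// implementation doesn't define system trusted certificates,
+// then a TLS connection must fail.
+//
+// References to a resource in a different namespace are
+// invalid.
+//
+// A single CertRef to a Kubernetes ConfigMap kind has "Core"
+// support. Implementations MAY choose to support attaching
+// multiple certificates to a backend, but this behavior is
+// implementation-specific. Also implementation-specific is
+// a CertRef of other object kinds, e.g. Secret.
+//
+// Support: Core - An optional single reference to a Kubernetes
+// ConfigMap.
+//
+// Support: Implementation-specific (No reference, more than one
+// reference, or resource types other than ConfigMaps.
+// Service mesh may ignore.)
+//
+// +kubebuilder:validation:MaxItems=8
+// +optional
+CertRefs []v1beta1.ConfigMapObjectReference `json:"certRefs,omitempty"`
+
+// StandardCerts specifies whether system CA certificates may
+// be used in the TLS handshake between the gateway and
+// backend pod.
+//
+// If StandardCerts is unspecified or set to "", then CertRefs must
+// be specified with at least one entry for a valid configuration.
+// If StandardCerts is unspecified or set to "", then CertRefs must
+// be specified. Only one of CertRefs or StandardCerts may be
+// specified, not both.
+//
+// StandardCerts must be set to "System" when CertRefs is unspecified.
+//
+// If StandardCerts is set to "System", then the system trusted
+// certificates should be used. If there are none, or the
+// implementation doesn't define system trusted certificates,
+// then a TLS connection must fail.
+//
+// Support: Core - An optional value to specify whether to use
+// system certificates or not.
+//
+// Support: Implementation-specific (In the absence of support
+// for usable system certs, may be ignored. Service mesh may ignore.)
+//
+// +optional
+StandardCerts *StandardCertType `json:"standardCerts,omitempty"`
+
+// Hostname is the Server Name Indication that the Gateway uses to
+// connect to the backend. It represents the fully qualified domain
+// name of a network host, as defined by RFC1123 - except that numeric
+// IP addresses are not allowed. Each label of the FQDN must consist
+// of lower case alphanumeric characters or '-', and must start and
+// end with an alphanumeric character. No other punctuation is allowed.
+// Wildcard domain names are specifically disallowed.
+//
+// It specifies the hostname that may authenticate, and must be in the
+// certificate served by the matching backend.
+//
+// Support: Core - A required value used by the Gateway to connect to
+// the backend when a BackendTLSPolicy is specified.
+Hostname v1beta1.PreciseHostname `json:"hostname"`
+}
+
+// StandardCertType is the type of CA certificate that will be used when
+// the TLS.certRefs is unspecified.
+// +kubebuilder:validation:Enum=System
+type StandardCertType string
+
+const (
+StandardCertSystem StandardCertType = "System"
+)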
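Review bot: The two `+kubebuilder:validation:XValidation` markers on BackendTLSPolicyConfig do not enforce the contract the field comments describe: `size(self.certRefs > 0)` places the comparison inside `size()`, which compares a list with an int and should fail CEL type-checking, and even with the parenthesis moved both rules are inverted — a rule must evaluate true for a valid object, yet the first is true only when both fields are set and the second only when neither is. The practical effect is that the "exactly one of CertRefs or StandardCerts" invariant would never be enforced at admission, and that invariant is what decides which trust anchors the gateway uses to authenticate the backend. The markers should read `rule="!(has(self.certRefs) && size(self.certRefs) > 0 && has(self.standardCerts) && self.standardCerts != '')"` and `rule="(has(self.certRefs) && size(self.certRefs) > 0) || (has(self.standardCerts) && self.standardCerts != '')"`. Separately, the BackendTLSPolicyList comment says it contains a list of TCPRoute, and the CertRefs comment both requires StandardCerts and says system trusted certificates should be used when CertRefs is empty — those two paragraphs contradict each other and should be reconciled with the StandardCerts text, which also repeats its "unspecified or set to ''" sentence twice.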