diff --git a/apis/applyconfiguration/apis/v1alpha2/backendtlspolicyconfig.go b/apis/applyconfiguration/apis/v1alpha2/backendtlspolicyconfig.go deleted file mode 100644 index 8743f69655..0000000000 --- a/apis/applyconfiguration/apis/v1alpha2/backendtlspolicyconfig.go +++ /dev/null 
@@ -1,68 +0,0 @@ -/* -Copyright The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1alpha2 - -import ( - v1 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1" - apisv1 "sigs.k8s.io/gateway-api/apis/v1" - v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" -) - -// BackendTLSPolicyConfigApplyConfiguration represents an declarative configuration of the BackendTLSPolicyConfig type for use -// with apply. -type BackendTLSPolicyConfigApplyConfiguration struct { - CACertRefs []v1.LocalObjectReferenceApplyConfiguration `json:"caCertRefs,omitempty"` - WellKnownCACerts *v1alpha2.WellKnownCACertType `json:"wellKnownCACerts,omitempty"` - Hostname *apisv1.PreciseHostname `json:"hostname,omitempty"` -} - -// BackendTLSPolicyConfigApplyConfiguration constructs an declarative configuration of the BackendTLSPolicyConfig type for use with -// apply. -func BackendTLSPolicyConfig() *BackendTLSPolicyConfigApplyConfiguration { - return &BackendTLSPolicyConfigApplyConfiguration{} -} - -// WithCACertRefs adds the given value to the CACertRefs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the CACertRefs field. 
-func (b *BackendTLSPolicyConfigApplyConfiguration) WithCACertRefs(values ...*v1.LocalObjectReferenceApplyConfiguration) *BackendTLSPolicyConfigApplyConfiguration { - for i := range values { - if values[i] == nil { - panic("nil value passed to WithCACertRefs") - } - b.CACertRefs = append(b.CACertRefs, *values[i]) - } - return b -} - -// WithWellKnownCACerts sets the WellKnownCACerts field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the WellKnownCACerts field is set to the value of the last call. -func (b *BackendTLSPolicyConfigApplyConfiguration) WithWellKnownCACerts(value v1alpha2.WellKnownCACertType) *BackendTLSPolicyConfigApplyConfiguration { - b.WellKnownCACerts = &value - return b -} - -// WithHostname sets the Hostname field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Hostname field is set to the value of the last call. -func (b *BackendTLSPolicyConfigApplyConfiguration) WithHostname(value apisv1.PreciseHostname) *BackendTLSPolicyConfigApplyConfiguration { - b.Hostname = &value - return b -} diff --git a/apis/applyconfiguration/apis/v1alpha2/backendtlspolicyspec.go b/apis/applyconfiguration/apis/v1alpha2/backendtlspolicyspec.go deleted file mode 100644 index ecea72e39b..0000000000 --- a/apis/applyconfiguration/apis/v1alpha2/backendtlspolicyspec.go +++ /dev/null 
@@ -1,48 +0,0 @@ -/* -Copyright The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1alpha2 - -// BackendTLSPolicySpecApplyConfiguration represents an declarative configuration of the BackendTLSPolicySpec type for use -// with apply. -type BackendTLSPolicySpecApplyConfiguration struct { - TargetRef *LocalPolicyTargetReferenceWithSectionNameApplyConfiguration `json:"targetRef,omitempty"` - TLS *BackendTLSPolicyConfigApplyConfiguration `json:"tls,omitempty"` -} - -// BackendTLSPolicySpecApplyConfiguration constructs an declarative configuration of the BackendTLSPolicySpec type for use with -// apply. -func BackendTLSPolicySpec() *BackendTLSPolicySpecApplyConfiguration { - return &BackendTLSPolicySpecApplyConfiguration{} -} - -// WithTargetRef sets the TargetRef field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the TargetRef field is set to the value of the last call. -func (b *BackendTLSPolicySpecApplyConfiguration) WithTargetRef(value *LocalPolicyTargetReferenceWithSectionNameApplyConfiguration) *BackendTLSPolicySpecApplyConfiguration { - b.TargetRef = value - return b -} - -// WithTLS sets the TLS field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
-// If called multiple times, the TLS field is set to the value of the last call. -func (b *BackendTLSPolicySpecApplyConfiguration) WithTLS(value *BackendTLSPolicyConfigApplyConfiguration) *BackendTLSPolicySpecApplyConfiguration { - b.TLS = value - return b -} diff --git a/apis/applyconfiguration/apis/v1alpha2/backendtlspolicy.go b/apis/applyconfiguration/apis/v1alpha3/backendtlspolicy.go similarity index 93% rename from apis/applyconfiguration/apis/v1alpha2/backendtlspolicy.go rename to apis/applyconfiguration/apis/v1alpha3/backendtlspolicy.go index 54cde34197..9ba8b1f046 100644 --- a/apis/applyconfiguration/apis/v1alpha2/backendtlspolicy.go +++ b/apis/applyconfiguration/apis/v1alpha3/backendtlspolicy.go @@ -16,15 +16,16 @@ limitations under the License. // Code generated by applyconfiguration-gen. DO NOT EDIT. -package v1alpha2 +package v1alpha3 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" managedfields "k8s.io/apimachinery/pkg/util/managedfields" v1 "k8s.io/client-go/applyconfigurations/meta/v1" + v1alpha2 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1alpha2" internal "sigs.k8s.io/gateway-api/apis/applyconfiguration/internal" - apisv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + apisv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" ) // BackendTLSPolicyApplyConfiguration represents an declarative configuration of the BackendTLSPolicy type for use 
@@ -32,8 +33,8 @@ import ( type BackendTLSPolicyApplyConfiguration struct { v1.TypeMetaApplyConfiguration `json:",inline"` *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` - Spec *BackendTLSPolicySpecApplyConfiguration `json:"spec,omitempty"` - Status *PolicyStatusApplyConfiguration `json:"status,omitempty"` + Spec *BackendTLSPolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *v1alpha2.PolicyStatusApplyConfiguration `json:"status,omitempty"` } // BackendTLSPolicy constructs an declarative configuration of the BackendTLSPolicy type for use with @@ -43,7 +44,7 @@ func BackendTLSPolicy(name, namespace string) *BackendTLSPolicyApplyConfiguratio b.WithName(name) b.WithNamespace(namespace) b.WithKind("BackendTLSPolicy") - b.WithAPIVersion("gateway.networking.k8s.io/v1alpha2") + b.WithAPIVersion("gateway.networking.k8s.io/v1alpha3") return b } 
@@ -58,20 +59,20 @@ func BackendTLSPolicy(name, namespace string) *BackendTLSPolicyApplyConfiguratio // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously // applied if another fieldManager has updated or force applied any of the previously applied fields. // Experimental! -func ExtractBackendTLSPolicy(backendTLSPolicy *apisv1alpha2.BackendTLSPolicy, fieldManager string) (*BackendTLSPolicyApplyConfiguration, error) { +func ExtractBackendTLSPolicy(backendTLSPolicy *apisv1alpha3.BackendTLSPolicy, fieldManager string) (*BackendTLSPolicyApplyConfiguration, error) { return extractBackendTLSPolicy(backendTLSPolicy, fieldManager, "") } // ExtractBackendTLSPolicyStatus is the same as ExtractBackendTLSPolicy except // that it extracts the status subresource applied configuration. // Experimental! -func ExtractBackendTLSPolicyStatus(backendTLSPolicy *apisv1alpha2.BackendTLSPolicy, fieldManager string) (*BackendTLSPolicyApplyConfiguration, error) { +func ExtractBackendTLSPolicyStatus(backendTLSPolicy *apisv1alpha3.BackendTLSPolicy, fieldManager string) (*BackendTLSPolicyApplyConfiguration, error) { return extractBackendTLSPolicy(backendTLSPolicy, fieldManager, "status") } -func extractBackendTLSPolicy(backendTLSPolicy *apisv1alpha2.BackendTLSPolicy, fieldManager string, subresource string) (*BackendTLSPolicyApplyConfiguration, error) { +func extractBackendTLSPolicy(backendTLSPolicy *apisv1alpha3.BackendTLSPolicy, fieldManager string, subresource string) (*BackendTLSPolicyApplyConfiguration, error) { b := &BackendTLSPolicyApplyConfiguration{} - err := managedfields.ExtractInto(backendTLSPolicy, internal.Parser().Type("io.k8s.sigs.gateway-api.apis.v1alpha2.BackendTLSPolicy"), fieldManager, b, subresource) + err := managedfields.ExtractInto(backendTLSPolicy, internal.Parser().Type("io.k8s.sigs.gateway-api.apis.v1alpha3.BackendTLSPolicy"), fieldManager, b, subresource) if err != nil { return nil, err } 
@@ -79,7 +80,7 @@ func extractBackendTLSPolicy(backendTLSPolicy *apisv1alpha2.BackendTLSPolicy, fi b.WithNamespace(backendTLSPolicy.Namespace) b.WithKind("BackendTLSPolicy") - b.WithAPIVersion("gateway.networking.k8s.io/v1alpha2") + b.WithAPIVersion("gateway.networking.k8s.io/v1alpha3") return b, nil } @@ -252,7 +253,7 @@ func (b *BackendTLSPolicyApplyConfiguration) WithSpec(value *BackendTLSPolicySpe // WithStatus sets the Status field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Status field is set to the value of the last call. -func (b *BackendTLSPolicyApplyConfiguration) WithStatus(value *PolicyStatusApplyConfiguration) *BackendTLSPolicyApplyConfiguration { +func (b *BackendTLSPolicyApplyConfiguration) WithStatus(value *v1alpha2.PolicyStatusApplyConfiguration) *BackendTLSPolicyApplyConfiguration { b.Status = value return b } diff --git a/apis/applyconfiguration/apis/v1alpha3/backendtlspolicyspec.go b/apis/applyconfiguration/apis/v1alpha3/backendtlspolicyspec.go new file mode 100644 index 0000000000..16b16a8cbc --- /dev/null +++ b/apis/applyconfiguration/apis/v1alpha3/backendtlspolicyspec.go 
@@ -0,0 +1,57 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + v1alpha2 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1alpha2" +) + +// BackendTLSPolicySpecApplyConfiguration represents an declarative configuration of the BackendTLSPolicySpec type for use +// with apply. +type BackendTLSPolicySpecApplyConfiguration struct { + TargetRefs []v1alpha2.LocalPolicyTargetReferenceWithSectionNameApplyConfiguration `json:"targetRefs,omitempty"` + Validation *BackendTLSPolicyValidationApplyConfiguration `json:"validation,omitempty"` +} + +// BackendTLSPolicySpecApplyConfiguration constructs an declarative configuration of the BackendTLSPolicySpec type for use with +// apply. +func BackendTLSPolicySpec() *BackendTLSPolicySpecApplyConfiguration { + return &BackendTLSPolicySpecApplyConfiguration{} +} + +// WithTargetRefs adds the given value to the TargetRefs field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the TargetRefs field. 
+func (b *BackendTLSPolicySpecApplyConfiguration) WithTargetRefs(values ...*v1alpha2.LocalPolicyTargetReferenceWithSectionNameApplyConfiguration) *BackendTLSPolicySpecApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithTargetRefs") + } + b.TargetRefs = append(b.TargetRefs, *values[i]) + } + return b +} + +// WithValidation sets the Validation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Validation field is set to the value of the last call. +func (b *BackendTLSPolicySpecApplyConfiguration) WithValidation(value *BackendTLSPolicyValidationApplyConfiguration) *BackendTLSPolicySpecApplyConfiguration { + b.Validation = value + return b +} diff --git a/apis/applyconfiguration/apis/v1alpha3/backendtlspolicyvalidation.go b/apis/applyconfiguration/apis/v1alpha3/backendtlspolicyvalidation.go new file mode 100644 index 0000000000..952c5926b6 --- /dev/null +++ b/apis/applyconfiguration/apis/v1alpha3/backendtlspolicyvalidation.go 
@@ -0,0 +1,68 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + v1 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1" + apisv1 "sigs.k8s.io/gateway-api/apis/v1" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" +) + +// BackendTLSPolicyValidationApplyConfiguration represents an declarative configuration of the BackendTLSPolicyValidation type for use +// with apply. +type BackendTLSPolicyValidationApplyConfiguration struct { + CACertificateRefs []v1.LocalObjectReferenceApplyConfiguration `json:"caCertificateRefs,omitempty"` + WellKnownCACertificates *v1alpha3.WellKnownCACertificatesType `json:"wellKnownCACertificates,omitempty"` + Hostname *apisv1.PreciseHostname `json:"hostname,omitempty"` +} + +// BackendTLSPolicyValidationApplyConfiguration constructs an declarative configuration of the BackendTLSPolicyValidation type for use with +// apply. +func BackendTLSPolicyValidation() *BackendTLSPolicyValidationApplyConfiguration { + return &BackendTLSPolicyValidationApplyConfiguration{} +} + +// WithCACertificateRefs adds the given value to the CACertificateRefs field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the CACertificateRefs field. 
+func (b *BackendTLSPolicyValidationApplyConfiguration) WithCACertificateRefs(values ...*v1.LocalObjectReferenceApplyConfiguration) *BackendTLSPolicyValidationApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithCACertificateRefs") + } + b.CACertificateRefs = append(b.CACertificateRefs, *values[i]) + } + return b +} + +// WithWellKnownCACertificates sets the WellKnownCACertificates field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the WellKnownCACertificates field is set to the value of the last call. +func (b *BackendTLSPolicyValidationApplyConfiguration) WithWellKnownCACertificates(value v1alpha3.WellKnownCACertificatesType) *BackendTLSPolicyValidationApplyConfiguration { + b.WellKnownCACertificates = &value + return b +} + +// WithHostname sets the Hostname field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Hostname field is set to the value of the last call. +func (b *BackendTLSPolicyValidationApplyConfiguration) WithHostname(value apisv1.PreciseHostname) *BackendTLSPolicyValidationApplyConfiguration { + b.Hostname = &value + return b +} diff --git a/apis/applyconfiguration/internal/internal.go b/apis/applyconfiguration/internal/internal.go index 1d762106a5..b89ab0d41f 100644 --- a/apis/applyconfiguration/internal/internal.go +++ b/apis/applyconfiguration/internal/internal.go 
@@ -1094,54 +1094,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: namespace type: scalar: string -- name: io.k8s.sigs.gateway-api.apis.v1alpha2.BackendTLSPolicy - map: - fields: - - name: apiVersion - type: - scalar: string - - name: kind - type: - scalar: string - - name: metadata - type: - namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta - default: {} - - name: spec - type: - namedType: io.k8s.sigs.gateway-api.apis.v1alpha2.BackendTLSPolicySpec - default: {} - - name: status - type: - namedType: io.k8s.sigs.gateway-api.apis.v1alpha2.PolicyStatus - default: {} -- name: io.k8s.sigs.gateway-api.apis.v1alpha2.BackendTLSPolicyConfig - map: - fields: - - name: caCertRefs - type: - list: - elementType: - namedType: io.k8s.sigs.gateway-api.apis.v1.LocalObjectReference - elementRelationship: atomic - - name: hostname - type: - scalar: string - default: "" - - name: wellKnownCACerts - type: - scalar: string -- name: io.k8s.sigs.gateway-api.apis.v1alpha2.BackendTLSPolicySpec - map: - fields: - - name: targetRef - type: - namedType: io.k8s.sigs.gateway-api.apis.v1alpha2.LocalPolicyTargetReferenceWithSectionName - default: {} - - name: tls - type: - namedType: io.k8s.sigs.gateway-api.apis.v1alpha2.BackendTLSPolicyConfig - default: {} - name: io.k8s.sigs.gateway-api.apis.v1alpha2.GRPCRoute map: fields: 
@@ -1394,6 +1346,56 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: io.k8s.sigs.gateway-api.apis.v1.RouteParentStatus elementRelationship: atomic +- name: io.k8s.sigs.gateway-api.apis.v1alpha3.BackendTLSPolicy + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: io.k8s.sigs.gateway-api.apis.v1alpha3.BackendTLSPolicySpec + default: {} + - name: status + type: + namedType: io.k8s.sigs.gateway-api.apis.v1alpha2.PolicyStatus + default: {} +- name: io.k8s.sigs.gateway-api.apis.v1alpha3.BackendTLSPolicySpec + map: + fields: + - name: targetRefs + type: + list: + elementType: + namedType: io.k8s.sigs.gateway-api.apis.v1alpha2.LocalPolicyTargetReferenceWithSectionName + elementRelationship: atomic + - name: validation + type: + namedType: io.k8s.sigs.gateway-api.apis.v1alpha3.BackendTLSPolicyValidation + default: {} +- name: io.k8s.sigs.gateway-api.apis.v1alpha3.BackendTLSPolicyValidation + map: + fields: + - name: caCertificateRefs + type: + list: + elementType: + namedType: io.k8s.sigs.gateway-api.apis.v1.LocalObjectReference + elementRelationship: atomic + - name: hostname + type: + scalar: string + default: "" + - name: wellKnownCACertificates + type: + scalar: string - name: io.k8s.sigs.gateway-api.apis.v1beta1.Gateway map: fields: diff --git a/apis/applyconfiguration/utils.go b/apis/applyconfiguration/utils.go index 4c3b03e46d..7b94fe8168 100644 --- a/apis/applyconfiguration/utils.go +++ b/apis/applyconfiguration/utils.go 
@@ -22,9 +22,11 @@ import ( schema "k8s.io/apimachinery/pkg/runtime/schema" apisv1 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1" apisv1alpha2 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1alpha2" + apisv1alpha3 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1alpha3" apisv1beta1 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1beta1" v1 "sigs.k8s.io/gateway-api/apis/v1" v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) @@ -141,12 +143,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &apisv1.SecretObjectReferenceApplyConfiguration{} // Group=gateway.networking.k8s.io, Version=v1alpha2 - case v1alpha2.SchemeGroupVersion.WithKind("BackendTLSPolicy"): - return &apisv1alpha2.BackendTLSPolicyApplyConfiguration{} - case v1alpha2.SchemeGroupVersion.WithKind("BackendTLSPolicyConfig"): - return &apisv1alpha2.BackendTLSPolicyConfigApplyConfiguration{} - case v1alpha2.SchemeGroupVersion.WithKind("BackendTLSPolicySpec"): - return &apisv1alpha2.BackendTLSPolicySpecApplyConfiguration{} case v1alpha2.SchemeGroupVersion.WithKind("GRPCRoute"): return &apisv1alpha2.GRPCRouteApplyConfiguration{} case v1alpha2.SchemeGroupVersion.WithKind("LocalPolicyTargetReference"): 
@@ -184,6 +180,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} { case v1alpha2.SchemeGroupVersion.WithKind("UDPRouteStatus"): return &apisv1alpha2.UDPRouteStatusApplyConfiguration{} + // Group=gateway.networking.k8s.io, Version=v1alpha3 + case v1alpha3.SchemeGroupVersion.WithKind("BackendTLSPolicy"): + return &apisv1alpha3.BackendTLSPolicyApplyConfiguration{} + case v1alpha3.SchemeGroupVersion.WithKind("BackendTLSPolicySpec"): + return &apisv1alpha3.BackendTLSPolicySpecApplyConfiguration{} + case v1alpha3.SchemeGroupVersion.WithKind("BackendTLSPolicyValidation"): + return &apisv1alpha3.BackendTLSPolicyValidationApplyConfiguration{} + // Group=gateway.networking.k8s.io, Version=v1beta1 case v1beta1.SchemeGroupVersion.WithKind("Gateway"): return &apisv1beta1.GatewayApplyConfiguration{} diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go index 20b3cdb942..7bc87e9568 100644 --- a/apis/v1alpha2/zz_generated.deepcopy.go +++ b/apis/v1alpha2/zz_generated.deepcopy.go 
@@ -26,107 +26,6 @@ import ( "sigs.k8s.io/gateway-api/apis/v1" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BackendTLSPolicy) DeepCopyInto(out *BackendTLSPolicy) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicy. -func (in *BackendTLSPolicy) DeepCopy() *BackendTLSPolicy { - if in == nil { - return nil - } - out := new(BackendTLSPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *BackendTLSPolicy) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BackendTLSPolicyConfig) DeepCopyInto(out *BackendTLSPolicyConfig) { - *out = *in - if in.CACertRefs != nil { - in, out := &in.CACertRefs, &out.CACertRefs - *out = make([]v1.LocalObjectReference, len(*in)) - copy(*out, *in) - } - if in.WellKnownCACerts != nil { - in, out := &in.WellKnownCACerts, &out.WellKnownCACerts - *out = new(WellKnownCACertType) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicyConfig. -func (in *BackendTLSPolicyConfig) DeepCopy() *BackendTLSPolicyConfig { - if in == nil { - return nil - } - out := new(BackendTLSPolicyConfig) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *BackendTLSPolicyList) DeepCopyInto(out *BackendTLSPolicyList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]BackendTLSPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicyList. -func (in *BackendTLSPolicyList) DeepCopy() *BackendTLSPolicyList { - if in == nil { - return nil - } - out := new(BackendTLSPolicyList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *BackendTLSPolicyList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BackendTLSPolicySpec) DeepCopyInto(out *BackendTLSPolicySpec) { - *out = *in - in.TargetRef.DeepCopyInto(&out.TargetRef) - in.TLS.DeepCopyInto(&out.TLS) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicySpec. -func (in *BackendTLSPolicySpec) DeepCopy() *BackendTLSPolicySpec { - if in == nil { - return nil - } - out := new(BackendTLSPolicySpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GRPCRoute) DeepCopyInto(out *GRPCRoute) { *out = *in diff --git a/apis/v1alpha2/zz_generated.register.go b/apis/v1alpha2/zz_generated.register.go index 58a8ab6682..0cc50c40cb 100644 --- a/apis/v1alpha2/zz_generated.register.go +++ b/apis/v1alpha2/zz_generated.register.go 
@@ -58,8 +58,6 @@ func init() { // Adds the list of known types to Scheme. func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, - &BackendTLSPolicy{}, - &BackendTLSPolicyList{}, &GRPCRoute{}, &GRPCRouteList{}, &ReferenceGrant{}, diff --git a/apis/v1alpha2/backendtlspolicy_types.go b/apis/v1alpha3/backendtlspolicy_types.go similarity index 60% rename from apis/v1alpha2/backendtlspolicy_types.go rename to apis/v1alpha3/backendtlspolicy_types.go index db539ae59d..4c6257354f 100644 --- a/apis/v1alpha2/backendtlspolicy_types.go +++ b/apis/v1alpha3/backendtlspolicy_types.go @@ -14,12 +14,12 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1alpha2 +package v1alpha3 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "sigs.k8s.io/gateway-api/apis/v1beta1" + "sigs.k8s.io/gateway-api/apis/v1" + "sigs.k8s.io/gateway-api/apis/v1alpha2" ) // +genclient @@ -42,11 +42,11 @@ type BackendTLSPolicy struct { Spec BackendTLSPolicySpec `json:"spec"` // Status defines the current state of BackendTLSPolicy. - Status PolicyStatus `json:"status,omitempty"` + Status v1alpha2.PolicyStatus `json:"status,omitempty"` } -// +kubebuilder:object:root=true // BackendTLSPolicyList contains a list of BackendTLSPolicies +// +kubebuilder:object:root=true type BackendTLSPolicyList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` @@ -57,7 +57,7 @@ type BackendTLSPolicyList struct { // // Support: Extended type BackendTLSPolicySpec struct { - // TargetRef identifies an API object to apply the policy to. + // TargetRefs identifies an API object to apply the policy to. // Only Services have Extended support. Implementations MAY support // additional objects, with Implementation Specific support. // Note that this config applies to the entire referenced resource 
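Review bot: The doc comments in apis/v1alpha3/backendtlspolicy_types.go were not fully updated for the renamed fields, and these comments presumably end up in the generated CRD descriptions that users read. In the `@@ -57,7 +57,7 @@` hunk the field is now a list but the comment is still singular; I would write `// TargetRefs identifies the API objects to apply the policy to.`. The `@@ -68,30 +68,31 @@` hunk misspells the field as `CACertifcateRefs` (it should be `CACertificateRefs`). The `@@ -128,15 +129,15 @@` hunk keeps the context line `// the TLS.caCertRefs is unspecified.`, which names a field that no longer exists in this version; `// the Validation.CACertificateRefs field is unspecified.` would match the new struct. The struct bodies these comments belong to continue outside the hunks.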
@@ -68,30 +68,31 @@ type BackendTLSPolicySpec struct { // // Support: Implementation-specific for any other resource // - TargetRef LocalPolicyTargetReferenceWithSectionName `json:"targetRef"` + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + TargetRefs []v1alpha2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"` - // TLS contains backend TLS policy configuration. - TLS BackendTLSPolicyConfig `json:"tls"` + // Validation contains backend TLS validation configuration. + Validation BackendTLSPolicyValidation `json:"validation"` } -// BackendTLSPolicyConfig contains backend TLS policy configuration. -// +kubebuilder:validation:XValidation:message="must not contain both CACertRefs and WellKnownCACerts",rule="!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts) && self.wellKnownCACerts != \"\")" -// +kubebuilder:validation:XValidation:message="must specify either CACertRefs or WellKnownCACerts",rule="(has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts) && self.wellKnownCACerts != \"\")" -type BackendTLSPolicyConfig struct { - // CACertRefs contains one or more references to Kubernetes objects that +// BackendTLSPolicyValidation contains backend TLS validation configuration. 
+// +kubebuilder:validation:XValidation:message="must not contain both CACertificateRefs and WellKnownCACertificates",rule="!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")" +// +kubebuilder:validation:XValidation:message="must specify either CACertificateRefs or WellKnownCACertificates",rule="(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")" +type BackendTLSPolicyValidation struct { + // CACertificateRefs contains one or more references to Kubernetes objects that // contain a PEM-encoded TLS CA certificate bundle, which is used to // validate a TLS handshake between the Gateway and backend Pod. // - // If CACertRefs is empty or unspecified, then WellKnownCACerts must be - // specified. Only one of CACertRefs or WellKnownCACerts may be specified, - // not both. If CACertRefs is empty or unspecified, the configuration for - // WellKnownCACerts MUST be honored instead if supported by the - // implementation. + // If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be + // specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, + // not both. If CACertifcateRefs is empty or unspecified, the configuration for + // WellKnownCACertificates MUST be honored instead if supported by the implementation. // // References to a resource in a different namespace are invalid for the // moment, although we will revisit this in the future. // - // A single CACertRef to a Kubernetes ConfigMap kind has "Core" support. + // A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. // Implementations MAY choose to support attaching multiple certificates to // a backend, but this behavior is implementation-specific. // 
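Review bot: `TargetRefs` is bounded with `MinItems=1` and `MaxItems=16`, but nothing visible in this hunk rejects two entries that name the same target, so a single policy can list the same Service (and section) twice and each implementation decides how that shows up in status. If duplicates are not meant to be valid, a list-level rule next to the size markers would make that explicit, for example `// +kubebuilder:validation:XValidation:message="targetRefs entries must be unique",rule="self.all(a, self.exists_one(b, a.group == b.group && a.kind == b.kind && a.name == b.name && has(a.sectionName) == has(b.sectionName) && (!has(a.sectionName) || a.sectionName == b.sectionName)))"`. The field names in that rule are assumed from `LocalPolicyTargetReferenceWithSectionName`, which is defined outside this diff, so they need checking against the type. If duplicates are intentionally allowed, a sentence in the `TargetRefs` comment saying so would be enough. The `BackendTLSPolicyValidation` struct that starts in this hunk continues past its end.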
@@ -103,22 +104,22 @@ type BackendTLSPolicyConfig struct { // // +kubebuilder:validation:MaxItems=8 // +optional - CACertRefs []v1beta1.LocalObjectReference `json:"caCertRefs,omitempty"` + CACertificateRefs []v1.LocalObjectReference `json:"caCertificateRefs,omitempty"` - // WellKnownCACerts specifies whether system CA certificates may be used in + // WellKnownCACertificates specifies whether system CA certificates may be used in // the TLS handshake between the gateway and backend pod. // - // If WellKnownCACerts is unspecified or empty (""), then CACertRefs must be - // specified with at least one entry for a valid configuration. Only one of - // CACertRefs or WellKnownCACerts may be specified, not both. If an - // implementation does not support the WellKnownCACerts field or the value + // If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs + // must be specified with at least one entry for a valid configuration. Only one of + // CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + // implementation does not support the WellKnownCACertificates field or the value // supplied is not supported, the Status Conditions on the Policy MUST be // updated to include an Accepted: False Condition with Reason: Invalid. // // Support: Implementation-specific // // +optional - WellKnownCACerts *WellKnownCACertType `json:"wellKnownCACerts,omitempty"` + WellKnownCACertificates *WellKnownCACertificatesType `json:"wellKnownCACertificates,omitempty"` // Hostname is used for two purposes in the connection between Gateways and // backends: 
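Review bot: The comment on `WellKnownCACertificates` does not say what choosing `System` means for backend identity. With a system trust store, presumably any CA in that store can vouch for the backend, which leaves `Hostname` as the only value tying the connection to the intended service. A line such as `// When System is used, Hostname is the only value that binds the presented certificate to this backend, so it must name the backend precisely.` would help operators choose between this field and `CACertificateRefs`. The enclosing struct starts and ends outside this hunk.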
@@ -128,15 +129,15 @@ type BackendTLSPolicyConfig struct { // served by the matching backend. // // Support: Core - Hostname v1beta1.PreciseHostname `json:"hostname"` + Hostname v1.PreciseHostname `json:"hostname"` } -// WellKnownCACertType is the type of CA certificate that will be used when +// WellKnownCACertificatesType is the type of CA certificate that will be used when // the TLS.caCertRefs is unspecified. // +kubebuilder:validation:Enum=System -type WellKnownCACertType string +type WellKnownCACertificatesType string const ( - // Indicates that well known system CA certificates should be used. - WellKnownCACertSystem WellKnownCACertType = "System" + // WellKnownCACertificatesSystem indicates that well known system CA certificates should be used. + WellKnownCACertificatesSystem WellKnownCACertificatesType = "System" ) diff --git a/apis/v1alpha3/doc.go b/apis/v1alpha3/doc.go new file mode 100644 index 0000000000..ceca92c692 --- /dev/null +++ b/apis/v1alpha3/doc.go @@ -0,0 +1,23 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1alpha3 contains API Schema definitions for the +// gateway.networking.k8s.io API group. +// +// +k8s:openapi-gen=true +// +kubebuilder:object:generate=true +// +groupName=gateway.networking.k8s.io +package v1alpha3 diff --git a/apis/v1alpha3/zz_generated.deepcopy.go b/apis/v1alpha3/zz_generated.deepcopy.go new file mode 100644 index 0000000000..416f6bebee --- /dev/null 
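Review bot: The doc comment on `WellKnownCACertificatesType` still reads "the TLS.caCertRefs is unspecified" on its unchanged second line, although this commit renames that field and its parent. Going by the CRD schema in the same commit, the path is now `validation.caCertificateRefs`, so the line should read `// the validation.caCertificateRefs is unspecified.`. Leaving the old name in the comment on the trust-anchor type makes it harder to tell which field selects the CA set.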
+++ b/apis/v1alpha3/zz_generated.deepcopy.go 
@@ -0,0 +1,134 @@ +//go:build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "sigs.k8s.io/gateway-api/apis/v1" + "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendTLSPolicy) DeepCopyInto(out *BackendTLSPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicy. +func (in *BackendTLSPolicy) DeepCopy() *BackendTLSPolicy { + if in == nil { + return nil + } + out := new(BackendTLSPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *BackendTLSPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *BackendTLSPolicyList) DeepCopyInto(out *BackendTLSPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]BackendTLSPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicyList. +func (in *BackendTLSPolicyList) DeepCopy() *BackendTLSPolicyList { + if in == nil { + return nil + } + out := new(BackendTLSPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *BackendTLSPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendTLSPolicySpec) DeepCopyInto(out *BackendTLSPolicySpec) { + *out = *in + if in.TargetRefs != nil { + in, out := &in.TargetRefs, &out.TargetRefs + *out = make([]v1alpha2.LocalPolicyTargetReferenceWithSectionName, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.Validation.DeepCopyInto(&out.Validation) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicySpec. +func (in *BackendTLSPolicySpec) DeepCopy() *BackendTLSPolicySpec { + if in == nil { + return nil + } + out := new(BackendTLSPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *BackendTLSPolicyValidation) DeepCopyInto(out *BackendTLSPolicyValidation) { + *out = *in + if in.CACertificateRefs != nil { + in, out := &in.CACertificateRefs, &out.CACertificateRefs + *out = make([]v1.LocalObjectReference, len(*in)) + copy(*out, *in) + } + if in.WellKnownCACertificates != nil { + in, out := &in.WellKnownCACertificates, &out.WellKnownCACertificates + *out = new(WellKnownCACertificatesType) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicyValidation. +func (in *BackendTLSPolicyValidation) DeepCopy() *BackendTLSPolicyValidation { + if in == nil { + return nil + } + out := new(BackendTLSPolicyValidation) + in.DeepCopyInto(out) + return out +} diff --git a/apis/v1alpha3/zz_generated.register.go b/apis/v1alpha3/zz_generated.register.go new file mode 100644 index 0000000000..a7f649c7cc --- /dev/null +++ b/apis/v1alpha3/zz_generated.register.go 
@@ -0,0 +1,67 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "gateway.networking.k8s.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha3"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha3"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. 
The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &BackendTLSPolicy{}, + &BackendTLSPolicyList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml b/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml index 00ceb84acd..6635441d33 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml @@ -26,7 +26,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha3 schema: openAPIV3Schema: description: |- @@ -53,9 +53,9 @@ spec: spec: description: Spec defines the desired state of BackendTLSPolicy. properties: - targetRef: + targetRefs: description: |- - TargetRef identifies an API object to apply the policy to. + TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource 
@@ -67,69 +67,83 @@ spec: Support: Implementation-specific for any other resource - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - sectionName: - description: |- - SectionName is the name of a section within the target resource. When - unspecified, this targetRef targets the entire resource. In the following - resources, SectionName is interpreted as the following: + items: + description: |- + LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a + direct policy to. This should be used as part of Policy resources that can + target single resources. For more information on how this policy attachment + mode works, and a sample Policy resource, refer to the policy attachment + documentation for Gateway API. - * Gateway: Listener name - * HTTPRoute: HTTPRouteRule name - * Service: Port name + Note: This should only be used for direct policy attachment when references + to SectionName are actually needed. In all other cases, + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: |- + SectionName is the name of a section within the target resource. 
When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: - If a SectionName is specified, but does not exist on the targeted object, - the Policy must fail to attach, and the policy implementation should record - a `ResolvedRefs` or similar Condition in the Policy's status. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - group - - kind - - name - type: object - tls: - description: TLS contains backend TLS policy configuration. + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + validation: + description: Validation contains backend TLS validation configuration. properties: - caCertRefs: + caCertificateRefs: description: |- - CACertRefs contains one or more references to Kubernetes objects that + CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod. - If CACertRefs is empty or unspecified, then WellKnownCACerts must be - specified. Only one of CACertRefs or WellKnownCACerts may be specified, - not both. If CACertRefs is empty or unspecified, the configuration for - WellKnownCACerts MUST be honored instead if supported by the - implementation. + If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be + specified. 
Only one of CACertificateRefs or WellKnownCACertificates may be specified, + not both. If CACertifcateRefs is empty or unspecified, the configuration for + WellKnownCACertificates MUST be honored instead if supported by the implementation. References to a resource in a different namespace are invalid for the moment, although we will revisit this in the future. - A single CACertRef to a Kubernetes ConfigMap kind has "Core" support. + A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific. @@ -194,16 +208,16 @@ spec: minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - wellKnownCACerts: + wellKnownCACertificates: description: |- - WellKnownCACerts specifies whether system CA certificates may be used in + WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod. - If WellKnownCACerts is unspecified or empty (""), then CACertRefs must be - specified with at least one entry for a valid configuration. Only one of - CACertRefs or WellKnownCACerts may be specified, not both. If an - implementation does not support the WellKnownCACerts field or the value + If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs + must be specified with at least one entry for a valid configuration. Only one of + CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + implementation does not support the WellKnownCACertificates field or the value supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid. 
@@ -216,15 +230,17 @@ spec: - hostname type: object x-kubernetes-validations: - - message: must not contain both CACertRefs and WellKnownCACerts - rule: '!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts) - && self.wellKnownCACerts != "")' - - message: must specify either CACertRefs or WellKnownCACerts - rule: (has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts) - && self.wellKnownCACerts != "") + - message: must not contain both CACertificateRefs and WellKnownCACertificates + rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "")' + - message: must specify either CACertificateRefs or WellKnownCACertificates + rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "") required: - - targetRef - - tls + - targetRefs + - validation type: object status: description: Status defines the current state of BackendTLSPolicy. diff --git a/config/crd/experimental/kustomization.yaml b/config/crd/experimental/kustomization.yaml deleted file mode 100644 index ac301a0a81..0000000000 --- a/config/crd/experimental/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -resources: -- gateway.networking.k8s.io_gatewayclasses.yaml -- gateway.networking.k8s.io_gateways.yaml -- gateway.networking.k8s.io_httproutes.yaml -- gateway.networking.k8s.io_referencegrants.yaml -- gateway.networking.k8s.io_tcproutes.yaml -- gateway.networking.k8s.io_tlsroutes.yaml -- gateway.networking.k8s.io_udproutes.yaml -- gateway.networking.k8s.io_grpcroutes.yaml -- gateway.networking.k8s.io_backendtlspolicies.yaml diff --git a/conformance/conformance.go b/conformance/conformance.go index 398b5445aa..469a37011b 100644 --- a/conformance/conformance.go +++ b/conformance/conformance.go 
@@ -23,6 +23,7 @@ import ( v1 "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/apis/v1alpha3" "sigs.k8s.io/gateway-api/apis/v1beta1" confv1 "sigs.k8s.io/gateway-api/conformance/apis/v1" "sigs.k8s.io/gateway-api/conformance/tests" @@ -53,6 +54,7 @@ func DefaultOptions(t *testing.T) suite.ConformanceOptions { clientset, err := clientset.NewForConfig(cfg) require.NoError(t, err, "error initializing Kubernetes clientset") + require.NoError(t, v1alpha3.AddToScheme(client.Scheme())) require.NoError(t, v1alpha2.AddToScheme(client.Scheme())) require.NoError(t, v1beta1.AddToScheme(client.Scheme())) require.NoError(t, v1.AddToScheme(client.Scheme())) diff --git a/examples/experimental/v1alpha2/backendtlspolicy-system-certs.yaml b/examples/experimental/v1alpha2/backendtlspolicy-system-certs.yaml deleted file mode 100644 index 9e24bcdd8c..0000000000 --- a/examples/experimental/v1alpha2/backendtlspolicy-system-certs.yaml +++ /dev/null @@ -1,14 +0,0 @@ -#$ Used in: -#$ - site-src/guides/tls.md -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: BackendTLSPolicy -metadata: - name: tls-upstream-dev -spec: - targetRef: - kind: Service - name: dev-service - group: "" - tls: - wellKnownCACerts: "System" - hostname: dev.example.com diff --git a/examples/experimental/v1alpha2/backendtlspolicy-ca-certs.yaml b/examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml similarity index 58% rename from examples/experimental/v1alpha2/backendtlspolicy-ca-certs.yaml rename to examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml index 21eb75667d..530abb289c 100644 --- a/examples/experimental/v1alpha2/backendtlspolicy-ca-certs.yaml +++ b/examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml 
@@ -1,16 +1,16 @@ #$ Used in: #$ - site-src/guides/tls.md -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1alpha3 kind: BackendTLSPolicy metadata: name: tls-upstream-auth spec: - targetRef: - kind: Service - name: auth-service - group: "" - tls: - caCertRefs: + targetRefs: + - kind: Service + name: auth + group: "" + validation: + caCertificateRefs: - kind: ConfigMapReference name: auth-cert group: "" diff --git a/examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml b/examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml new file mode 100644 index 0000000000..82dd500647 --- /dev/null +++ b/examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml @@ -0,0 +1,14 @@ +#$ Used in: +#$ - site-src/guides/tls.md +apiVersion: gateway.networking.k8s.io/v1alpha3 +kind: BackendTLSPolicy +metadata: + name: tls-upstream-dev +spec: + targetRefs: + - kind: Service + name: dev + group: "" + validation: + wellKnownCACertificates: "System" + hostname: dev.example.com diff --git a/geps/gep-1897/index.md b/geps/gep-1897/index.md index 1294f2a7ba..4c9227a1ee 100644 --- a/geps/gep-1897/index.md +++ b/geps/gep-1897/index.md 
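Review bot: The `caCertificateRefs` entry kept as context in this renamed example still uses `kind: ConfigMapReference`, while the field documentation in this commit names a Kubernetes ConfigMap as the Core-supported reference kind. If an implementation resolves the CA bundle by kind, this manifest would presumably be rejected or leave the policy without a usable CA, so the example likely wants `- kind: ConfigMap`. This should be confirmed against the kinds the API actually accepts. The rest of the file lies outside the hunk.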
@@ -186,7 +186,7 @@ sharing to BackendTLSPolicy, even if they don't for other cross-namespace sharin One of the areas of concern for this API is that we need to indicate how and when the API implementations should use the backend destination certificate authority. This solution proposes, as introduced in [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/), that the implementation -should watch the connections to a specified TargetRef (Service), and if the Service matches a BackendTLSPolicy, then +should watch the connections to the specified TargetRefs (Services), and if a Service matches a BackendTLSPolicy, then assume the connection is TLS, and verify that the TargetRef’s certificate can be validated by the client (Gateway) using the provided certificates and hostname before the connection is made. On the question of how to signal that there was a failure in the certificate validation, this is left up to the implementation to return a response error 
@@ -194,31 +194,31 @@ that is appropriate, such as one of the HTTP error codes: 400 (Bad Request), 401 other signal that makes the failure sufficiently clear to the requester without revealing too much about the transaction, based on established security requirements. -All policy resources must include `TargetRef` with the fields specified +All policy resources must include `TargetRefs` with the fields specified [here](https://github.com/kubernetes-sigs/gateway-api/blob/a33a934af9ec6997b34fd9b00d2ecd13d143e48b/apis/v1alpha2/policy_types.go#L24-L41). -In an upcoming [extension](https://github.com/kubernetes-sigs/gateway-api/issues/2147) to TargetRef, policy resources -_may_ also choose to include `SectionName` and/or `Port` in the TargetRef following the same mechanics as `ParentRef`. +In an upcoming [extension](https://github.com/kubernetes-sigs/gateway-api/issues/2147) to TargetRefs, policy resources +_may_ also choose to include `SectionName` and/or `Port` in the target reference following the same mechanics as `ParentRef`. -BackendTLSPolicySpec contains the `TargetRef` and `TLS` fields. The `TLS` field is a `BackendTLSPolicyConfig` and -contains `CertRefs`, `StandardCerts`, and `Hostname`. +BackendTLSPolicySpec contains the `TargetRefs` and `Validation` fields. The `Validation` field is a +`BackendTLSPolicyValidation` and contains `CACertificateRefs`, `WellKnownCACertificates`, and `Hostname`. The names of the fields were chosen to facilitate discussion, but may be substituted without blocking acceptance of the -content of the API change. +content of the API change. In fact, the `CertRefs` field name was changed to CACertRefs and then to +CACertificateRefs as of April 2024. -The `CertRefs` and `StandardCerts` fields are both optional, but one of them must be set for a valid TLS configuration. -CertRefs is a slice of -named config maps, each containing a single cert. 
We originally proposed to follow the convention established by the +The `CACertificateRefs` and `WellKnownCACertificates` fields are both optional, but one of them must be set for a valid TLS +configuration. CACertificateRefs is an implementation-specific slice of +named object references, each containing a single cert. We originally proposed to follow the convention established by the [CertificateRefs field on Gateway](https://github.com/kubernetes-sigs/gateway-api/blob/18e79909f7310aafc625ba7c862dfcc67b385250/apis/v1beta1/gateway_types.go#L340) , but the CertificateRef requires both a tls.key and tls.crt and a certificate reference only requires the tls.crt. -StandardCerts is an optional enum that allows users to specify whether to use the set of CA certificates trusted by the -Gateway (StandardCerts specified as "System"), or to use the existing CertRefs (StandardCerts specified as ""). The use - -and definition of system certificates is implementation-dependent, and the intent is that these certificates are obtained -from the underlying operating system. CertRefs contains one or more references to Kubernetes objects that -contain PEM-encoded TLS certificates, which are used to establish a TLS handshake between the gateway and backend pod. -References to a resource in a different namespace are invalid. -If CertRefs is unspecified, then StandardCerts must be set to "System" for a valid configuration. -If StandardCerts is unspecified, then CertRefs must be specified with at least one entry for a valid configuration. -If StandardCerts is set to "System" and there are no system trusted certificates or the implementation doesn't define system +WellKnownCACertificates is an optional enum that allows users to specify whether to use the set of CA certificates trusted by the +Gateway (WellKnownCACertificates specified as "System"), or to use the existing CACertificateRefs (WellKnownCACertificates +specified as ""). 
The use and definition of system certificates is implementation-dependent, and the intent is that +these certificates are obtained from the underlying operating system. CACertificateRefs contains one or more +references to Kubernetes objects that contain PEM-encoded TLS certificates, which are used to establish a TLS handshake +between the gateway and backend pod. References to a resource in a different namespace are invalid. +If ClientCertifcateRefs is unspecified, then WellKnownCACertificates must be set to "System" for a valid configuration. +If WellKnownCACertificates is unspecified, then CACertificateRefs must be specified with at least one entry for a valid configuration. +If WellKnownCACertficates is set to "System" and there are no system trusted certificates or the implementation doesn't define system trusted certificates, then the associated TLS connection must fail. The `Hostname` field is required and is to be used to configure the SNI the Gateway should use to connect to the backend. 
@@ -233,200 +233,7 @@ the first round](https://github.com/kubernetes-sigs/gateway-api/pull/2113#issuec Thus, the following additions would be made to the Gateway API: ```go -import "sigs.k8s.io/gateway-api/apis/v1beta1" - -// BackendTLSPolicy provides a way to publish TLS configuration -// that enables a gateway client to connect to a backend pod. -type BackendTLSPolicy struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - // Spec defines the desired state of BackendTLSPolicy. - Spec BackendTLSPolicySpec `json:"spec"` - - // Status defines the current state of BackendTLSPolicy. - Status PolicyStatus `json:"status,omitempty"` -} - -// BackendTLSPolicySpec defines the desired state of -// BackendTLSPolicy. -// Note: there is no Override or Default policy configuration. -// -// Support: Core -type BackendTLSPolicySpec struct { - // TargetRef identifies an API object to apply policy to. - // Services are the only valid API target references. - // Note that this config applies to the entire referenced resource - // by default, but this default may change in the future to provide - // a more granular application of the policy. - TargetRef gatewayv1a2.PolicyTargetReference `json:"targetRef"` - - // TLS contains backend TLS policy configuration. - TLS *BackendTLSPolicyConfig `json:”tls”` -} - -// BackendTLSPolicyConfig contains backend TLS policy configuration. 
-// +kubebuilder:validation:XValidation:message="must not contain both CertRefs and StandardCerts",rule="(has(self.certRefs) && size(self.certRefs > 0) && has(self.standardCerts) && self.standardCerts != "")" -// +kubebuilder:validation:XValidation:message="must specify either CertRefs or StandardCerts",rule="!(has(self.certRefs) && size(self.certRefs > 0) || has(self.standardCerts) && self.standardCerts != "")" -type BackendTLSPolicyConfig struct { - // CertRefs contains one or more references to - // Kubernetes objects that contain PEM-encoded TLS certificates, - // which are used to establish a TLS handshake between the gateway - // and backend pod. - // - // If CertRefs is empty or unspecified, then StandardCerts must - // be specified. Only one of CertRefs or StandardCerts may be - // specified, not both. - // - // If CertRefs is empty or unspecified, then system trusted - // certificates should be used. If there are none, or the - // implementation doesn't define system trusted certificates, - // then a TLS connection must fail. - // - // References to a resource in a different namespace are - // invalid. - // - // A single CertRef to a Kubernetes ConfigMap kind has "Core" - // support. Implementations MAY choose to support attaching - // multiple certificates to a backend, but this behavior is - // implementation-specific. Also implementation-specific is - // a CertRef of other object kinds, e.g. Secret. - // - // Support: Core - An optional single reference to a Kubernetes - // ConfigMap. - // - // Support: Implementation-specific (No reference, more than one - // reference, or resource types other than ConfigMaps. - // Service mesh may ignore.) - // - // +kubebuilder:validation:MaxItems=8 - // +optional - CertRefs []ConfigMapObjectReference `json:”certRefs,omitempty”` - - // StandardCerts specifies whether system CA certificates may - // be used in the TLS handshake between the gateway and - // backend pod. 
- // - // If StandardCerts is unspecified or set to "", then CertRefs must - // be specified with at least one entry for a valid configuration. - // If StandardCerts is unspecified or set to "", then CertRefs must - // be specified. Only one of CertRefs or StandardCerts may be - // specified, not both. - // - // StandardCerts must be set to "System" when CertRefs is unspecified. - // - // If StandardCerts is set to "System", then the system trusted - // certificates should be used. If there are none, or the - // implementation doesn't define system trusted certificates, - // then a TLS connection must fail. - // - // Support: Core - An optional value to specify whether to use - // system certificates or not. - // - // Support: Implementation-specific (In the absence of support - // for usable system certs, may be ignored. Service mesh may ignore.) - // - // +optional - StandardCerts *StandardCertType `json:"standardCerts,omitempty"` - - // Hostname is the Server Name Indication that the Gateway uses to - // connect to the backend. It represents the fully qualified domain - // name of a network host, as defined by RFC1123 - except that numeric - // IP addresses are not allowed. Each label of the FQDN must consist - // of lower case alphanumeric characters or '-', and must start and - // end with an alphanumeric character. No other punctuation is allowed. - // Wildcard domain names are specifically disallowed. - // - // It specifies the hostname that may authenticate, and must be in the - // certificate served by the matching backend. - // - // Support: Core - A required value used by the Gateway to connect to - // the backend when a BackendTLSPolicy is specified. - Hostname v1beta1.PreciseHostname `json:"hostname"` -} - -// StandardCertType is the type of CA certificate that will be used when -// the TLS.certRefs is unspecified. 
-// +kubebuilder:validation:Enum=System -type StandardCertType string - -const ( - StandardCertSystem StandardCertType = "System" -) - -// ConfigMapObjectReference identifies an API object including its namespace, -// defaulting to ConfigMap. -// -// The API object must be valid in the cluster; the Group and Kind must -// be registered in the cluster for this reference to be valid. -// -// References to objects with invalid Group and Kind are not valid, and must -// be rejected by the implementation, with appropriate Conditions set -// on the containing object. -type ConfigMapObjectReference struct { - // Group is the group of the referent. For example, "gateway.networking.k8s.io". - // When unspecified or empty string, core API group is inferred. - // - // +optional - // +kubebuilder:default="" - Group *Group `json:"group"` - - // Kind is the kind of the referent. For example, "ConfigMap". - // - // +optional - // +kubebuilder:default=ConfigMap - Kind *Kind `json:"kind"` - - // Name is the metadata.name of the referenced config map. - // +kubebuilder:validation:Required - Name ObjectName `json"name"` - - // Namespace is the namespace of the referenced object. When unspecified, the local - // namespace is inferred. - // - // Note that when a namespace different than the local namespace is specified, - // a ReferenceGrant object is required in the referent namespace to allow that - // namespace's owner to accept the reference. See the ReferenceGrant - // documentation for details. - // - // Support: Core - // - // +optional - Namespace *Namespace `json:"namespace,omitempty"` -} - -// BackendTLSPolicyConditionType is the type of a condition used -// as a signal by BackendTLSPolicy. This type should be used with -// the BackendTLSPolicyStatus.Conditions field. -type BackendTLSPolicyConditionType string - -// BackendTLSPolicyConditionReason is a reason that explains why a -// particular BackendTLSPolicyConditionType was generated. 
-type BackendTLSPolicyConditionReason string - -const ( - // This condition indicates that the BackendTLSPolicy has been - // accepted as valid. - // Possible reason for this condition to be True is: - // - // * “Accepted” - // - // Possible reasons for this condition to be False are: - // - // * “Invalid” - // * “Pending” - BackendTLSPolicyConditionAccepted BackendTLSPolicyConditionType = “Accepted” - - // This reason is used with the “Accepted” condition when the condition is true. - BackendTLSPolicyReasonAccepted BackendTLSPolicyConditionReason = “Valid” - - // This reason is used with the “Accepted” condition when the BackendTLSPolicy is invalid, - // e.g. use of a CertRef that crosses namespace boundaries. - BackendTLSPolicyReasonInvalid BackendTLSPolicyConditionReason = “Invalid” - - // This reason is used with the “Accepted” condition when the BackendTLSPolicy is pending validation. - BackendTLSPolicyReasonPending BackendTLSPolicyConditionReason = “Pending” -) +//TODO: Will update this section once API changes from PR 2955 are approved. ``` ## How a client behaves 
@@ -472,17 +279,17 @@ reverse proxy. This is shown as **bolded** additions in step 6 below. 4. Optionally, the reverse proxy can perform request header and/or path matching based on match rules of the HTTPRoute. 5. Optionally, the reverse proxy can modify the request, i.e. add/remove headers, based on filter rules of the HTTPRoute. 6. Lastly, the reverse proxy **optionally performs a TLS handshake** and forwards the request to one or more objects, -i.e. Service, in the cluster based on backendRefs rules of the HTTPRoute **and TLSTargetRef of the BackendTLSPolicy**. +i.e. Service, in the cluster based on backendRefs rules of the HTTPRoute **and the TargetRefs of the BackendTLSPolicy**. ## Alternatives -Most alternatives are enumerated in the section on the history of backend TLS above. A couple of additional +Most alternatives are enumerated in the section "The history of backend TLS". A couple of additional alternatives are also listed here. 1. Expand BackendRef, which is already an expansion point. At first, it seems logical that since listeners are handling the client-gateway certs, BackendRefs could handle the gateway-backend certs. However, when multiple Routes to target the same Service, there would be unnecessary copying of the BackendRef every time the Service was targeted. As well, there could be multiple bBackendRefs with multiple rules on a rRoute, each of which might need the gateway-backend cert -configuration so it is not the appropriate pattern. +configuration, so it is not the appropriate pattern. 2. Extend HTTPRoute to indicate TLS backend support. Extending HTTPRoute would interfere with deployed implementations too much to be a practical solution. 3. Add a new type of Route for backend TLS. This is impractical because we might want to enable backend TLS on other diff --git a/gwctl/pkg/common/clients.go b/gwctl/pkg/common/clients.go index 186e57e901..fc3616a58e 100644 --- a/gwctl/pkg/common/clients.go +++ b/gwctl/pkg/common/clients.go 
@@ -32,6 +32,7 @@ import (
 fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
 gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
@@ -51,6 +52,7 @@ func NewK8sClients(kubeconfig string) (*K8sClients, error) {
 if err != nil {
 return nil, fmt.Errorf("failed to initialize Kubernetes client: %v", err)
 }
+ gatewayv1alpha3.AddToScheme(client.Scheme())
 gatewayv1alpha2.AddToScheme(client.Scheme())
 gatewayv1beta1.AddToScheme(client.Scheme())
 gatewayv1.AddToScheme(client.Scheme())
@@ -66,6 +68,7 @@ func NewK8sClients(kubeconfig string) (*K8sClients, error) {
 func MustClientsForTest(t *testing.T, initRuntimeObjects ...runtime.Object) *K8sClients {
 scheme := scheme.Scheme
+ gatewayv1alpha3.AddToScheme(scheme)
 gatewayv1alpha2.AddToScheme(scheme)
 gatewayv1beta1.AddToScheme(scheme)
 gatewayv1.AddToScheme(scheme)
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index 07dbb62e8c..2e163c85d6 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -50,7 +50,7 @@ readonly OUTPUT_PKG=sigs.k8s.io/gateway-api/pkg/client
 readonly APIS_PKG=sigs.k8s.io/gateway-api
 readonly CLIENTSET_NAME=versioned
 readonly CLIENTSET_PKG_NAME=clientset
-readonly VERSIONS=(v1alpha2 v1beta1 v1)
+readonly VERSIONS=(v1alpha2 v1alpha3 v1beta1 v1)
 GATEWAY_INPUT_DIRS=""
 for VERSION in "${VERSIONS[@]}"
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go
index 743be8d8fc..116d5cca8a 100644
--- a/pkg/client/clientset/versioned/clientset.go
+++ b/pkg/client/clientset/versioned/clientset.go
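Review bot: The added `gatewayv1alpha3.AddToScheme(client.Scheme())` call in NewK8sClients (gwctl/pkg/common/clients.go) discards its error return, as does the matching `gatewayv1alpha3.AddToScheme(scheme)` added to MustClientsForTest. If registration of the v1alpha3 types ever failed, it would presumably only surface later as an unregistered-kind or decode error when BackendTLSPolicy objects are read, which is harder to diagnose than a failure at client construction. NewK8sClients already returns an error, so the call could be `if err := gatewayv1alpha3.AddToScheme(client.Scheme()); err != nil { return nil, fmt.Errorf("failed to register gateway v1alpha3 types: %v", err) }`, and the test helper could fail the test with `t.Fatalf` on the same condition. The neighbouring v1alpha2, v1beta1 and v1 calls shown as context follow the same unchecked pattern, and both function bodies continue outside these hunks.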
@@ -27,12 +27,14 @@ import ( flowcontrol "k8s.io/client-go/util/flowcontrol" gatewayv1 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1" gatewayv1alpha2 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha2" + gatewayv1alpha3 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha3" gatewayv1beta1 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1beta1" ) type Interface interface { Discovery() discovery.DiscoveryInterface GatewayV1alpha2() gatewayv1alpha2.GatewayV1alpha2Interface + GatewayV1alpha3() gatewayv1alpha3.GatewayV1alpha3Interface GatewayV1beta1() gatewayv1beta1.GatewayV1beta1Interface GatewayV1() gatewayv1.GatewayV1Interface } @@ -41,6 +43,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient gatewayV1alpha2 *gatewayv1alpha2.GatewayV1alpha2Client + gatewayV1alpha3 *gatewayv1alpha3.GatewayV1alpha3Client gatewayV1beta1 *gatewayv1beta1.GatewayV1beta1Client gatewayV1 *gatewayv1.GatewayV1Client } @@ -50,6 +53,11 @@ func (c *Clientset) GatewayV1alpha2() gatewayv1alpha2.GatewayV1alpha2Interface { return c.gatewayV1alpha2 } +// GatewayV1alpha3 retrieves the GatewayV1alpha3Client +func (c *Clientset) GatewayV1alpha3() gatewayv1alpha3.GatewayV1alpha3Interface { + return c.gatewayV1alpha3 +} + // GatewayV1beta1 retrieves the GatewayV1beta1Client func (c *Clientset) GatewayV1beta1() gatewayv1beta1.GatewayV1beta1Interface { return c.gatewayV1beta1 @@ -108,6 +116,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } + cs.gatewayV1alpha3, err = gatewayv1alpha3.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.gatewayV1beta1, err = gatewayv1beta1.NewForConfigAndClient(&configShallowCopy, httpClient) if err != nil { return nil, err 
@@ -138,6 +150,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.gatewayV1alpha2 = gatewayv1alpha2.New(c) + cs.gatewayV1alpha3 = gatewayv1alpha3.New(c) cs.gatewayV1beta1 = gatewayv1beta1.New(c) cs.gatewayV1 = gatewayv1.New(c) diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go index a3045a7102..c588377449 100644 --- a/pkg/client/clientset/versioned/fake/clientset_generated.go +++ b/pkg/client/clientset/versioned/fake/clientset_generated.go @@ -29,6 +29,8 @@ import ( fakegatewayv1 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1/fake" gatewayv1alpha2 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha2" fakegatewayv1alpha2 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake" + gatewayv1alpha3 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha3" + fakegatewayv1alpha3 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake" gatewayv1beta1 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1beta1" fakegatewayv1beta1 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1beta1/fake" ) @@ -88,6 +90,11 @@ func (c *Clientset) GatewayV1alpha2() gatewayv1alpha2.GatewayV1alpha2Interface { return &fakegatewayv1alpha2.FakeGatewayV1alpha2{Fake: &c.Fake} } +// GatewayV1alpha3 retrieves the GatewayV1alpha3Client +func (c *Clientset) GatewayV1alpha3() gatewayv1alpha3.GatewayV1alpha3Interface { + return &fakegatewayv1alpha3.FakeGatewayV1alpha3{Fake: &c.Fake} +} + // GatewayV1beta1 retrieves the GatewayV1beta1Client func (c *Clientset) GatewayV1beta1() gatewayv1beta1.GatewayV1beta1Interface { return &fakegatewayv1beta1.FakeGatewayV1beta1{Fake: &c.Fake} 
diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go index e3296a9cbd..502a6efc6e 100644 --- a/pkg/client/clientset/versioned/fake/register.go +++ b/pkg/client/clientset/versioned/fake/register.go @@ -26,6 +26,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) @@ -34,6 +35,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ gatewayv1alpha2.AddToScheme, + gatewayv1alpha3.AddToScheme, gatewayv1beta1.AddToScheme, gatewayv1.AddToScheme, } diff --git a/pkg/client/clientset/versioned/scheme/register.go b/pkg/client/clientset/versioned/scheme/register.go index 4d31a9ec73..c6eca7a83a 100644 --- a/pkg/client/clientset/versioned/scheme/register.go +++ b/pkg/client/clientset/versioned/scheme/register.go @@ -26,6 +26,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) @@ -34,6 +35,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ gatewayv1alpha2.AddToScheme, + gatewayv1alpha3.AddToScheme, gatewayv1beta1.AddToScheme, gatewayv1.AddToScheme, } diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go index 7f019a56ed..ff577d35e2 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go 
@@ -28,7 +28,6 @@ import ( type GatewayV1alpha2Interface interface { RESTClient() rest.Interface - BackendTLSPoliciesGetter GRPCRoutesGetter ReferenceGrantsGetter TCPRoutesGetter @@ -41,10 +40,6 @@ type GatewayV1alpha2Client struct { restClient rest.Interface } -func (c *GatewayV1alpha2Client) BackendTLSPolicies(namespace string) BackendTLSPolicyInterface { - return newBackendTLSPolicies(c, namespace) -} - func (c *GatewayV1alpha2Client) GRPCRoutes(namespace string) GRPCRouteInterface { return newGRPCRoutes(c, namespace) } diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go index 3414ee7d36..a2e69883a0 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go @@ -28,10 +28,6 @@ type FakeGatewayV1alpha2 struct { *testing.Fake } -func (c *FakeGatewayV1alpha2) BackendTLSPolicies(namespace string) v1alpha2.BackendTLSPolicyInterface { - return &FakeBackendTLSPolicies{c, namespace} -} - func (c *FakeGatewayV1alpha2) GRPCRoutes(namespace string) v1alpha2.GRPCRouteInterface { return &FakeGRPCRoutes{c, namespace} } diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go index 403342d7fe..c57afdec63 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go @@ -18,8 +18,6 @@ limitations under the License. package v1alpha2 -type BackendTLSPolicyExpansion interface{} - type GRPCRouteExpansion interface{} type ReferenceGrantExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/apis_client.go new file mode 100644 index 0000000000..cdb327c3b7 
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/apis_client.go
@@ -0,0 +1,107 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + "net/http" + + rest "k8s.io/client-go/rest" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" + "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme" +) + +type GatewayV1alpha3Interface interface { + RESTClient() rest.Interface + BackendTLSPoliciesGetter +} + +// GatewayV1alpha3Client is used to interact with features provided by the gateway.networking.k8s.io group. +type GatewayV1alpha3Client struct { + restClient rest.Interface +} + +func (c *GatewayV1alpha3Client) BackendTLSPolicies(namespace string) BackendTLSPolicyInterface { + return newBackendTLSPolicies(c, namespace) +} + +// NewForConfig creates a new GatewayV1alpha3Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*GatewayV1alpha3Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new GatewayV1alpha3Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*GatewayV1alpha3Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &GatewayV1alpha3Client{client}, nil +} + +// NewForConfigOrDie creates a new GatewayV1alpha3Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *GatewayV1alpha3Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new GatewayV1alpha3Client for the given RESTClient. +func New(c rest.Interface) *GatewayV1alpha3Client { + return &GatewayV1alpha3Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha3.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *GatewayV1alpha3Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/backendtlspolicy.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/backendtlspolicy.go new file mode 100644 index 0000000000..aecd62b6bb --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/backendtlspolicy.go 
@@ -0,0 +1,256 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + "context" + json "encoding/json" + "fmt" + "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" + apisv1alpha3 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1alpha3" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" + scheme "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme" +) + +// BackendTLSPoliciesGetter has a method to return a BackendTLSPolicyInterface. +// A group's client should implement this interface. +type BackendTLSPoliciesGetter interface { + BackendTLSPolicies(namespace string) BackendTLSPolicyInterface +} + +// BackendTLSPolicyInterface has methods to work with BackendTLSPolicy resources. 
+type BackendTLSPolicyInterface interface { + Create(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.CreateOptions) (*v1alpha3.BackendTLSPolicy, error) + Update(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.UpdateOptions) (*v1alpha3.BackendTLSPolicy, error) + UpdateStatus(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.UpdateOptions) (*v1alpha3.BackendTLSPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha3.BackendTLSPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha3.BackendTLSPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha3.BackendTLSPolicy, err error) + Apply(ctx context.Context, backendTLSPolicy *apisv1alpha3.BackendTLSPolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha3.BackendTLSPolicy, err error) + ApplyStatus(ctx context.Context, backendTLSPolicy *apisv1alpha3.BackendTLSPolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha3.BackendTLSPolicy, err error) + BackendTLSPolicyExpansion +} + +// backendTLSPolicies implements BackendTLSPolicyInterface +type backendTLSPolicies struct { + client rest.Interface + ns string +} + +// newBackendTLSPolicies returns a BackendTLSPolicies +func newBackendTLSPolicies(c *GatewayV1alpha3Client, namespace string) *backendTLSPolicies { + return &backendTLSPolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the backendTLSPolicy, and returns the corresponding backendTLSPolicy object, and an error if there is any. 
+func (c *backendTLSPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of BackendTLSPolicies that match those selectors. +func (c *backendTLSPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha3.BackendTLSPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha3.BackendTLSPolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("backendtlspolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested backendTLSPolicies. +func (c *backendTLSPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("backendtlspolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a backendTLSPolicy and creates it. Returns the server's representation of the backendTLSPolicy, and an error, if there is any. +func (c *backendTLSPolicies) Create(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.CreateOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("backendtlspolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(backendTLSPolicy). 
+ Do(ctx). + Into(result) + return +} + +// Update takes the representation of a backendTLSPolicy and updates it. Returns the server's representation of the backendTLSPolicy, and an error, if there is any. +func (c *backendTLSPolicies) Update(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.UpdateOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(backendTLSPolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(backendTLSPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *backendTLSPolicies) UpdateStatus(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.UpdateOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(backendTLSPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(backendTLSPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the backendTLSPolicy and deletes it. Returns an error if one occurs. +func (c *backendTLSPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *backendTLSPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). 
+ Resource("backendtlspolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched backendTLSPolicy. +func (c *backendTLSPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha3.BackendTLSPolicy, err error) { + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} + +// Apply takes the given apply declarative configuration, applies it and returns the applied backendTLSPolicy. +func (c *backendTLSPolicies) Apply(ctx context.Context, backendTLSPolicy *apisv1alpha3.BackendTLSPolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + if backendTLSPolicy == nil { + return nil, fmt.Errorf("backendTLSPolicy provided to Apply must not be nil") + } + patchOpts := opts.ToPatchOptions() + data, err := json.Marshal(backendTLSPolicy) + if err != nil { + return nil, err + } + name := backendTLSPolicy.Name + if name == nil { + return nil, fmt.Errorf("backendTLSPolicy.Name must be provided to Apply") + } + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Patch(types.ApplyPatchType). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(*name). + VersionedParams(&patchOpts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} + +// ApplyStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). 
+func (c *backendTLSPolicies) ApplyStatus(ctx context.Context, backendTLSPolicy *apisv1alpha3.BackendTLSPolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + if backendTLSPolicy == nil { + return nil, fmt.Errorf("backendTLSPolicy provided to Apply must not be nil") + } + patchOpts := opts.ToPatchOptions() + data, err := json.Marshal(backendTLSPolicy) + if err != nil { + return nil, err + } + + name := backendTLSPolicy.Name + if name == nil { + return nil, fmt.Errorf("backendTLSPolicy.Name must be provided to Apply") + } + + result = &v1alpha3.BackendTLSPolicy{} + err = c.client.Patch(types.ApplyPatchType). + Namespace(c.ns). + Resource("backendtlspolicies"). + Name(*name). + SubResource("status"). + VersionedParams(&patchOpts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/doc.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/doc.go new file mode 100644 index 0000000000..fdb23fd37c --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/doc.go @@ -0,0 +1,20 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha3 
diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/doc.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/doc.go new file mode 100644 index 0000000000..16f4439906 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/doc.go @@ -0,0 +1,20 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/fake_apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/fake_apis_client.go new file mode 100644 index 0000000000..76f13e27e7 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/fake_apis_client.go 
@@ -0,0 +1,40 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" + v1alpha3 "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/typed/apis/v1alpha3" +) + +type FakeGatewayV1alpha3 struct { + *testing.Fake +} + +func (c *FakeGatewayV1alpha3) BackendTLSPolicies(namespace string) v1alpha3.BackendTLSPolicyInterface { + return &FakeBackendTLSPolicies{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeGatewayV1alpha3) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/fake_backendtlspolicy.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/fake_backendtlspolicy.go new file mode 100644 index 0000000000..65ec24e635 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/fake/fake_backendtlspolicy.go 
@@ -0,0 +1,189 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + json "encoding/json" + "fmt" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" + apisv1alpha3 "sigs.k8s.io/gateway-api/apis/applyconfiguration/apis/v1alpha3" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" +) + +// FakeBackendTLSPolicies implements BackendTLSPolicyInterface +type FakeBackendTLSPolicies struct { + Fake *FakeGatewayV1alpha3 + ns string +} + +var backendtlspoliciesResource = v1alpha3.SchemeGroupVersion.WithResource("backendtlspolicies") + +var backendtlspoliciesKind = v1alpha3.SchemeGroupVersion.WithKind("BackendTLSPolicy") + +// Get takes name of the backendTLSPolicy, and returns the corresponding backendTLSPolicy object, and an error if there is any. +func (c *FakeBackendTLSPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(backendtlspoliciesResource, c.ns, name), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} + +// List takes label and field selectors, and returns the list of BackendTLSPolicies that match those selectors. 
+func (c *FakeBackendTLSPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha3.BackendTLSPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(backendtlspoliciesResource, backendtlspoliciesKind, c.ns, opts), &v1alpha3.BackendTLSPolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha3.BackendTLSPolicyList{ListMeta: obj.(*v1alpha3.BackendTLSPolicyList).ListMeta} + for _, item := range obj.(*v1alpha3.BackendTLSPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested backendTLSPolicies. +func (c *FakeBackendTLSPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(backendtlspoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a backendTLSPolicy and creates it. Returns the server's representation of the backendTLSPolicy, and an error, if there is any. +func (c *FakeBackendTLSPolicies) Create(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.CreateOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(backendtlspoliciesResource, c.ns, backendTLSPolicy), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} + +// Update takes the representation of a backendTLSPolicy and updates it. Returns the server's representation of the backendTLSPolicy, and an error, if there is any. +func (c *FakeBackendTLSPolicies) Update(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.UpdateOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(backendtlspoliciesResource, c.ns, backendTLSPolicy), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeBackendTLSPolicies) UpdateStatus(ctx context.Context, backendTLSPolicy *v1alpha3.BackendTLSPolicy, opts v1.UpdateOptions) (*v1alpha3.BackendTLSPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(backendtlspoliciesResource, "status", c.ns, backendTLSPolicy), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} + +// Delete takes name of the backendTLSPolicy and deletes it. Returns an error if one occurs. +func (c *FakeBackendTLSPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(backendtlspoliciesResource, c.ns, name, opts), &v1alpha3.BackendTLSPolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeBackendTLSPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(backendtlspoliciesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha3.BackendTLSPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched backendTLSPolicy. +func (c *FakeBackendTLSPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha3.BackendTLSPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(backendtlspoliciesResource, c.ns, name, pt, data, subresources...), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} + +// Apply takes the given apply declarative configuration, applies it and returns the applied backendTLSPolicy. +func (c *FakeBackendTLSPolicies) Apply(ctx context.Context, backendTLSPolicy *apisv1alpha3.BackendTLSPolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + if backendTLSPolicy == nil { + return nil, fmt.Errorf("backendTLSPolicy provided to Apply must not be nil") + } + data, err := json.Marshal(backendTLSPolicy) + if err != nil { + return nil, err + } + name := backendTLSPolicy.Name + if name == nil { + return nil, fmt.Errorf("backendTLSPolicy.Name must be provided to Apply") + } + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(backendtlspoliciesResource, c.ns, *name, types.ApplyPatchType, data), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} + +// ApplyStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). +func (c *FakeBackendTLSPolicies) ApplyStatus(ctx context.Context, backendTLSPolicy *apisv1alpha3.BackendTLSPolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha3.BackendTLSPolicy, err error) { + if backendTLSPolicy == nil { + return nil, fmt.Errorf("backendTLSPolicy provided to Apply must not be nil") + } + data, err := json.Marshal(backendTLSPolicy) + if err != nil { + return nil, err + } + name := backendTLSPolicy.Name + if name == nil { + return nil, fmt.Errorf("backendTLSPolicy.Name must be provided to Apply") + } + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(backendtlspoliciesResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1alpha3.BackendTLSPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha3.BackendTLSPolicy), err +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha3/generated_expansion.go b/pkg/client/clientset/versioned/typed/apis/v1alpha3/generated_expansion.go new file mode 100644 index 0000000000..68c5693b88 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha3/generated_expansion.go @@ -0,0 +1,21 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha3 + +type BackendTLSPolicyExpansion interface{} diff --git a/pkg/client/informers/externalversions/apis/interface.go b/pkg/client/informers/externalversions/apis/interface.go index 05de6bbe33..ec6d9155da 100644 --- a/pkg/client/informers/externalversions/apis/interface.go +++ b/pkg/client/informers/externalversions/apis/interface.go 
@@ -21,6 +21,7 @@ package apis import ( v1 "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/apis/v1" v1alpha2 "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/apis/v1alpha2" + v1alpha3 "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/apis/v1alpha3" v1beta1 "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/apis/v1beta1" internalinterfaces "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/internalinterfaces" ) @@ -29,6 +30,8 @@ import ( type Interface interface { // V1alpha2 provides access to shared informers for resources in V1alpha2. V1alpha2() v1alpha2.Interface + // V1alpha3 provides access to shared informers for resources in V1alpha3. + V1alpha3() v1alpha3.Interface // V1beta1 provides access to shared informers for resources in V1beta1. V1beta1() v1beta1.Interface // V1 provides access to shared informers for resources in V1. @@ -51,6 +54,11 @@ func (g *group) V1alpha2() v1alpha2.Interface { return v1alpha2.New(g.factory, g.namespace, g.tweakListOptions) } +// V1alpha3 returns a new v1alpha3.Interface. +func (g *group) V1alpha3() v1alpha3.Interface { + return v1alpha3.New(g.factory, g.namespace, g.tweakListOptions) +} + // V1beta1 returns a new v1beta1.Interface. func (g *group) V1beta1() v1beta1.Interface { return v1beta1.New(g.factory, g.namespace, g.tweakListOptions) diff --git a/pkg/client/informers/externalversions/apis/v1alpha2/interface.go b/pkg/client/informers/externalversions/apis/v1alpha2/interface.go index be6d020d0d..9e5c505ddc 100644 --- a/pkg/client/informers/externalversions/apis/v1alpha2/interface.go +++ b/pkg/client/informers/externalversions/apis/v1alpha2/interface.go 
@@ -24,8 +24,6 @@ import ( // Interface provides access to all the informers in this group version. type Interface interface { - // BackendTLSPolicies returns a BackendTLSPolicyInformer. - BackendTLSPolicies() BackendTLSPolicyInformer // GRPCRoutes returns a GRPCRouteInformer. GRPCRoutes() GRPCRouteInformer // ReferenceGrants returns a ReferenceGrantInformer. @@ -49,11 +47,6 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} } -// BackendTLSPolicies returns a BackendTLSPolicyInformer. -func (v *version) BackendTLSPolicies() BackendTLSPolicyInformer { - return &backendTLSPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} - // GRPCRoutes returns a GRPCRouteInformer. func (v *version) GRPCRoutes() GRPCRouteInformer { return &gRPCRouteInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/pkg/client/informers/externalversions/apis/v1alpha3/backendtlspolicy.go b/pkg/client/informers/externalversions/apis/v1alpha3/backendtlspolicy.go new file mode 100644 index 0000000000..927db8da49 --- /dev/null +++ b/pkg/client/informers/externalversions/apis/v1alpha3/backendtlspolicy.go 
@@ -0,0 +1,90 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + "context" + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" + apisv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" + versioned "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned" + internalinterfaces "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/internalinterfaces" + v1alpha3 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1alpha3" +) + +// BackendTLSPolicyInformer provides access to a shared informer and lister for +// BackendTLSPolicies. +type BackendTLSPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha3.BackendTLSPolicyLister +} + +type backendTLSPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewBackendTLSPolicyInformer constructs a new informer for BackendTLSPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewBackendTLSPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredBackendTLSPolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredBackendTLSPolicyInformer constructs a new informer for BackendTLSPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredBackendTLSPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.GatewayV1alpha3().BackendTLSPolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.GatewayV1alpha3().BackendTLSPolicies(namespace).Watch(context.TODO(), options) + }, + }, + &apisv1alpha3.BackendTLSPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *backendTLSPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredBackendTLSPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *backendTLSPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apisv1alpha3.BackendTLSPolicy{}, f.defaultInformer) +} + +func (f *backendTLSPolicyInformer) Lister() v1alpha3.BackendTLSPolicyLister { + return v1alpha3.NewBackendTLSPolicyLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/informers/externalversions/apis/v1alpha3/interface.go b/pkg/client/informers/externalversions/apis/v1alpha3/interface.go new file mode 100644 index 0000000000..468614d4f4 --- /dev/null +++ b/pkg/client/informers/externalversions/apis/v1alpha3/interface.go @@ -0,0 +1,45 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + internalinterfaces "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // BackendTLSPolicies returns a BackendTLSPolicyInformer. + BackendTLSPolicies() BackendTLSPolicyInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// BackendTLSPolicies returns a BackendTLSPolicyInformer. +func (v *version) BackendTLSPolicies() BackendTLSPolicyInformer { + return &backendTLSPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 6fc898dd21..7a07e5ba38 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -25,6 +25,7 @@ import ( cache "k8s.io/client-go/tools/cache" v1 "sigs.k8s.io/gateway-api/apis/v1" v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) @@ -65,8 +66,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1().HTTPRoutes().Informer()}, nil // Group=gateway.networking.k8s.io, Version=v1alpha2 - case v1alpha2.SchemeGroupVersion.WithResource("backendtlspolicies"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().BackendTLSPolicies().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("grpcroutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().GRPCRoutes().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("referencegrants"): 
@@ -78,6 +77,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha2.SchemeGroupVersion.WithResource("udproutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().UDPRoutes().Informer()}, nil + // Group=gateway.networking.k8s.io, Version=v1alpha3 + case v1alpha3.SchemeGroupVersion.WithResource("backendtlspolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha3().BackendTLSPolicies().Informer()}, nil + // Group=gateway.networking.k8s.io, Version=v1beta1 case v1beta1.SchemeGroupVersion.WithResource("gateways"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1beta1().Gateways().Informer()}, nil diff --git a/pkg/client/listers/apis/v1alpha2/expansion_generated.go b/pkg/client/listers/apis/v1alpha2/expansion_generated.go index ae5d0ba98f..a3ba069b9a 100644 --- a/pkg/client/listers/apis/v1alpha2/expansion_generated.go +++ b/pkg/client/listers/apis/v1alpha2/expansion_generated.go @@ -18,14 +18,6 @@ limitations under the License. package v1alpha2 -// BackendTLSPolicyListerExpansion allows custom methods to be added to -// BackendTLSPolicyLister. -type BackendTLSPolicyListerExpansion interface{} - -// BackendTLSPolicyNamespaceListerExpansion allows custom methods to be added to -// BackendTLSPolicyNamespaceLister. -type BackendTLSPolicyNamespaceListerExpansion interface{} - // GRPCRouteListerExpansion allows custom methods to be added to // GRPCRouteLister. type GRPCRouteListerExpansion interface{} diff --git a/pkg/client/listers/apis/v1alpha3/backendtlspolicy.go b/pkg/client/listers/apis/v1alpha3/backendtlspolicy.go new file mode 100644 index 0000000000..56ea817373 --- /dev/null +++ b/pkg/client/listers/apis/v1alpha3/backendtlspolicy.go 
@@ -0,0 +1,99 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha3 + +import ( + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" + v1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3" +) + +// BackendTLSPolicyLister helps list BackendTLSPolicies. +// All objects returned here must be treated as read-only. +type BackendTLSPolicyLister interface { + // List lists all BackendTLSPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha3.BackendTLSPolicy, err error) + // BackendTLSPolicies returns an object that can list and get BackendTLSPolicies. + BackendTLSPolicies(namespace string) BackendTLSPolicyNamespaceLister + BackendTLSPolicyListerExpansion +} + +// backendTLSPolicyLister implements the BackendTLSPolicyLister interface. +type backendTLSPolicyLister struct { + indexer cache.Indexer +} + +// NewBackendTLSPolicyLister returns a new BackendTLSPolicyLister. +func NewBackendTLSPolicyLister(indexer cache.Indexer) BackendTLSPolicyLister { + return &backendTLSPolicyLister{indexer: indexer} +} + +// List lists all BackendTLSPolicies in the indexer. 
+func (s *backendTLSPolicyLister) List(selector labels.Selector) (ret []*v1alpha3.BackendTLSPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha3.BackendTLSPolicy)) + }) + return ret, err +} + +// BackendTLSPolicies returns an object that can list and get BackendTLSPolicies. +func (s *backendTLSPolicyLister) BackendTLSPolicies(namespace string) BackendTLSPolicyNamespaceLister { + return backendTLSPolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// BackendTLSPolicyNamespaceLister helps list and get BackendTLSPolicies. +// All objects returned here must be treated as read-only. +type BackendTLSPolicyNamespaceLister interface { + // List lists all BackendTLSPolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha3.BackendTLSPolicy, err error) + // Get retrieves the BackendTLSPolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha3.BackendTLSPolicy, error) + BackendTLSPolicyNamespaceListerExpansion +} + +// backendTLSPolicyNamespaceLister implements the BackendTLSPolicyNamespaceLister +// interface. +type backendTLSPolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all BackendTLSPolicies in the indexer for a given namespace. +func (s backendTLSPolicyNamespaceLister) List(selector labels.Selector) (ret []*v1alpha3.BackendTLSPolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha3.BackendTLSPolicy)) + }) + return ret, err +} + +// Get retrieves the BackendTLSPolicy from the indexer for a given namespace and name. 
+func (s backendTLSPolicyNamespaceLister) Get(name string) (*v1alpha3.BackendTLSPolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha3.Resource("backendtlspolicy"), name) + } + return obj.(*v1alpha3.BackendTLSPolicy), nil +} diff --git a/pkg/client/listers/apis/v1alpha3/expansion_generated.go b/pkg/client/listers/apis/v1alpha3/expansion_generated.go new file mode 100644 index 0000000000..5cba22fc90 --- /dev/null +++ b/pkg/client/listers/apis/v1alpha3/expansion_generated.go @@ -0,0 +1,27 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha3 + +// BackendTLSPolicyListerExpansion allows custom methods to be added to +// BackendTLSPolicyLister. +type BackendTLSPolicyListerExpansion interface{} + +// BackendTLSPolicyNamespaceListerExpansion allows custom methods to be added to +// BackendTLSPolicyNamespaceLister. +type BackendTLSPolicyNamespaceListerExpansion interface{} diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 6126c0049e..5fa28eb71f 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go 
@@ -140,10 +140,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "sigs.k8s.io/gateway-api/apis/v1.RouteParentStatus": schema_sigsk8sio_gateway_api_apis_v1_RouteParentStatus(ref), "sigs.k8s.io/gateway-api/apis/v1.RouteStatus": schema_sigsk8sio_gateway_api_apis_v1_RouteStatus(ref), "sigs.k8s.io/gateway-api/apis/v1.SecretObjectReference": schema_sigsk8sio_gateway_api_apis_v1_SecretObjectReference(ref), - "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicy": schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicy(ref), - "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicyConfig": schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicyConfig(ref), - "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicyList": schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicyList(ref), - "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicySpec": schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicySpec(ref), "sigs.k8s.io/gateway-api/apis/v1alpha2.GRPCRoute": schema_sigsk8sio_gateway_api_apis_v1alpha2_GRPCRoute(ref), "sigs.k8s.io/gateway-api/apis/v1alpha2.GRPCRouteList": schema_sigsk8sio_gateway_api_apis_v1alpha2_GRPCRouteList(ref), "sigs.k8s.io/gateway-api/apis/v1alpha2.LocalPolicyTargetReference": schema_sigsk8sio_gateway_api_apis_v1alpha2_LocalPolicyTargetReference(ref), 
@@ -168,6 +164,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "sigs.k8s.io/gateway-api/apis/v1alpha2.UDPRouteRule": schema_sigsk8sio_gateway_api_apis_v1alpha2_UDPRouteRule(ref), "sigs.k8s.io/gateway-api/apis/v1alpha2.UDPRouteSpec": schema_sigsk8sio_gateway_api_apis_v1alpha2_UDPRouteSpec(ref), "sigs.k8s.io/gateway-api/apis/v1alpha2.UDPRouteStatus": schema_sigsk8sio_gateway_api_apis_v1alpha2_UDPRouteStatus(ref), + "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicy": schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicy(ref), + "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicyList": schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicyList(ref), + "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicySpec": schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicySpec(ref), + "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicyValidation": schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicyValidation(ref), "sigs.k8s.io/gateway-api/apis/v1beta1.Gateway": schema_sigsk8sio_gateway_api_apis_v1beta1_Gateway(ref), "sigs.k8s.io/gateway-api/apis/v1beta1.GatewayClass": schema_sigsk8sio_gateway_api_apis_v1beta1_GatewayClass(ref), "sigs.k8s.io/gateway-api/apis/v1beta1.GatewayClassList": schema_sigsk8sio_gateway_api_apis_v1beta1_GatewayClassList(ref), 
@@ -5240,180 +5240,6 @@ func schema_sigsk8sio_gateway_api_apis_v1_SecretObjectReference(ref common.Refer } } -func schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "Spec defines the desired state of BackendTLSPolicy.", - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicySpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "Status defines the current state of BackendTLSPolicy.", - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyStatus"), - }, - }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicySpec", "sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyStatus"}, - } -} - -func schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "BackendTLSPolicyConfig contains backend TLS policy configuration.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caCertRefs": { - SchemaProps: spec.SchemaProps{ - Description: "CACertRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.\n\nIf CACertRefs is empty or unspecified, then WellKnownCACerts must be specified. Only one of CACertRefs or WellKnownCACerts may be specified, not both. 
If CACertRefs is empty or unspecified, the configuration for WellKnownCACerts MUST be honored instead if supported by the implementation.\n\nReferences to a resource in a different namespace are invalid for the moment, although we will revisit this in the future.\n\nA single CACertRef to a Kubernetes ConfigMap kind has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.\n\nSupport: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`.\n\nSupport: Implementation-specific (More than one reference, or other kinds of resources).", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1.LocalObjectReference"), - }, - }, - }, - }, - }, - "wellKnownCACerts": { - SchemaProps: spec.SchemaProps{ - Description: "WellKnownCACerts specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.\n\nIf WellKnownCACerts is unspecified or empty (\"\"), then CACertRefs must be specified with at least one entry for a valid configuration. Only one of CACertRefs or WellKnownCACerts may be specified, not both. If an implementation does not support the WellKnownCACerts field or the value supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid.\n\nSupport: Implementation-specific", - Type: []string{"string"}, - Format: "", - }, - }, - "hostname": { - SchemaProps: spec.SchemaProps{ - Description: "Hostname is used for two purposes in the connection between Gateways and backends:\n\n1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). 2. 
Hostname MUST be used for authentication and MUST match the certificate\n served by the matching backend.\n\nSupport: Core", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"hostname"}, - }, - }, - Dependencies: []string{ - "sigs.k8s.io/gateway-api/apis/v1.LocalObjectReference"}, - } -} - -func schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "BackendTLSPolicyList contains a list of BackendTLSPolicies", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicy"), - }, - }, - }, - }, - }, - }, - Required: []string{"items"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicy"}, - } -} - -func schema_sigsk8sio_gateway_api_apis_v1alpha2_BackendTLSPolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.\n\nSupport: Extended", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "targetRef": { - SchemaProps: spec.SchemaProps{ - Description: "TargetRef identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. 
Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.\n\nSupport: Extended for Kubernetes Service\n\nSupport: Implementation-specific for any other resource", - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.LocalPolicyTargetReferenceWithSectionName"), - }, - }, - "tls": { - SchemaProps: spec.SchemaProps{ - Description: "TLS contains backend TLS policy configuration.", - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicyConfig"), - }, - }, - }, - Required: []string{"targetRef", "tls"}, - }, - }, - Dependencies: []string{ - "sigs.k8s.io/gateway-api/apis/v1alpha2.BackendTLSPolicyConfig", "sigs.k8s.io/gateway-api/apis/v1alpha2.LocalPolicyTargetReferenceWithSectionName"}, - } -} - func schema_sigsk8sio_gateway_api_apis_v1alpha2_GRPCRoute(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -6433,6 +6259,187 @@ func schema_sigsk8sio_gateway_api_apis_v1alpha2_UDPRouteStatus(ref common.Refere } } +func schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec defines the desired state of BackendTLSPolicy.", + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicySpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status defines the current state of BackendTLSPolicy.", + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyStatus", "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicySpec"}, + } +} + +func schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "BackendTLSPolicyList contains a list of BackendTLSPolicies", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicy"}, + } +} + +func schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.\n\nSupport: Extended", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "targetRefs": { + SchemaProps: spec.SchemaProps{ + Description: "TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. 
Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.\n\nSupport: Extended for Kubernetes Service\n\nSupport: Implementation-specific for any other resource", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha2.LocalPolicyTargetReferenceWithSectionName"), + }, + }, + }, + }, + }, + "validation": { + SchemaProps: spec.SchemaProps{ + Description: "Validation contains backend TLS validation configuration.", + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicyValidation"), + }, + }, + }, + Required: []string{"targetRefs", "validation"}, + }, + }, + Dependencies: []string{ + "sigs.k8s.io/gateway-api/apis/v1alpha2.LocalPolicyTargetReferenceWithSectionName", "sigs.k8s.io/gateway-api/apis/v1alpha3.BackendTLSPolicyValidation"}, + } +} + +func schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicyValidation(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "BackendTLSPolicyValidation contains backend TLS validation configuration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caCertificateRefs": { + SchemaProps: spec.SchemaProps{ + Description: "CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.\n\nIf CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. 
If CACertifcateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation.\n\nReferences to a resource in a different namespace are invalid for the moment, although we will revisit this in the future.\n\nA single CACertificateRef to a Kubernetes ConfigMap kind has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.\n\nSupport: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`.\n\nSupport: Implementation-specific (More than one reference, or other kinds of resources).", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1.LocalObjectReference"), + }, + }, + }, + }, + }, + "wellKnownCACertificates": { + SchemaProps: spec.SchemaProps{ + Description: "WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.\n\nIf WellKnownCACertificates is unspecified or empty (\"\"), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field or the value supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid.\n\nSupport: Implementation-specific", + Type: []string{"string"}, + Format: "", + }, + }, + "hostname": { + SchemaProps: spec.SchemaProps{ + Description: "Hostname is used for two purposes in the connection between Gateways and backends:\n\n1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). 2. 
Hostname MUST be used for authentication and MUST match the certificate\n served by the matching backend.\n\nSupport: Core", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"hostname"}, + }, + }, + Dependencies: []string{ + "sigs.k8s.io/gateway-api/apis/v1.LocalObjectReference"}, + } +} + func schema_sigsk8sio_gateway_api_apis_v1beta1_Gateway(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/generator/main.go b/pkg/generator/main.go index a50acb5b46..4cb6661fbb 100644 --- a/pkg/generator/main.go +++ b/pkg/generator/main.go @@ -45,6 +45,7 @@ var standardKinds = map[string]bool{ func main() { roots, err := loader.LoadRoots( "k8s.io/apimachinery/pkg/runtime/schema", // Needed to parse generated register functions. + "sigs.k8s.io/gateway-api/apis/v1alpha3", "sigs.k8s.io/gateway-api/apis/v1alpha2", "sigs.k8s.io/gateway-api/apis/v1beta1", "sigs.k8s.io/gateway-api/apis/v1", diff --git a/pkg/test/cel/backendtlspolicy_test.go b/pkg/test/cel/backendtlspolicy_test.go index f2d4a6e73e..1740a002db 100644 --- a/pkg/test/cel/backendtlspolicy_test.go +++ b/pkg/test/cel/backendtlspolicy_test.go 
@@ -28,27 +28,28 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gatewayv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - "sigs.k8s.io/gateway-api/apis/v1beta1" + gatewayv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" + v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) -func TestBackendTLSPolicyConfig(t *testing.T) { +func TestBackendTLSPolicyValidation(t *testing.T) { tests := []struct { name string wantErrors []string - routeConfig gatewayv1a2.BackendTLSPolicyConfig + routeConfig gatewayv1a3.BackendTLSPolicyValidation }{ { - name: "valid BackendTLSPolicyConfig with WellKnownCACerts", - routeConfig: gatewayv1a2.BackendTLSPolicyConfig{ - WellKnownCACerts: ptrTo(gatewayv1a2.WellKnownCACertType("System")), - Hostname: "foo.example.com", + name: "valid BackendTLSPolicyValidation with WellKnownCACertificates", + routeConfig: gatewayv1a3.BackendTLSPolicyValidation{ + WellKnownCACertificates: ptrTo(gatewayv1a3.WellKnownCACertificatesType("System")), + Hostname: "foo.example.com", }, wantErrors: []string{}, }, { - name: "valid BackendTLSPolicyConfig with CACertRefs", - routeConfig: gatewayv1a2.BackendTLSPolicyConfig{ - CACertRefs: []v1beta1.LocalObjectReference{ + name: "valid BackendTLSPolicyValidation with CACertificateRefs", + routeConfig: gatewayv1a3.BackendTLSPolicyValidation{ + CACertificateRefs: []v1beta1.LocalObjectReference{ { Group: "group", Kind: "kind", 
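Review bot: The table field is still called `routeConfig` although it now holds a `gatewayv1a3.BackendTLSPolicyValidation`, and the loop in a later hunk still binds the policy to a variable named `route`. Both names are left over from the route tests and read wrongly in a policy test. I would rename the field to `validation gatewayv1a3.BackendTLSPolicyValidation` and update `tc.routeConfig` to match. The explicit alias in `v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"` repeats the package's own name and can be dropped. TestBackendTLSPolicyValidation continues outside this hunk.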
@@ -60,38 +61,38 @@ func TestBackendTLSPolicyConfig(t *testing.T) { wantErrors: []string{}, }, { - name: "invalid BackendTLSPolicyConfig with missing fields", - routeConfig: gatewayv1a2.BackendTLSPolicyConfig{}, - wantErrors: []string{"spec.tls.hostname in body should be at least 1 chars long", "must specify either CACertRefs or WellKnownCACerts"}, + name: "invalid BackendTLSPolicyValidation with missing fields", + routeConfig: gatewayv1a3.BackendTLSPolicyValidation{}, + wantErrors: []string{"spec.validation.hostname in body should be at least 1 chars long", "must specify either CACertificateRefs or WellKnownCACertificates"}, }, { - name: "invalid BackendTLSPolicyConfig with both CACertRefs and WellKnownCACerts", - routeConfig: gatewayv1a2.BackendTLSPolicyConfig{ - CACertRefs: []v1beta1.LocalObjectReference{ + name: "invalid BackendTLSPolicyValidation with both CACertificateRefs and WellKnownCACertificates", + routeConfig: gatewayv1a3.BackendTLSPolicyValidation{ + CACertificateRefs: []v1beta1.LocalObjectReference{ { Group: "group", Kind: "kind", Name: "name", }, }, - WellKnownCACerts: ptrTo(gatewayv1a2.WellKnownCACertType("System")), - Hostname: "foo.example.com", + WellKnownCACertificates: ptrTo(gatewayv1a3.WellKnownCACertificatesType("System")), + Hostname: "foo.example.com", }, - wantErrors: []string{"must not contain both CACertRefs and WellKnownCACerts"}, + wantErrors: []string{"must not contain both CACertificateRefs and WellKnownCACertificates"}, }, { - name: "invalid BackendTLSPolicyConfig with Unsupported value for WellKnownCACerts", - routeConfig: gatewayv1a2.BackendTLSPolicyConfig{ - WellKnownCACerts: ptrTo(gatewayv1a2.WellKnownCACertType("bar")), - Hostname: "foo.example.com", + name: "invalid BackendTLSPolicyValidation with Unsupported value for WellKnownCACertificates", + routeConfig: gatewayv1a3.BackendTLSPolicyValidation{ + WellKnownCACertificates: ptrTo(gatewayv1a3.WellKnownCACertificatesType("bar")), + Hostname: "foo.example.com", }, wantErrors: 
[]string{"supported values: \"System\""}, }, { - name: "invalid BackendTLSPolicyConfig with empty Hostname field", - routeConfig: gatewayv1a2.BackendTLSPolicyConfig{ - CACertRefs: []v1beta1.LocalObjectReference{ + name: "invalid BackendTLSPolicyValidation with empty Hostname field", + routeConfig: gatewayv1a3.BackendTLSPolicyValidation{ + CACertificateRefs: []v1beta1.LocalObjectReference{ { Group: "group", Kind: "kind", @@ -100,25 +101,30 @@ func TestBackendTLSPolicyConfig(t *testing.T) { }, Hostname: "", }, - wantErrors: []string{"spec.tls.hostname in body should be at least 1 chars long"}, + wantErrors: []string{"spec.validation.hostname in body should be at least 1 chars long"}, }, } + for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { - route := &gatewayv1a2.BackendTLSPolicy{ + route := &gatewayv1a3.BackendTLSPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("foo-%v", time.Now().UnixNano()), Namespace: metav1.NamespaceDefault, }, - Spec: gatewayv1a2.BackendTLSPolicySpec{ - TargetRef: gatewayv1a2.LocalPolicyTargetReferenceWithSectionName{ - LocalPolicyTargetReference: gatewayv1a2.LocalPolicyTargetReference{ - Group: "group", - Kind: "kind", - Name: "name", + Spec: gatewayv1a3.BackendTLSPolicySpec{ + TargetRefs: []gatewayv1a2.LocalPolicyTargetReferenceWithSectionName{ + { + gatewayv1a2.LocalPolicyTargetReference{ + Group: "group", + Kind: "kind", + Name: "name", + }, + // SectionName cannot contain capital letters. + ptrTo(gatewayv1a2.SectionName("section")), }, }, - TLS: tc.routeConfig, + Validation: tc.routeConfig, }, } validateBackendTLSPolicy(t, route, tc.wantErrors) @@ -126,7 +132,7 @@ func TestBackendTLSPolicyConfig(t *testing.T) { } } -func validateBackendTLSPolicy(t *testing.T, route *gatewayv1a2.BackendTLSPolicy, wantErrors []string) { +func validateBackendTLSPolicy(t *testing.T, route *gatewayv1a3.BackendTLSPolicy, wantErrors []string) { t.Helper() ctx := context.Background() 
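Review bot: The new `TargetRefs` element in the `@@ -100,25 +101,30 @@` hunk is an unkeyed composite literal of a struct imported from another package. `go vet`'s composites check reports this, and the literal stops compiling or changes meaning if a field is added to or reordered in `LocalPolicyTargetReferenceWithSectionName`. Key both fields: `LocalPolicyTargetReference: gatewayv1a2.LocalPolicyTargetReference{` and `SectionName: ptrTo(gatewayv1a2.SectionName("section")),`. Separately, every case still builds exactly one target reference, so nothing here exercises an empty `TargetRefs` list or more than one entry; if the CRD is meant to constrain the list, a case for each would pin that down. TestBackendTLSPolicyValidation begins outside this hunk.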
diff --git a/pkg/test/cel/main_test.go b/pkg/test/cel/main_test.go index 655ad0d2c0..59bf05b937 100644 --- a/pkg/test/cel/main_test.go +++ b/pkg/test/cel/main_test.go @@ -24,6 +24,7 @@ import ( v1 "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/apis/v1alpha3" "sigs.k8s.io/gateway-api/apis/v1beta1" "k8s.io/client-go/tools/clientcmd" @@ -47,6 +48,7 @@ func TestMain(m *testing.M) { if err != nil { panic(fmt.Sprintf("Error initializing Kubernetes client: %v", err)) } + v1alpha3.AddToScheme(k8sClient.Scheme()) v1alpha2.AddToScheme(k8sClient.Scheme()) v1beta1.AddToScheme(k8sClient.Scheme()) v1.AddToScheme(k8sClient.Scheme()) diff --git a/site-src/api-types/backendtlspolicy.md b/site-src/api-types/backendtlspolicy.md index 2de89b9f3b..ed149b5385 100644 --- a/site-src/api-types/backendtlspolicy.md +++ b/site-src/api-types/backendtlspolicy.md 
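Review bot: The added `v1alpha3.AddToScheme(k8sClient.Scheme())` in the `@@ -47,6 +48,7 @@` hunk discards its result, as the three neighbouring calls already do. Assuming it returns an `error` like other generated `AddToScheme` functions, a failed registration would surface later as confusing per-test failures rather than at start-up. Consider `if err := v1alpha3.AddToScheme(k8sClient.Scheme()); err != nil { panic(fmt.Sprintf("Error adding v1alpha3 to scheme: %v", err)) }`, matching the client-initialisation check just above it. TestMain's body continues outside the hunk.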
@@ -30,33 +30,34 @@ All Gateway API Routes that point to a referenced Service should respect a confi The specification of a [BackendTLSPolicy][backendtlspolicy] consists of: -- [TargetRef][targetRef] - Defines the targeted API object of the policy. Only Service is allowed. -- [TLS][tls] - Defines the configuration for TLS, including hostname, CACertRefs, and WellKnownCACerts. +- [TargetRefs][targetRefs] - Defines the targeted API object of the policy. Only Service is allowed. +- [Validation][validation] - Defines the configuration for TLS, including hostname, CACertificateRefs, and +WellKnownCACertificates. - [Hostname][hostname] - Defines the Server Name Indication (SNI) that the Gateway uses to connect to the backend. -- [CACertRefs][caCertRefs] - Defines one or more references to objects that contain PEM-encoded TLS certificates, -which are used to establish a TLS handshake between the Gateway and backend Pod. Either CACertRefs or WellKnownCACerts -may be specified, but not both. -- [WellKnownCACerts][wellKnownCACerts] - Specifies whether system CA certificates may be used in the TLS -handshake between the Gateway and backend Pod. Either CACertRefs or WellKnownCACerts may be specified, but not both. +- [CACertificateRefs][caCertificateRefs] - Defines one or more references to objects that contain PEM-encoded TLS certificates, +which are used to establish a TLS handshake between the Gateway and backend Pod. Either CACertficateRefs or +WellKnownCACertificates may be specified, but not both. +- [WellKnownCACertificates][wellKnownCACertificates] - Specifies whether system CA certificates may be used in the TLS +handshake between the Gateway and backend Pod. Either CACertficateRefs or WellKnownCACertificates may be specified, but not both. The following chart outlines the object definitions and relationship: ```mermaid flowchart LR backendTLSPolicy[["backendTLSPolicy
BackendTLSPolicySpec: spec
PolicyStatus: status"]] - spec[["spec
PolicyTargetReferenceWithSectionName: targetRef
BackendTLSPolicyConfig: tls"]] + spec[["spec
PolicyTargetReferenceWithSectionName: targetRefs
BackendTLSPolicyValidation: tls"]] status[["status
[ ]PolicyAncestorStatus: ancestors"]] - tls[["tls
LocalObjectReference: caCertRefs
wellKnownCACertType: wellKnownCACerts
PreciseHostname: hostname"]] + validation[["tls
LocalObjectReference: caCertificateRefs
wellKnownCACertificatesType: wellKnownCACertificates/
PreciseHostname: hostname"]] ancestorStatus[["ancestors
AncestorRef: parentReference
GatewayController: controllerName
[]Condition: conditions"]] - targetRef[[targetRef
]] + targetRefs[targetRefs
]] service["service"] backendTLSPolicy -->spec backendTLSPolicy -->status - spec -->targetRef & tls + spec -->targetRefs & validation status -->ancestorStatus - targetRef -->service - note[choose only one
caCertRef OR wellKnownCACerts
] + targetRefs -->service + note[choose only one
caCerticateRefs OR wellKnownCACertificates
] style note fill:#fff - tls -.- note + validation -.- note ``` The following illustrates a BackendTLSPolicy that configures TLS for a Service serving a backend: @@ -81,17 +82,17 @@ flowchart LR ### Targeting backends -A BackendTLSPolicy targets a backend Pod (or set of Pods) via a TargetRef to a Service. This TargetRef is a +A BackendTLSPolicy targets a backend Pod (or set of Pods) via one or more TargetRefs to a Service. This TargetRef is a required object reference that specifies a Service by its Name, Kind (Service), and optionally its Namespace and Group. -TargetRef identifies the Service for which your HTTPRoute requires TLS. +TargetRefs identify the Service/s for which your HTTPRoute requires TLS. !!! info "Restrictions" - Cross-namespace certificate references are not allowed. -### BackendTLSPolicyConfig +### BackendTLSPolicyValidation -A BackendTLSPolicyConfig is the specification for the BackendTLSPolicy and defines the configuration for TLS, +A BackendTLSPolicyValidation is the specification for the BackendTLSPolicy and defines the configuration for TLS, including hostname (for server name indication) and certificates. #### Hostname 
@@ -110,23 +111,23 @@ Also note: #### Certificates -The BackendTLSPolicyConfig must contain a certificate reference of some kind, and contains two ways to configure the -certificate to use for backend TLS, CACertRefs and WellKnownCACerts. Only one of these may be used per -BackendTLSPolicyConfig. +The BackendTLSPolicyValidation must contain a certificate reference of some kind, and contains two ways to configure the +certificate to use for backend TLS, CACertificateRefs and WellKnownCACertificates. Only one of these may be used per +BackendTLSPolicyValidation. -##### CaCertRefs +##### CACertficateRefs -CACertRefs refer to one or more PEM-encoded TLS certificates. +CACertificateRefs refer to one or more PEM-encoded TLS certificates. !!! info "Restrictions" - Cross-namespace certificate references are not allowed. -##### WellKnownCACerts +##### WellKnownCACertificates If you are working in an environment where specific TLS certificates are not required, and your Gateway API implementation allows system or default certificates to be used, e.g. in a development environment, you may -set WellKnownCACerts to "System" to tell the Gateway to use a set of trusted CA Certificates. There may be +set WellKnownCACertificates to "System" to tell the Gateway to use a set of trusted CA Certificates. There may be some variation in which system certificates are used by each implementation. Refer to documentation from your implementation of choice for more information. 
@@ -136,9 +137,9 @@ Status defines the observed state of the BackendTLSPolicy and is not user-config way you do for other Gateway API objects to verify correct operation. Note that the status in BackendTLSPolicy uses `PolicyAncestorStatus` to allow you to know which parentReference set that particular status. -[backendtlspolicy]: /references/spec/#gateway.networking.k8s.io/v1alpha2.BackendTLSPolicy -[tls]: /references/spec/#gateway.networking.k8s.io/v1alpha2.BackendTLSPolicy.TLS -[caCertRefs]: /references/spec/#gateway.networking.k8s.io/v1alpha2.BackendTLSPolicyConfig.CACertRefs -[wellKnownCACerts]: /references/spec/#gateway.networking.k8s.io/v1alpha2.BackendTLSPolicyConfig.WellKnownCACerts +[backendtlspolicy]: /references/spec/#gateway.networking.k8s.io/v1alpha3.BackendTLSPolicy +[validation]: /references/spec/#gateway.networking.k8s.io/v1alpha3.BackendTLSPolicy.Validation +[caCertificateRefs]: /references/spec/#gateway.networking.k8s.io/v1alpha3.BackendTLSPolicyValidation.CACertificateRefs +[wellKnownCACertificates]: /references/spec/#gateway.networking.k8s.io/v1alpha3.BackendTLSPolicyValidation.WellKnownCACertificates [hostname]: /references/spec/#gateway.networking.k8s.io/v1.PreciseHostname -[targetRef]: /references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference +[targetRefs]: /references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference diff --git a/site-src/guides/tls.md b/site-src/guides/tls.md index 06ad409d34..2cb0baf7ab 100644 --- a/site-src/guides/tls.md +++ b/site-src/guides/tls.md 
@@ -119,15 +119,15 @@ backend and how the certificate served by the backend Pod(s) should be verified. ### TargetRefs and TLS -BackendTLSPolicy contains specification for the `TargetRef` and `TLS`. TargetRef is required and -identifies the `Service` for which your HTTPRoute requires TLS. The `TLS` configuration contains a -required `Hostname`, and either `CACertRefs` or `WellKnownCACerts`. +BackendTLSPolicy contains specification for the `TargetRefs` and `Validation`. TargetRefs is required and +identifies one or more `Service`s for which your HTTPRoute requires TLS. The `Validation` configuration contains a +required `Hostname`, and either `CACertificateRefs` or `WellKnownCACertificates`. Hostname refers to the SNI the Gateway should use to connect to the backend, and must match the certificate served by the backend pod. -CACertRefs refer to one or more PEM-encoded TLS certificates. If there are no specific certificates -to use, then you must set WellKnownCACerts to "System" to tell the Gateway to use a set of trusted +CACertificateRefs refer to one or more PEM-encoded TLS certificates. If there are no specific certificates +to use, then you must set WellKnownCACertificates to "System" to tell the Gateway to use a set of trusted CA Certificates. There may be some variation in which system certificates are used by each implementation. Refer to documentation from your implementation of choice for more information. @@ -145,7 +145,7 @@ TLS-encrypted upstream connection where Pods backing the `dev` Service are expec certificate for `dev.example.com`. ```yaml -{% include 'experimental/v1alpha2/backendtlspolicy-system-certs.yaml' %} +{% include 'experimental/v1alpha3/backendtlspolicy-system-certs.yaml' %} ``` #### Using Explicit CA Certificates 
@@ -155,7 +155,7 @@ map `auth-cert` to connect with a TLS-encrypted upstream connection where Pods b are expected to serve a valid certificate for `auth.example.com`. ```yaml -{% include 'experimental/v1alpha2/backendtlspolicy-ca-certs.yaml' %} +{% include 'experimental/v1alpha3/backendtlspolicy-ca-certs.yaml' %} ``` ## Extensions