diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 8c30b89fbb..c1591c9b88 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -208,6 +208,7 @@ jobs: steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./tools/github-actions/setup-deps + - uses: ./tools/github-actions/reclaim-storage - name: Download EG Binaries uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 diff --git a/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml b/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml index a13dfdefdb..e763641dfa 100644 --- a/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +++ b/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml @@ -25,7 +25,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -130,6 +130,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource 
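Review bot: The added `- uses: ./tools/github-actions/reclaim-storage` step has no comment saying why this job needs disk cleanup, and it runs after `setup-deps`, so whatever that step installs is already on disk when space is reclaimed. If the intent is to make room for the artifact download that follows, a comment such as `# free runner disk space before downloading the EG binaries` above the step would record that; if `setup-deps` is what needs the room, the step presumably belongs before it. What the local action removes is not visible in this diff, so the ordering is worth confirming against `tools/github-actions/reclaim-storage`. The job's step list starts above the hunk and continues below it.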
@@ -793,6 +799,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1368,6 +1380,8 @@ spec: type: object served: true storage: false + subresources: + status: {} status: acceptedNames: kind: "" @@ -1383,7 +1397,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1902,7 +1916,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: 
@@ -2846,19 +2860,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -4423,19 +4448,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -5087,7 +5123,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5629,10 +5665,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5704,10 +5744,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5912,10 +5956,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -5987,10 +6035,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6281,10 +6333,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6355,10 +6411,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6562,10 +6622,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6636,10 +6700,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -7336,7 +7404,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -8248,6 +8316,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8286,6 +8355,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8297,6 +8367,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8401,10 +8472,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -8476,10 +8551,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8790,6 +8869,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8837,10 +8919,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8912,10 +8998,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9728,6 +9818,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9766,6 +9857,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -9777,6 +9869,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9878,10 +9971,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9952,10 +10049,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10266,6 +10367,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10312,10 +10416,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -10386,10 +10494,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10723,10 +10835,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12406,6 +12522,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12444,6 +12561,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12455,6 +12573,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12559,10 +12678,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -12634,10 +12757,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12948,6 +13075,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12995,10 +13125,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13070,10 +13204,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13886,6 +14024,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13924,6 +14063,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -13935,6 +14075,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14036,10 +14177,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14110,10 +14255,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14424,6 +14573,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14470,10 +14622,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -14544,10 +14700,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14881,10 +15041,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15681,7 +15845,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: referencegrants.gateway.networking.k8s.io spec: @@ -15875,7 +16039,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tcproutes.gateway.networking.k8s.io spec: 
@@ -16635,7 +16799,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tlsroutes.gateway.networking.k8s.io spec: @@ -18256,7 +18420,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: udproutes.gateway.networking.k8s.io spec: @@ -19016,7 +19180,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -19626,7 +19790,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xlistenersets.gateway.networking.x-k8s.io spec: @@ -20417,7 +20581,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml b/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml index 73b2b4db60..a663cce86f 100644 
--- a/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml +++ b/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml @@ -25,7 +25,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard labels: gateway.networking.k8s.io/policy: Direct @@ -130,6 +130,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -775,6 +781,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1332,6 +1344,8 @@ spec: type: object served: false storage: false + subresources: + status: {} status: acceptedNames: kind: "" 
@@ -1347,7 +1361,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1866,7 +1880,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: gateways.gateway.networking.k8s.io spec: @@ -4123,7 +4137,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: grpcroutes.gateway.networking.k8s.io spec: @@ -6197,7 +6211,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: httproutes.gateway.networking.k8s.io spec: @@ -7073,6 +7087,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8007,6 +8024,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -9882,6 +9902,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10816,6 +10839,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -11844,7 +11870,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: referencegrants.gateway.networking.k8s.io spec: diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml index 30154f05d7..53f41ad8ee 100644 --- a/charts/gateway-helm/crds/gatewayapi-crds.yaml +++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml @@ -24,7 +24,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -129,6 +129,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource 
@@ -792,6 +798,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1367,6 +1379,8 @@ spec: type: object served: true storage: false + subresources: + status: {} status: acceptedNames: kind: "" @@ -1382,7 +1396,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1901,7 +1915,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: 
@@ -2845,19 +2859,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
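Review bot: The rewritten `clientCertificateRef` description at @@ -2845 (and again at @@ -4422) introduces the Reason `InvalidClientCertificateRef` and moves the `ResolvedRefs` condition from the listener to the Gateway, but only schema text changes here; the controller code that sets these conditions is not part of this file section. Because the reference resolves to a private key, I would confirm that a cross-namespace reference without a ReferenceGrant is never loaded rather than only reported, and that a Secret missing `tls.crt` or `tls.key` is rejected. A translator test asserting `ResolvedRefs=False` with Reason `InvalidClientCertificateRef` for a Secret without `tls.key` would pin the new contract.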
@@ -4422,19 +4447,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -5086,7 +5122,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5628,10 +5664,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5703,10 +5743,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5911,10 +5955,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
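Review bot: The header-value `pattern: ^[!-~]+([\t ]?[!-~]+)*$` added at @@ -5628, and repeated in every later header `value` hunk of this file, has an optional separator inside a repeated group, so a single run of printable characters can be split in many ways. Go's linear-time `regexp`, which the API server uses for schema validation, is unaffected, but a linter or admission tool that re-checks the CRD with a backtracking engine can take worst-case exponential time on values up to the 4096-character `maxLength`. The `?` is redundant: `pattern: ^[!-~]+([\t ][!-~]+)*$` accepts the same strings without the ambiguity. This file looks like a synced copy of the upstream v1.4.1 bundle, so the change belongs upstream rather than in a local edit.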
@@ -5986,10 +6034,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6280,10 +6332,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6354,10 +6410,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6561,10 +6621,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6635,10 +6699,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -7335,7 +7403,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -8247,6 +8315,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8285,6 +8354,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8296,6 +8366,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8400,10 +8471,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -8475,10 +8550,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8789,6 +8868,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8836,10 +8918,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8911,10 +8997,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9727,6 +9817,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9765,6 +9856,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
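Review bot: The `statusCode` enum extended at @@ -8789 (same change at @@ -10265, @@ -12947 and @@ -14423) now admits 303, 307 and 308, and the code that turns this value into a proxy redirect is outside this file section, so it is worth confirming that every admitted code is mapped explicitly instead of falling through to a default. 307 and 308 also differ from 301/302 in that clients repeat the original method and body against the new location, which matters when the same filter rewrites the hostname. I would add a sentence to the user documentation for the redirect filter such as `307 and 308 resend the request method and body to the redirect target; use them only when the target host is trusted to receive that data.`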
@@ -9776,6 +9868,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9877,10 +9970,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9951,10 +10048,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10265,6 +10366,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10311,10 +10415,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -10385,10 +10493,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10722,10 +10834,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12405,6 +12521,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12443,6 +12560,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12454,6 +12572,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12558,10 +12677,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
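Review bot: At @@ -10722 (and @@ -14880) the new `pattern: ^[!-~]+([\t ]?[!-~]+)*$` is attached to a `value` whose sibling `type` enum includes `RegularExpression`, so it constrains regular expressions as well as literal header values. An expression that contains two adjacent spaces, a leading or trailing space, or any non-ASCII character had no pattern to satisfy before this change and is now refused at admission, which may only surface when an existing route is next updated. A release-note line such as `HTTPRoute header match values must now be printable US-ASCII with single tab/space separators, including RegularExpression matches` would warn operators before they upgrade the CRDs.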
@@ -12633,10 +12756,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12947,6 +13074,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12994,10 +13124,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13069,10 +13203,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13885,6 +14023,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13923,6 +14062,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -13934,6 +14074,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14035,10 +14176,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14109,10 +14254,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14423,6 +14572,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14469,10 +14621,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -14543,10 +14699,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14880,10 +15040,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15680,7 +15844,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: referencegrants.gateway.networking.k8s.io spec: @@ -15874,7 +16038,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tcproutes.gateway.networking.k8s.io spec: 
@@ -16634,7 +16798,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tlsroutes.gateway.networking.k8s.io spec: @@ -18255,7 +18419,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: udproutes.gateway.networking.k8s.io spec: @@ -19015,7 +19179,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -19625,7 +19789,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xlistenersets.gateway.networking.x-k8s.io spec: @@ -20416,7 +20580,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 68fb353cea..cea15b218b 100644 --- a/examples/extension-server/go.mod 
+++ b/examples/extension-server/go.mod @@ -9,10 +9,10 @@ require ( github.com/urfave/cli/v2 v2.27.7 google.golang.org/grpc v1.76.0 google.golang.org/protobuf v1.36.10 - k8s.io/apimachinery v0.34.1 + k8s.io/apimachinery v0.34.2 sigs.k8s.io/controller-runtime v0.22.4 - sigs.k8s.io/gateway-api v1.4.0 - sigs.k8s.io/gateway-api-inference-extension v1.1.0 + sigs.k8s.io/gateway-api v1.4.1 + sigs.k8s.io/gateway-api-inference-extension v1.2.0 ) require ( @@ -46,20 +46,20 @@ require ( github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/mod v0.28.0 // indirect - golang.org/x/net v0.46.0 // indirect - golang.org/x/sync v0.17.0 // indirect - golang.org/x/sys v0.37.0 // indirect - golang.org/x/text v0.30.0 // indirect - golang.org/x/tools v0.37.0 // indirect + golang.org/x/mod v0.29.0 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/sync v0.18.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/text v0.31.0 // indirect + golang.org/x/tools v0.38.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250922171735-9219d122eba9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.34.1 // indirect - k8s.io/apiextensions-apiserver v0.34.1 // indirect - k8s.io/code-generator v0.34.1 // indirect + k8s.io/api v0.34.2 // indirect + k8s.io/apiextensions-apiserver v0.34.2 // indirect + k8s.io/code-generator v0.34.2 // indirect k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 87b73f1a1d..34b6d93b38 100644 --- a/examples/extension-server/go.sum 
+++ b/examples/extension-server/go.sum @@ -99,8 +99,8 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.26.0 h1:1J4Wut1IlYZNEAWIV3ALrT9NfiaGW2cDCJQSFQMs/gE= -github.com/onsi/ginkgo/v2 v2.26.0/go.mod h1:qhEywmzWTBUY88kfO0BRvX4py7scov9yR+Az2oavUzw= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= 
@@ -112,8 +112,8 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI= -github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q= +github.com/prometheus/common v0.67.2 h1:PcBAckGFTIHt2+L3I33uNRTlKTplNzFctXcWhPyAEN8= +github.com/prometheus/common v0.67.2/go.mod h1:63W3KZb1JOKgcjlIr64WW/LvFGAqKPj0atm+knVGEko= github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= @@ -164,8 +164,6 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE= go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 
@@ -177,41 +175,41 @@ golang.org/x/exp v0.0.0-20250808145144-a408d31f581a h1:Y+7uR/b1Mw2iSXZ3G//1haIiS golang.org/x/exp v0.0.0-20250808145144-a408d31f581a/go.mod h1:rT6SFzZ7oxADUDx58pcaKFTcZ+inxAa9fTrYx/uVYwg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U= -golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI= +golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= +golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= -golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= -golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo= -golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= +golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY= +golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync 
v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= -golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I= +golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= -golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= -golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= +golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= +golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= +golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= -golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= +golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= +golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI= golang.org/x/time 
v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= -golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= +golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= +golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= 
@@ -242,20 +240,20 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= -k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= -k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= -k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= -k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= -k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= -k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= -k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= -k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= -k8s.io/code-generator v0.34.1 h1:WpphT26E+j7tEgIUfFr5WfbJrktCGzB3JoJH9149xYc= -k8s.io/code-generator v0.34.1/go.mod h1:DeWjekbDnJWRwpw3s0Jat87c+e0TgkxoR4ar608yqvg= -k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= -k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= +k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY= +k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw= +k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo= +k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE= +k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4= +k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apiserver v0.34.2 
h1:2/yu8suwkmES7IzwlehAovo8dDE07cFRC7KMDb1+MAE= +k8s.io/apiserver v0.34.2/go.mod h1:gqJQy2yDOB50R3JUReHSFr+cwJnL8G1dzTA0YLEqAPI= +k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M= +k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE= +k8s.io/code-generator v0.34.2 h1:9bG6jTxmsU3HXE5BNYJTC8AZ1D6hVVfkm8yYSkdkGY0= +k8s.io/code-generator v0.34.2/go.mod h1:dnDDEd6S/z4uZ+PG1aE58ySCi/lR4+qT3a4DddE4/2I= +k8s.io/component-base v0.34.2 h1:HQRqK9x2sSAsd8+R4xxRirlTjowsg6fWCPwWYeSvogQ= +k8s.io/component-base v0.34.2/go.mod h1:9xw2FHJavUHBFpiGkZoKuYZ5pdtLKe97DEByaA+hHbM= k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d h1:qUrYOinhdAUL0xxhA4gPqogPBaS9nIq2l2kTb6pmeB0= k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= 
@@ -270,10 +268,10 @@ sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327U sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= sigs.k8s.io/controller-tools v0.19.0 h1:OU7jrPPiZusryu6YK0jYSjPqg8Vhf8cAzluP9XGI5uk= sigs.k8s.io/controller-tools v0.19.0/go.mod h1:y5HY/iNDFkmFla2CfQoVb2AQXMsBk4ad84iR1PLANB0= -sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ= -sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= -sigs.k8s.io/gateway-api-inference-extension v1.1.0 h1:MqRYk+3LNUWB0MbTgTZVhmJGNDTvm8l3ze4MOlzR7MU= -sigs.k8s.io/gateway-api-inference-extension v1.1.0/go.mod h1:BmJy8Hvc2EHl3Oa/Ka8/4RqwVHCCbX7BLndLdMNtugI= +sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= +sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/gateway-api-inference-extension v1.2.0 h1:7H+ijrUImnW2ubcTakNgV723xDIdQx1Umv4vDVB+tTk= +sigs.k8s.io/gateway-api-inference-extension v1.2.0/go.mod h1:/HWeqxuOMjFM56YwJ2Spt3qceK7Spz4hk6ZfXYgE9a8= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/go.mod b/go.mod index e79462fd12..a76da0503c 100644 --- a/go.mod +++ b/go.mod @@ -62,7 +62,7 @@ require ( go.opentelemetry.io/proto/otlp v1.8.0 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 - golang.org/x/net v0.46.0 + golang.org/x/net v0.47.0 gomodules.xyz/jsonpatch/v2 v2.5.0 gonum.org/v1/gonum v0.16.0 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 
@@ -81,8 +81,8 @@ require ( k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 k8s.io/kubectl v0.34.1 k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d - sigs.k8s.io/controller-runtime v0.22.3 - sigs.k8s.io/gateway-api v1.4.0 + sigs.k8s.io/controller-runtime v0.22.4 + sigs.k8s.io/gateway-api v1.4.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 sigs.k8s.io/mcs-api v0.3.0 sigs.k8s.io/yaml v1.6.0 @@ -294,16 +294,16 @@ require ( go.uber.org/multierr v1.11.0 // indirect go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/crypto v0.43.0 // indirect + golang.org/x/crypto v0.45.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb // indirect - golang.org/x/mod v0.28.0 // indirect - golang.org/x/oauth2 v0.31.0 // indirect - golang.org/x/sync v0.17.0 // indirect - golang.org/x/sys v0.37.0 // indirect - golang.org/x/term v0.36.0 // indirect - golang.org/x/text v0.30.0 // indirect + golang.org/x/mod v0.29.0 // indirect + golang.org/x/oauth2 v0.32.0 // indirect + golang.org/x/sync v0.18.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/term v0.37.0 // indirect + golang.org/x/text v0.31.0 // indirect golang.org/x/time v0.12.0 // indirect - golang.org/x/tools v0.37.0 // indirect + golang.org/x/tools v0.38.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index caf7ff69c1..44514e8a5b 100644 --- a/go.sum +++ b/go.sum 
@@ -755,8 +755,8 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= -golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= +golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= +golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb h1:Iu0p/klM0SM7atONioa/bPhLS7cjhnip99x1OIGibwg= golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -767,8 +767,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U= -golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI= +golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= +golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -781,18 +781,18 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= -golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo= -golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY= +golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= -golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I= +golang.org/x/sync v0.18.0/go.mod 
h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -814,15 +814,15 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= -golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= -golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= +golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= +golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= +golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= -golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= +golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= +golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -834,8 +834,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= -golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= +golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= +golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -936,10 +936,10 @@ periph.io/x/host/v3 v3.8.5 h1:g4g5xE1XZtDiGl1UAJaUur1aT7uNiFLMkyMEiZ7IHII= periph.io/x/host/v3 v3.8.5/go.mod h1:hPq8dISZIc+UNfWoRj+bPH3XEBQqJPdFdx218W92mdc= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= -sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= -sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ= -sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= +sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= +sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= +sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index a339d3b8c8..b42b4f7d28 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go 
@@ -281,7 +281,11 @@ func (t *Translator) processBackendTrafficPolicyForRoute( ancestorRef := getAncestorRefForPolicy(mapKey.NamespacedName, p.SectionName) ancestorRefs = append(ancestorRefs, &ancestorRef) - parentRefCtxs = append(parentRefCtxs, GetRouteParentContext(targetedRoute, p, t.GatewayControllerName)) + // Only process parentRefs that were handled by this translator + // (skip those referencing Gateways with different GatewayClasses) + if parentRefCtx := targetedRoute.GetRouteParentContext(p); parentRefCtx != nil { + parentRefCtxs = append(parentRefCtxs, parentRefCtx) + } } } diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index c0322b943e..2284e5d3c5 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -475,7 +475,12 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute( parentRefs := GetParentReferences(route) routesWithDirectResponse := sets.New[string]() for _, p := range parentRefs { - parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName) + // Skip if this parentRef was not processed by this translator + // (e.g., references a Gateway with a different GatewayClass) + parentRefCtx := route.GetRouteParentContext(p) + if parentRefCtx == nil { + continue + } gtwCtx := parentRefCtx.GetGateway() if gtwCtx == nil { continue diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index e851818454..a8a20d4ed7 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
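Review bot: In processBackendTrafficPolicyForRoute the context line `ancestorRefs = append(ancestorRefs, &ancestorRef)` still runs before the new nil check, so a parentRef this translator did not process is left out of `parentRefCtxs` but is still recorded as a policy ancestor. If the enclosing loop (outside the hunk) does not already filter on the Gateway's class, policy status could be written against a Gateway owned by another controller, and the two slices no longer have matching lengths. Consider moving the ancestor append under the same guard, `if parentRefCtx := targetedRoute.GetRouteParentContext(p); parentRefCtx != nil { ancestorRefs = append(ancestorRefs, &ancestorRef); parentRefCtxs = append(parentRefCtxs, parentRefCtx) }`, or add a comment explaining why the ancestor is kept.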
@@ -233,6 +233,7 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe BackendRef: &rule.BackendRefs[i].BackendRef, Filters: rule.BackendRefs[i].Filters, } + // ds will never be nil here because processDestination returns an empty DestinationSetting for invalid backendRefs. ds, unstructuredRef, err := t.processDestination(settingName, backendRefCtx, parentRef, httpRoute, resources) if err != nil { // Gateway API conformance: When backendRef Service exists but has no endpoints, @@ -250,13 +251,12 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe )) processDestinationError = err } - continue } if unstructuredRef != nil { backendCustomRefs = append(backendCustomRefs, unstructuredRef) } - // ds can be nil if the backendRef weight is 0 - if ds == nil { + // skip backendRefs with weight 0 as they do not affect the traffic distribution + if ds.Weight != nil && *ds.Weight == 0 { continue } allDs = append(allDs, ds) @@ -275,9 +275,9 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe Metadata: routeRuleMetadata, } switch { - // return 500 if any destination setting is invalid + // return 500 if no valid destination settings exist // the error is already added to the error list when processing the destination - case processDestinationError != nil: + case processDestinationError != nil && destination.ToBackendWeights().Valid == 0: routesWithDirectResponse := sets.New[string]() for _, irRoute := range ruleRoutes { // If the route already has a direct response or redirect configured, then it was from a filter so skip 
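Review bot: With the `continue` removed from the error branch in processHTTPRouteRules (hunk at -250), `ds.Weight` is now dereferenced on the error path too, and the only protection is the new comment saying processDestination never returns a nil `ds`. The processDestination hunks replace the visible `return nil, nil, …` sites, but its other return paths lie outside the diff, so one missed path would turn an invalid backendRef on a user-created route into a translator panic. A cheap guard keeps the old safety: `if ds == nil || (ds.Weight != nil && *ds.Weight == 0) { continue }`. The same applies to the GRPC hunk at -843 and to the `ds.Weight != nil && *ds.Weight > 0` checks in the TLS, UDP and TCP hunks.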
@@ -297,9 +297,9 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe "error", processDestinationError, ) } - // return 503 if endpoints does not exist + // return 503 if no ready endpoints exist // the error is already added to the error list when processing the destination - case failedNoReadyEndpoints && len(allDs) == 0: + case failedNoReadyEndpoints && destination.ToBackendWeights().Valid == 0: routesWithDirectResponse := sets.New[string]() for _, irRoute := range ruleRoutes { // If the route already has a direct response or redirect configured, then it was from a filter so skip @@ -334,8 +334,8 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe t.Logger.Info("setting 500 direct response in routes due to all valid destinations having 0 weight", "routes", sets.List(routesWithDirectResponse)) } - // A route can only have one destination if this destination is a dynamic resolver, because the behavior of - // multiple destinations with one being a dynamic resolver just doesn't make sense. + // A route can only have one destination if this destination is a dynamic resolver, because the behavior of + // multiple destinations with one being a dynamic resolver just doesn't make sense. case hasDynamicResolver && len(rule.BackendRefs) > 1: routesWithDirectResponse := sets.New[string]() for _, irRoute := range ruleRoutes { @@ -388,10 +388,6 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe } } - // TODO handle: - // - sum of weights for valid backend refs is 0 - // - etc. - irRoutes = append(irRoutes, ruleRoutes...) } if errorCollector.Empty() { 
@@ -826,6 +822,7 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe BackendRef: &rule.BackendRefs[i].BackendRef, Filters: rule.BackendRefs[i].Filters, } + // ds will never be nil here because processDestination returns an empty DestinationSetting for invalid backendRefs. ds, _, err := t.processDestination(settingName, backendRefCtx, parentRef, grpcRoute, resources) if err != nil { // Gateway API conformance: When backendRef Service exists but has no endpoints, @@ -843,10 +840,10 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe )) processDestinationError = err } - continue } - if ds == nil { + // skip backendRefs with weight 0 as they do not affect the traffic distribution + if ds.Weight != nil && *ds.Weight == 0 { continue } allDs = append(allDs, ds) @@ -862,7 +859,7 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe switch { // return 500 if any destination setting is invalid // the error is already added to the error list when processing the destination - case processDestinationError != nil: + case processDestinationError != nil && destination.ToBackendWeights().Valid == 0: routesWithDirectResponse := sets.New[string]() for _, irRoute := range ruleRoutes { // If the route already has a direct response or redirect configured, then it was from a filter so skip @@ -883,7 +880,7 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe } // return 503 if endpoints does not exist // the error is already added to the error list when processing the destination - case failedNoReadyEndpoints && len(allDs) == 0: + case failedNoReadyEndpoints && destination.ToBackendWeights().Valid == 0: routesWithDirectResponse := sets.New[string]() for _, irRoute := range ruleRoutes { // If the route already has a direct response or redirect configured, then it was from a filter so skip 
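Review bot: The comments above the two changed `case` lines in processGRPCRouteRules (hunks at -862 and -883) still describe the old conditions, `return 500 if any destination setting is invalid` and `return 503 if endpoints does not exist`. Both cases now fire only when `destination.ToBackendWeights().Valid == 0`, and the matching HTTP hunks already reworded theirs. Suggest `// return 500 if no valid destination settings exist` and `// return 503 if no ready endpoints exist` here as well, so the two functions document the same behaviour.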
@@ -945,10 +942,6 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe } } - // TODO handle: - // - sum of weights for valid backend refs is 0 - // - etc. - irRoutes = append(irRoutes, ruleRoutes...) } @@ -1195,12 +1188,14 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour for i := range rule.BackendRefs { settingName := irDestinationSettingName(destName, i) backendRefCtx := DirectBackendRef{BackendRef: &rule.BackendRefs[i]} + // ds will never be nil here because processDestination returns an empty DestinationSetting for invalid backendRefs. ds, _, err := t.processDestination(settingName, backendRefCtx, parentRef, tlsRoute, resources) if err != nil { resolveErrs.Add(err) continue } - if ds != nil { + // skip backendRefs with weight 0 as they do not affect the traffic distribution + if ds.Weight != nil && *ds.Weight > 0 { destSettings = append(destSettings, ds) } } @@ -1351,14 +1346,15 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour for i := range udpRoute.Spec.Rules[0].BackendRefs { settingName := irDestinationSettingName(destName, i) backendRefCtx := DirectBackendRef{BackendRef: &udpRoute.Spec.Rules[0].BackendRefs[i]} + // ds will never be nil here because processDestination returns an empty DestinationSetting for invalid backendRefs. ds, _, err := t.processDestination(settingName, backendRefCtx, parentRef, udpRoute, resources) if err != nil { resolveErrs.Add(err) continue } - // Skip nil destination settings - if ds != nil { + // skip backendRefs with weight 0 as they do not affect the traffic distribution + if ds.Weight != nil && *ds.Weight > 0 { destSettings = append(destSettings, ds) } } 
@@ -1507,8 +1503,8 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour resolveErrs.Add(err) continue } - // Skip nil destination settings - if ds != nil { + // skip backendRefs with weight 0 as they do not affect the traffic distribution + if ds.Weight != nil && *ds.Weight > 0 { destSettings = append(destSettings, ds) } } @@ -1613,27 +1609,33 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour func (t *Translator) processDestination(name string, backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources, ) (ds *ir.DestinationSetting, unstructuredRef *ir.UnstructuredRef, err status.Error) { - routeType := route.GetRouteType() - weight := uint32(1) - backendRef := backendRefContext.GetBackendRef() - if backendRef.Weight != nil { - weight = uint32(*backendRef.Weight) + var ( + routeType = route.GetRouteType() + weight = (uint32(ptr.Deref(backendRefContext.GetBackendRef().Weight, int32(1)))) + backendRef = backendRefContext.GetBackendRef() + ) + + // Create an empty DS without endpoints + // This represents an invalid DS. + emptyDS := &ir.DestinationSetting{ + Name: name, + Weight: &weight, } backendNamespace := NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()) if !t.isCustomBackendResource(backendRef.Group, KindDerefOr(backendRef.Kind, resource.KindService)) { err = t.validateBackendRef(backendRefContext, route, resources, backendNamespace, routeType) { - // return with empty endpoint means the backend is invalid and an error to fail the associated route. + // Empty DS means the backend is invalid and an error to fail the associated route. if err != nil { - return nil, nil, err + return emptyDS, nil, err } } } // Skip processing backends with 0 weight if weight == 0 { - return nil, nil, nil + return emptyDS, nil, nil } var envoyProxy *egv1a1.EnvoyProxy 
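Review bot: The new `weight` initialiser in processDestination casts the int32 weight straight to uint32, `uint32(ptr.Deref(backendRefContext.GetBackendRef().Weight, int32(1)))`, so a negative value would wrap to a very large weight instead of being rejected. The CRD schema presumably prevents this, but nothing in the hunk enforces it. The expression also calls GetBackendRef() twice and carries redundant outer parentheses. Declaring `backendRef = backendRefContext.GetBackendRef()` first and then `weight = uint32(ptr.Deref(backendRef.Weight, int32(1)))` reads more simply, with a one-line comment recording where the weight range is validated. The function body continues outside the hunk.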
@@ -1660,19 +1662,19 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe envoyProxy, ) if tlsErr != nil { - return nil, nil, status.NewRouteStatusError(tlsErr, status.RouteReasonInvalidBackendTLS) + return emptyDS, nil, status.NewRouteStatusError(tlsErr, status.RouteReasonInvalidBackendTLS) } switch KindDerefOr(backendRef.Kind, resource.KindService) { case resource.KindServiceImport: ds, err = t.processServiceImportDestinationSetting(name, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) if err != nil { - return nil, nil, err + return emptyDS, nil, err } case resource.KindService: ds, err = t.processServiceDestinationSetting(name, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) if err != nil { - return nil, nil, err + return emptyDS, nil, err } svc := resources.GetService(backendNamespace, string(backendRef.Name)) ds.IPFamily = getServiceIPFamily(svc) @@ -1687,7 +1689,7 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe // Check if the custom backend resource was found if unstructuredRef == nil { - return nil, nil, status.NewRouteStatusError( + return emptyDS, nil, status.NewRouteStatusError( fmt.Errorf("custom backend %s %s/%s not found", KindDerefOr(backendRef.Kind, resource.KindService), backendNamespace, 
@@ -1709,11 +1711,11 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe var filtersErr error ds.Filters, filtersErr = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) if filtersErr != nil { - return nil, nil, status.NewRouteStatusError(filtersErr, status.RouteReasonInvalidBackendFilters) + return emptyDS, nil, status.NewRouteStatusError(filtersErr, status.RouteReasonInvalidBackendFilters) } if err := validateDestinationSettings(ds, t.IsEnvoyServiceRouting(envoyProxy), backendRef.Kind); err != nil { - return nil, nil, err + return emptyDS, nil, err } ds.Weight = &weight diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 4dca669f88..80425d9f27 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -647,7 +647,12 @@ func (t *Translator) translateSecurityPolicyForRoute( parentRefs := GetParentReferences(route) routesWithDirectResponse := sets.New[string]() for _, p := range parentRefs { - parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName) + // Skip if this parentRef was not processed by this translator + // (e.g., references a Gateway with a different GatewayClass) + parentRefCtx := route.GetRouteParentContext(p) + if parentRefCtx == nil { + continue + } gtwCtx := parentRefCtx.GetGateway() if gtwCtx == nil { continue 
@@ -1423,15 +1428,42 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources // Discover the token and authorization endpoints from the issuer's well-known url if not explicitly specified. // EG assumes that the issuer url uses the same protocol and CA as the token endpoint. // If we need to support different protocols or CAs, we need to add more fields to the OIDCProvider CRD. - if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil { + var ( + userProvidedAuthorizationEndpoint = ptr.Deref(provider.AuthorizationEndpoint, "") + userProvidedTokenEndpoint = ptr.Deref(provider.TokenEndpoint, "") + userProvidedEndSessionEndpoint = ptr.Deref(provider.EndSessionEndpoint, "") + ) + + // Authorization endpoint and token endpoint are required fields. + // If either of them is not provided, we need to fetch them from the issuer's well-known url. + if userProvidedAuthorizationEndpoint == "" || userProvidedTokenEndpoint == "" { + // Fetch the endpoints from the issuer's well-known url. discoveredConfig, err := t.fetchEndpointsFromIssuer(provider.Issuer, providerTLS) if err != nil { return nil, err } - tokenEndpoint = discoveredConfig.TokenEndpoint - authorizationEndpoint = discoveredConfig.AuthorizationEndpoint - // endSessionEndpoint is optional, and we prioritize using the one provided in the well-known configuration. - if discoveredConfig.EndSessionEndpoint != nil && *discoveredConfig.EndSessionEndpoint != "" { + + // Prioritize using the explicitly provided authorization endpoints if available. + // This allows users to add extra parameters to the authorization endpoint if needed. + if userProvidedAuthorizationEndpoint != "" { + authorizationEndpoint = userProvidedAuthorizationEndpoint + } else { + authorizationEndpoint = discoveredConfig.AuthorizationEndpoint + } + + // Prioritize using the explicitly provided token endpoints if available. 
+ // This may not be necessary, but we do it for consistency with authorization endpoint. + if userProvidedTokenEndpoint != "" { + tokenEndpoint = userProvidedTokenEndpoint + } else { + tokenEndpoint = discoveredConfig.TokenEndpoint + } + + // Prioritize using the explicitly provided end session endpoints if available. + // This may not be necessary, but we do it for consistency with other endpoints. + if userProvidedEndSessionEndpoint != "" { + endSessionEndpoint = &userProvidedEndSessionEndpoint + } else { endSessionEndpoint = discoveredConfig.EndSessionEndpoint } } else { diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index b42fc1539f..19a33e0aed 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -149,7 +149,7 @@ func SetGatewayListenerStatusCondition(gateway *gwapiv1.Gateway, listenerStatusI const ( messageAddressNotAssigned = "No addresses have been assigned to the Gateway" - messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway, the maximum number of addresses is 16" + messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway; only the first 16 are included in the status." messageNoResources = "Envoy replicas unavailable" messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy replicas available" ) @@ -166,7 +166,7 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Objec if len(gw.Status.Addresses) > 16 { gw.Status.Conditions = MergeConditions(gw.Status.Conditions, - newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonInvalid), + newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayReasonProgrammed), fmt.Sprintf(messageFmtTooManyAddresses, len(gw.Status.Addresses)), gw.Generation)) // Truncate the addresses to 16 
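Review bot: The removed guard `discoveredConfig.EndSessionEndpoint != nil && *discoveredConfig.EndSessionEndpoint != ""` has no counterpart in the new else branch, so `endSessionEndpoint = discoveredConfig.EndSessionEndpoint` can now assign nil or a pointer to an empty string taken from the issuer's discovery document. How downstream code treats a non-nil but empty end-session endpoint is outside this hunk, so keeping the check is the safer form: `} else if ep := discoveredConfig.EndSessionEndpoint; ep != nil && *ep != "" { endSessionEndpoint = ep }`. Separately, a user-supplied token endpoint is now kept while discovery still runs, and the comment at the top of the hunk says the issuer and the token endpoint are assumed to share protocol and CA; nothing here checks that for the mixed case, so it is worth documenting or validating. buildOIDCProvider starts and ends outside the hunk.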
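Review bot: The overflow branch in updateGatewayProgrammedCondition now reports `Programmed=True` with reason `Programmed` based only on `len(gw.Status.Addresses) > 16`; no replica availability check is visible before it in this hunk. If the function returns after truncating the addresses (the rest of it is outside the hunk), a Gateway with more than 16 addresses and zero available Envoy replicas would be reported as programmed. The updated test case uses `AvailableReplicas: 1`, so a case with 17 addresses and `AvailableReplicas: 0` would pin the intended behaviour. The literal 16 also appears in both the check and the message constant; a named constant would keep the two in step.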
diff --git a/internal/gatewayapi/status/gateway_test.go b/internal/gatewayapi/status/gateway_test.go index b8d39da0d7..b6b13622a1 100644 --- a/internal/gatewayapi/status/gateway_test.go +++ b/internal/gatewayapi/status/gateway_test.go @@ -377,14 +377,14 @@ func TestUpdateGatewayProgrammedCondition(t *testing.T) { }, }, { - name: "not ready gateway with too many addresses", + name: "ready gateway with too many addresses", serviceAddressNum: 17, deploymentStatus: appsv1.DeploymentStatus{AvailableReplicas: 1}, expectCondition: []metav1.Condition{ { Type: string(gwapiv1.GatewayConditionProgrammed), - Status: metav1.ConditionFalse, - Reason: string(gwapiv1.GatewayReasonInvalid), + Status: metav1.ConditionTrue, + Reason: string(gwapiv1.GatewayReasonProgrammed), Message: fmt.Sprintf(messageFmtTooManyAddresses, 17), }, }, diff --git a/internal/gatewayapi/testdata/grpcroute-with-mixed-invalid-and-valid-backend-refs.in.yaml b/internal/gatewayapi/testdata/grpcroute-with-mixed-invalid-and-valid-backend-refs.in.yaml new file mode 100644 index 0000000000..c7268e9b91 --- /dev/null +++ b/internal/gatewayapi/testdata/grpcroute-with-mixed-invalid-and-valid-backend-refs.in.yaml @@ -0,0 +1,45 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - method: + method: ExampleExact + type: Exact + backendRefs: + - name: service-1 + port: 8080 + - name: service-not-exist + port: 8080 +services: +- apiVersion: v1 + kind: Service + metadata: + name: service-1 + spec: + clusterIP: 7.7.7.7 + ports: + - port: 8080 
diff --git a/internal/gatewayapi/testdata/grpcroute-with-mixed-invalid-and-valid-backend-refs.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-mixed-invalid-and-valid-backend-refs.out.yaml
new file mode 100644
index 0000000000..374daf4fda
--- /dev/null
+++ b/internal/gatewayapi/testdata/grpcroute-with-mixed-invalid-and-valid-backend-refs.out.yaml
@@ -0,0 +1,177 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + name: grpcroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + - name: service-not-exist + port: 8080 + matches: + - method: + method: ExampleExact + type: Exact + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 1: service default/service-not-exist + not found.' 
+ reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: default + name: grpcroute/default/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + name: service-1 + namespace: default + sectionName: "8080" + name: grpcroute/default/grpcroute-1/rule/0/backend/0 + protocol: GRPC + weight: 1 + - name: grpcroute/default/grpcroute-1/rule/0/backend/1 + weight: 1 + headerMatches: + - distinct: false + name: :path + 
suffix: /ExampleExact + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: default + name: grpcroute/default/grpcroute-1/rule/0/match/0/* + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml index 7a73b7b2be..e92e385665 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml @@ -313,8 +313,37 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - directResponse: - statusCode: 500 + - destination: + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0 + settings: + - name: httproute/default/httproute-1/rule/0/backend/0 + weight: 1 + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + metadata: + kind: Backend + name: backend-ip + namespace: default + name: httproute/default/httproute-1/rule/0/backend/1 + protocol: HTTP + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + metadata: + kind: Backend + name: backend-fqdn + namespace: default + name: httproute/default/httproute-1/rule/0/backend/2 + protocol: HTTP + weight: 1 hostname: '*' isHTTP2: false metadata: 
@@ -326,8 +355,26 @@ xdsIR: distinct: false name: "" prefix: /1 - - directResponse: - statusCode: 500 + - destination: + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0 + settings: + - name: httproute/default/httproute-2/rule/0/backend/0 + weight: 1 + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + metadata: + kind: Backend + name: backend-ip + namespace: default + name: httproute/default/httproute-2/rule/0/backend/1 + protocol: HTTP + weight: 1 hostname: '*' isHTTP2: false metadata: @@ -379,8 +426,26 @@ xdsIR: distinct: false name: "" prefix: /3 - - directResponse: - statusCode: 500 + - destination: + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0 + settings: + - name: httproute/default/httproute-3/rule/0/backend/0 + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + metadata: + kind: Backend + name: backend-fqdn + namespace: default + name: httproute/default/httproute-3/rule/0/backend/1 + protocol: HTTP + weight: 1 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/httproute-with-mixed-invalid-and-valid-backend-refs.in.yaml b/internal/gatewayapi/testdata/httproute-with-mixed-invalid-and-valid-backend-refs.in.yaml new file mode 100644 index 0000000000..809ce1c5d8 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-mixed-invalid-and-valid-backend-refs.in.yaml 
@@ -0,0 +1,46 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + type: Exact + value: "/exact" + backendRefs: + - name: service-1 + port: 8080 + weight: 80 + - name: service-not-exist + port: 8080 + weight: 20 +services: +- apiVersion: v1 + kind: Service + metadata: + name: service-1 + spec: + clusterIP: 7.7.7.7 + ports: + - port: 8080 diff --git a/internal/gatewayapi/testdata/httproute-with-mixed-invalid-and-valid-backend-refs.out.yaml b/internal/gatewayapi/testdata/httproute-with-mixed-invalid-and-valid-backend-refs.out.yaml new file mode 100644 index 0000000000..9b76cbe1c2 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-mixed-invalid-and-valid-backend-refs.out.yaml 
@@ -0,0 +1,177 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + weight: 80 + - name: service-not-exist + port: 8080 + weight: 20 + matches: + - path: + type: Exact + value: /exact + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 1: service default/service-not-exist + not found.' 
+ reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + name: service-1 + namespace: default + sectionName: "8080" + name: httproute/default/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 80 + - name: httproute/default/httproute-1/rule/0/backend/1 + weight: 20 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + 
name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact + name: "" + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml index 73fb824935..1196a28cb8 100644 --- a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml @@ -140,8 +140,28 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - directResponse: - statusCode: 500 + - destination: + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0 + settings: + - name: httproute/default/httproute-1/rule/0/backend/0 + weight: 1 + - name: httproute/default/httproute-1/rule/0/backend/1 + weight: 1 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + name: service-1 + namespace: default + sectionName: "8080" + name: httproute/default/httproute-1/rule/0/backend/2 + protocol: HTTP + weight: 1 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml index 4b0c9cc079..788747cd9d 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml @@ -14,6 +14,13 @@ secrets: data: client-secret: Y2xpZW50MTpzZWNyZXQK client-id: Y2xpZW50Mi5vYXV0aC5mb28uY29t +- apiVersion: v1 + kind: Secret + metadata: + namespace: default + name: client3-secret + data: + client-secret: Y2xpZW50MTpzZWNyZXQK - apiVersion: v1 kind: Secret metadata: 
@@ -75,6 +82,25 @@ httpRoutes: backendRefs: - name: service-1 port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-3 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/baz" + backendRefs: + - name: service-1 + port: 8080 securityPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy @@ -130,3 +156,27 @@ securityPolicies: defaultRefreshTokenTTL: 48h cookieDomain: "example.com" disableTokenEncryption: true +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-3 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-3 + oidc: + provider: + issuer: "https://accounts.google.com" + authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth?foo=bar" # custom auth endpoint with query params, should be used as is + clientID: "client1.apps.googleusercontent.com" + clientSecret: + name: "client3-secret" + redirectURL: "https://www.example.com/bar/oauth2/callback" + logoutPath: "/bar/logout" + forwardAccessToken: true + defaultTokenTTL: 30m + refreshToken: true + defaultRefreshTokenTTL: 24h + csrfTokenTTL: 35m diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 69e4a8fc94..c3afcae246 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -15,7 +15,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 3 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -113,6 +113,43 @@ httpRoutes: name: gateway-1 namespace: envoy-gateway sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-3 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /baz + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http infraIR: envoy-gateway/gateway-1: proxy: 
@@ -187,6 +224,47 @@ securityPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + name: policy-for-http-route-3 + namespace: default + spec: + oidc: + clientID: client1.apps.googleusercontent.com + clientSecret: + group: null + kind: null + name: client3-secret + csrfTokenTTL: 35m + defaultRefreshTokenTTL: 24h + defaultTokenTTL: 30m + forwardAccessToken: true + logoutPath: /bar/logout + provider: + authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth?foo=bar + issuer: https://accounts.google.com + redirectURL: https://www.example.com/bar/oauth2/callback + refreshToken: true + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-3 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: @@ -228,7 +306,7 @@ securityPolicies: type: Accepted - lastTransitionTime: null message: 'This policy is being overridden by other securityPolicies for these - routes: [default/httproute-1]' + routes: [default/httproute-1 default/httproute-3]' reason: Overridden status: "True" type: Overridden 
@@ -377,6 +455,55 @@ xdsIR: refreshToken: true scopes: - openid + - destination: + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + name: service-1 + namespace: default + sectionName: "8080" + name: httproute/default/httproute-3/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /baz + security: + oidc: + clientID: client1.apps.googleusercontent.com + clientSecret: '[redacted]' + cookieSuffix: 811c9dc5 + csrfTokenTTL: 35m0s + defaultRefreshTokenTTL: 24h0m0s + defaultTokenTTL: 30m0s + forwardAccessToken: true + hmacSecret: '[redacted]' + logoutPath: /bar/logout + name: securitypolicy/default/policy-for-http-route-3 + provider: + authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth?foo=bar + tokenEndpoint: https://oauth2.googleapis.com/token + redirectPath: /bar/oauth2/callback + redirectURL: https://www.example.com/bar/oauth2/callback + refreshToken: true + scopes: + - openid readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 2e9db1e3cb..2e801c4dec 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -838,6 +838,11 @@ func (h *HTTPRoute) NeedsClusterPerSetting() bool { h.Traffic.LoadBalancer.PreferLocal != nil { return true } + // When the destination has both valid and invalid backend weights, we use weighted clusters to distribute between + // valid backends and the `invalid-backend-cluster` for 500 responses according to their configured weights. + if h.Destination.ToBackendWeights().Invalid > 0 { + return true + } return h.Destination.NeedsClusterPerSetting() } 
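Review bot: In NeedsClusterPerSetting, `h.Destination.ToBackendWeights()` is called without a nil check on `h.Destination`. The existing `h.Destination.NeedsClusterPerSetting()` call suggests these methods may tolerate a nil receiver, but that is not visible in this hunk; if ToBackendWeights does not, a route with no destination (a direct response or redirect) would panic during translation. A guard such as `if h.Destination != nil && h.Destination.ToBackendWeights().Invalid > 0 {` makes the new branch safe either way. The function starts outside the hunk.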
@@ -1655,9 +1660,9 @@ func (r *RouteDestination) ToBackendWeights() *BackendWeights { w.Valid += *s.Weight case s.IsCustomBackend: // Custom backends has no endpoints w.Valid += *s.Weight - case len(s.Endpoints) > 0: + case len(s.Endpoints) > 0: // All other cases should have endpoints w.Valid += *s.Weight - default: + default: // DestinationSetting with no endpoints is considered invalid w.Invalid += *s.Weight } } diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index c57a6411ea..5c9f476f72 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -2490,7 +2490,8 @@ func (r *gatewayAPIReconciler) processGatewayClassParamsRef(ctx context.Context, } ep := new(egv1a1.EnvoyProxy) - nn := types.NamespacedName{Namespace: string(*gc.Spec.ParametersRef.Namespace), Name: gc.Spec.ParametersRef.Name} + ns := ptr.Deref(gc.Spec.ParametersRef.Namespace, "default") + nn := types.NamespacedName{Namespace: string(ns), Name: gc.Spec.ParametersRef.Name} if err := r.client.Get(ctx, nn, ep); err != nil { return fmt.Errorf("failed to find envoyproxy %s/%s for GatewayClass %s: %w", nn.Namespace, nn.Name, gc.Name, err) } diff --git a/internal/provider/kubernetes/helpers.go b/internal/provider/kubernetes/helpers.go index b2b69f513d..26748eb67f 100644 --- a/internal/provider/kubernetes/helpers.go +++ b/internal/provider/kubernetes/helpers.go @@ -12,6 +12,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" 
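Review bot: In processGatewayClassParamsRef, a GatewayClass whose `parametersRef.namespace` is unset now resolves its EnvoyProxy from the `default` namespace via `ptr.Deref(gc.Spec.ParametersRef.Namespace, "default")`, where the old code dereferenced the pointer directly. With that fallback, whoever can create an EnvoyProxy in `default` supplies the data-plane configuration for such a cluster-scoped GatewayClass, which may be a wider set of users than the operator intended. Rejecting the reference is the stricter alternative, e.g. `if gc.Spec.ParametersRef.Namespace == nil { return fmt.Errorf("parametersRef.namespace is required for GatewayClass %s", gc.Name) }`. The same fallback is repeated in classRefsEnvoyProxy and the nil check is dropped from refsEnvoyProxy (helpers.go hunks at -141 and -155), so if the default stays, a shared named constant would keep the call sites aligned. The function starts and ends outside the hunk.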
@@ -141,8 +142,9 @@ func classRefsEnvoyProxy(gc *gwapiv1.GatewayClass, ep *egv1a1.EnvoyProxy) bool { return false } + ns := ptr.Deref(gc.Spec.ParametersRef.Namespace, "default") return refsEnvoyProxy(gc) && - string(*gc.Spec.ParametersRef.Namespace) == ep.Namespace && + string(ns) == ep.Namespace && gc.Spec.ParametersRef.Name == ep.Name } @@ -155,7 +157,6 @@ func refsEnvoyProxy(gc *gwapiv1.GatewayClass) bool { return gc.Spec.ParametersRef != nil && string(gc.Spec.ParametersRef.Group) == egv1a1.GroupVersion.Group && gc.Spec.ParametersRef.Kind == egv1a1.KindEnvoyProxy && - gc.Spec.ParametersRef.Namespace != nil && len(gc.Spec.ParametersRef.Name) > 0 } diff --git a/internal/provider/kubernetes/helpers_test.go b/internal/provider/kubernetes/helpers_test.go index dd7aa92ea4..efe54cb4eb 100644 --- a/internal/provider/kubernetes/helpers_test.go +++ b/internal/provider/kubernetes/helpers_test.go @@ -355,7 +355,7 @@ func TestRefsEnvoyProxy(t *testing.T) { }, }, }, - expect: false, + expect: true, }, } diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 7b16dce317..e87dcb7815 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -726,7 +726,8 @@ func (r *gatewayAPIReconciler) envoyServiceForGateway(ctx context.Context, gatew return &services.Items[0], nil } -// findOwningGateway attempts finds a Gateway using "labels". +// findOwningGateway finds a Gateway using the provided labels. +// Returns the Gateway only if it belongs to this controller, or nil otherwise. func (r *gatewayAPIReconciler) findOwningGateway(ctx context.Context, labels map[string]string) *gwapiv1.Gateway { gwName, ok := labels[gatewayapi.OwningGatewayNameLabel] if !ok { @@ -745,6 +746,10 @@ func (r *gatewayAPIReconciler) findOwningGateway(ctx context.Context, labels map return nil } + if !r.validateGatewayForReconcile(gtw) { + return nil + } + return gtw } 
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 38208eeead..8157614d21 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -6,6 +6,7 @@ package kubernetes import ( + "context" "fmt" "os" "testing" 
@@ -177,6 +178,90 @@ func TestValidateGatewayForReconcile(t *testing.T) { } } +func TestFindOwningGateway(t *testing.T) { + controllerName := gwapiv1.GatewayController("example.com/foo") + otherControllerName := gwapiv1.GatewayController("example.com/bar") + + testCases := []struct { + name string + configs []client.Object + labels map[string]string + expect *gwapiv1.Gateway + }{ + { + name: "returns Gateway when it belongs to this controller", + configs: []client.Object{ + test.GetGatewayClass("test-gc", controllerName, nil), + test.GetGateway(types.NamespacedName{Namespace: "default", Name: "test-gw"}, "test-gc", 8080), + }, + labels: map[string]string{ + gatewayapi.OwningGatewayNameLabel: "test-gw", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }, + expect: test.GetGateway(types.NamespacedName{Namespace: "default", Name: "test-gw"}, "test-gc", 8080), + }, + { + name: "returns nil when Gateway belongs to different controller", + configs: []client.Object{ + test.GetGatewayClass("test-gc", otherControllerName, nil), + test.GetGateway(types.NamespacedName{Namespace: "default", Name: "test-gw"}, "test-gc", 8080), + }, + labels: map[string]string{ + gatewayapi.OwningGatewayNameLabel: "test-gw", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }, + expect: nil, + }, + { + name: "returns nil when Gateway name label is missing", + configs: []client.Object{}, + labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + }, + expect: nil, + }, + { + name: "returns nil when Gateway namespace label is missing", + configs: []client.Object{}, + labels: map[string]string{ + gatewayapi.OwningGatewayNameLabel: "test-gw", + }, + expect: nil, + }, + { + name: "returns nil when Gateway does not exist", + configs: []client.Object{}, + labels: map[string]string{ + gatewayapi.OwningGatewayNameLabel: "non-existent", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }, + expect: nil, + }, + } + + logger := logging.DefaultLogger(os.Stdout, 
egv1a1.LogLevelInfo) + + r := gatewayAPIReconciler{ + classController: controllerName, + log: logger, + } + + for _, tc := range testCases { + r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build() + t.Run(tc.name, func(t *testing.T) { + ctx := context.Background() + res := r.findOwningGateway(ctx, tc.labels) + if tc.expect == nil { + require.Nil(t, res) + } else { + require.NotNil(t, res) + require.Equal(t, tc.expect.Name, res.Name) + require.Equal(t, tc.expect.Namespace, res.Namespace) + } + }) + } +} + // TestValidateConfigMapForReconcile tests the validateConfigMapForReconcile // predicate function. func TestValidateConfigMapForReconcile(t *testing.T) { diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index 054f90bb71..92313ce2eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -8,7 +8,7 @@ edsConfig: ads: {} resourceApiVersion: V3 - serviceName: first-route-dest + serviceName: first-route-dest/backend/0 ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST loadBalancingPolicy: 
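Review bot: TestFindOwningGateway has no case for a Gateway whose GatewayClass object is absent from the fake client, which is another way the new ownership check in findOwningGateway can fail. The cases cover a matching controller, a different controller, missing labels and a missing Gateway. Adding one whose `configs` holds only the `test.GetGateway(...)` object for class `test-gc`, with `expect: nil`, would pin that a Gateway with an unresolvable class is not returned. The expected result is inferred from the doc comment added in predicates.go ("Returns the Gateway only if it belongs to this controller"), so confirm it against validateGatewayForReconcile.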
@@ -19,6 +19,30 @@ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest localityLbConfig: localityWeightedLbConfig: {} - name: first-route-dest + name: first-route-dest/backend/0 + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest/backend/1 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + loadBalancingPolicy: + policies: + - typedExtensionConfig: + name: envoy.load_balancing_policies.least_request + typedConfig: + '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest + localityLbConfig: + localityWeightedLbConfig: {} + name: first-route-dest/backend/1 perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml index 7f8a028132..407ba8414d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml @@ -1,4 +1,4 @@ -- clusterName: first-route-dest +- clusterName: first-route-dest/backend/0 endpoints: - lbEndpoints: - endpoint: @@ -10,6 +10,8 @@ loadBalancingWeight: 1 locality: region: first-route-dest/backend/0 +- clusterName: first-route-dest/backend/1 + endpoints: - loadBalancingWeight: 1 locality: region: first-route-dest/backend/1 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 3271a4f907..7d53f4123f 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -5,11 +5,17 @@ breaking changes: | # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | + Bumped golang.org/x/crypto to the latest patched release to address upstream security fixes. # New features or capabilities added in this release. new features: | bug fixes: | + Owning Gateway resolution now validates the referenced GatewayClass controller to prevent cross-controller mutations. + Treat TooManyAddresses status as programmed so address overflows no longer block provisioning. + Avoid creating skeleton RouteParent status entries for parentRefs belonging to unmanaged GatewayClasses. + Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer's well-known URL. + Fix 500 errors caused by partially invalid BackendRefs; traffic is now correctly routed between valid backends and 500 responses according to their configured weights. # Enhancements that improve performance. performance improvements: | @@ -19,3 +25,5 @@ deprecations: | # Other notable changes not covered by the above sections. Other changes: | + Bumped Gateway API to v1.4.1 + Benchmark CPU sampling now uses a fixed duration for accurate CPU rate calculations. diff --git a/test/benchmark/suite/report.go b/test/benchmark/suite/report.go index f6296d5561..5f005bfdfc 100644 --- a/test/benchmark/suite/report.go +++ b/test/benchmark/suite/report.go @@ -32,6 +32,8 @@ const ( dataPlaneMemQL = `container_memory_working_set_bytes{namespace="envoy-gateway-system", container="envoy"}/1024/1024` dataPlaneCPUQLFormat = `rate(container_cpu_usage_seconds_total{namespace="envoy-gateway-system", container="envoy"}[%DURATIONs])*100` DurationFormatter = "%DURATION" + + benchmarkCPURateWindow = 30 * time.Second ) // BenchmarkMetricSample contains sampled metrics and profiles data. 
@@ -134,8 +136,15 @@ func (r *BenchmarkReport) sampleMetrics(ctx context.Context, sample *BenchmarkMe } // Sample cpu - // Get duration - durationSeconds := int(time.Since(startTime).Seconds()) + // CPU usages is calculated based on the Kubernetes container_cpu_usage_seconds_total counter metric. + // We use a fixed window size of 30s for rate calculation. However, to ensure that we only capture + // metrics during the benchmark run period (and not before), if the benchmark run duration is + // less than the fixed window size, + durationSeconds := int(benchmarkCPURateWindow.Seconds()) + elapsed := time.Since(startTime) + if elapsed < benchmarkCPURateWindow { + durationSeconds = int(elapsed.Seconds()) + } durationStr := fmt.Sprintf("%d", durationSeconds) cpCPUQL := strings.ReplaceAll(controlPlaneCPUQL, DurationFormatter, durationStr) diff --git a/test/e2e/testdata/weighted-backend-mixed-valid-and-invalid.yaml b/test/e2e/testdata/weighted-backend-mixed-valid-and-invalid.yaml new file mode 100644 index 0000000000..d77e8487c4 --- /dev/null +++ b/test/e2e/testdata/weighted-backend-mixed-valid-and-invalid.yaml @@ -0,0 +1,20 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: weight-mixed-valid-and-invalid-http-route + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /mixed-valid-and-invalid + backendRefs: + - name: infra-backend-v1 + port: 8080 + weight: 80 + - name: infra-backend-not-existing + port: 8080 + weight: 20 diff --git a/test/e2e/tests/weighted_backend.go b/test/e2e/tests/weighted_backend.go index fbce5ddc5a..a2e73cf03b 100644 --- a/test/e2e/tests/weighted_backend.go +++ b/test/e2e/tests/weighted_backend.go 
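Review bot: If sampleMetrics runs less than one second after startTime, `int(elapsed.Seconds())` truncates to 0 and the query is built with a `[0s]` range, which Prometheus is expected to reject as a non-positive duration. Clamp it after the `elapsed` branch with `if durationSeconds < 1 { durationSeconds = 1 }`. The new comment also stops mid-sentence after "less than the fixed window size,"; finish it with `// the elapsed run duration is used as the window instead.` and change "CPU usages is" to "CPU usage is". The comment hard-codes "30s" while the value comes from `benchmarkCPURateWindow`, so naming the constant there keeps the two from drifting. The body of sampleMetrics starts and ends outside the hunk.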
@@ -31,6 +31,7 @@ var WeightedBackendTest = suite.ConformanceTest{ "testdata/weighted-backend-all-equal.yaml", "testdata/weighted-backend-bluegreen.yaml", "testdata/weighted-backend-completing-rollout.yaml", + "testdata/weighted-backend-mixed-valid-and-invalid.yaml", }, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("SameWeight", func(t *testing.T) { @@ -57,6 +58,11 @@ var WeightedBackendTest = suite.ConformanceTest{ } runWeightedBackendTest(t, suite, nil, "weight-complete-rollout-http-route", "/complete-rollout", "infra-backend", expected) }) + + t.Run("MixedValidAndInvalid", func(t *testing.T) { + // Requests should be distributed to valid and invalid backends according to their weights + testMixedValidAndInvalid(t, suite) + }) }, } 
@@ -129,3 +135,40 @@ func extractPodNamePrefix(podName, prefix string) string { return podName } + +func testMixedValidAndInvalid(t *testing.T, suite *suite.ConformanceTestSuite) { + weightEqualRoute := types.NamespacedName{Name: "weight-mixed-valid-and-invalid-http-route", Namespace: ConformanceInfraNamespace} + gatewayRef := kubernetes.NewGatewayRef(SameNamespaceGateway) + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, gatewayRef, weightEqualRoute) + + // Make sure all test resources are ready + kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ConformanceInfraNamespace}) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/mixed-valid-and-invalid", + }, + Namespace: ConformanceInfraNamespace, + } + req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") + + var ( + successCount = 0 + failCount = 0 + ) + for range sendRequests { + _, response, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + t.Errorf("failed to get expected response: %v", err) + } + if response.StatusCode == 200 { + successCount++ + } else { + failCount++ + } + } + + if !AlmostEquals(successCount, 40, 3) { // The weight of valid backend is 80%, so the expected success count is 50*80%=40 + t.Errorf("The actual success count is not within the expected range, success %d", successCount) + } +} diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index 63dc101fdd..fcd65f0656 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml 
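Review bot: In testMixedValidAndInvalid the loop calls `t.Errorf` when CaptureRoundTrip returns an error and then still reads `response.StatusCode`. If `response` is nil on error (it looks like a pointer), the test panics instead of reporting a failure. Add `continue` after the `t.Errorf` line, or use `t.Fatalf`. `failCount` is incremented but never asserted, so the test cannot tell 500 responses for the invalid backend from any other non-200 status; checking `response.StatusCode == 500` before counting a failure would pin the behaviour the release note describes. The local `weightEqualRoute` appears to be copied from another test, and the comment's `50*80%=40` assumes `sendRequests` is 50, which is defined outside this hunk.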
@@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -113,6 +113,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -776,6 +782,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1351,6 +1363,8 @@ spec: type: object served: true storage: false + subresources: + status: {} status: acceptedNames: kind: "" @@ -1367,7 +1381,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: 
@@ -1887,7 +1901,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: 
@@ -2831,19 +2845,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -4408,19 +4433,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -5073,7 +5109,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5615,10 +5651,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5690,10 +5730,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5898,10 +5942,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -5973,10 +6021,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6267,10 +6319,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6341,10 +6397,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6548,10 +6608,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6622,10 +6686,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -7323,7 +7391,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -8235,6 +8303,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8273,6 +8342,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8284,6 +8354,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8388,10 +8459,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -8463,10 +8538,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8777,6 +8856,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8824,10 +8906,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8899,10 +8985,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9715,6 +9805,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9753,6 +9844,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -9764,6 +9856,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9865,10 +9958,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9939,10 +10036,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10253,6 +10354,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10299,10 +10403,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -10373,10 +10481,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10710,10 +10822,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12393,6 +12509,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12431,6 +12548,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12442,6 +12560,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12546,10 +12665,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -12621,10 +12744,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12935,6 +13062,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12982,10 +13112,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13057,10 +13191,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13873,6 +14011,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13911,6 +14050,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -13922,6 +14062,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14023,10 +14164,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14097,10 +14242,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14411,6 +14560,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14457,10 +14609,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -14531,10 +14687,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14868,10 +15028,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15669,7 +15833,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: referencegrants.gateway.networking.k8s.io spec: @@ -15864,7 +16028,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tcproutes.gateway.networking.k8s.io spec: 
@@ -16625,7 +16789,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tlsroutes.gateway.networking.k8s.io spec: @@ -18247,7 +18411,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: udproutes.gateway.networking.k8s.io spec: @@ -19008,7 +19172,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -19619,7 +19783,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xlistenersets.gateway.networking.x-k8s.io spec: @@ -20411,7 +20575,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml index 8488d6172f..e84e2dfe9d 100644 
--- a/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml +++ b/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -113,6 +113,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -776,6 +782,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1351,6 +1363,8 @@ spec: type: object served: true storage: false + subresources: + status: {} status: acceptedNames: kind: "" 
@@ -1367,7 +1381,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1887,7 +1901,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: 
@@ -2831,19 +2845,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -4408,19 +4433,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -5073,7 +5109,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5615,10 +5651,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5690,10 +5730,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5898,10 +5942,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -5973,10 +6021,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6267,10 +6319,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6341,10 +6397,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6548,10 +6608,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6622,10 +6686,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -7323,7 +7391,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -8235,6 +8303,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8273,6 +8342,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8284,6 +8354,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8388,10 +8459,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -8463,10 +8538,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8777,6 +8856,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8824,10 +8906,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8899,10 +8985,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9715,6 +9805,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9753,6 +9844,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -9764,6 +9856,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9865,10 +9958,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9939,10 +10036,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10253,6 +10354,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10299,10 +10403,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -10373,10 +10481,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10710,10 +10822,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12393,6 +12509,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12431,6 +12548,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12442,6 +12560,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12546,10 +12665,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -12621,10 +12744,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12935,6 +13062,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12982,10 +13112,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13057,10 +13191,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13873,6 +14011,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13911,6 +14050,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -13922,6 +14062,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14023,10 +14164,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14097,10 +14242,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14411,6 +14560,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14457,10 +14609,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -14531,10 +14687,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14868,10 +15028,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15669,7 +15833,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: referencegrants.gateway.networking.k8s.io spec: @@ -15864,7 +16028,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tcproutes.gateway.networking.k8s.io spec: 
@@ -16625,7 +16789,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tlsroutes.gateway.networking.k8s.io spec: @@ -18247,7 +18411,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: udproutes.gateway.networking.k8s.io spec: @@ -19008,7 +19172,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -19619,7 +19783,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xlistenersets.gateway.networking.x-k8s.io spec: @@ -20411,7 +20575,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml index 8488d6172f..e84e2dfe9d 100644 
--- a/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml +++ b/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -113,6 +113,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -776,6 +782,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1351,6 +1363,8 @@ spec: type: object served: true storage: false + subresources: + status: {} status: acceptedNames: kind: "" 
@@ -1367,7 +1381,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1887,7 +1901,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: 
@@ -2831,19 +2845,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -4408,19 +4433,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -5073,7 +5109,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5615,10 +5651,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5690,10 +5730,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5898,10 +5942,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -5973,10 +6021,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6267,10 +6319,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6341,10 +6397,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6548,10 +6608,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6622,10 +6686,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -7323,7 +7391,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -8235,6 +8303,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8273,6 +8342,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8284,6 +8354,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8388,10 +8459,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -8463,10 +8538,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8777,6 +8856,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8824,10 +8906,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8899,10 +8985,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9715,6 +9805,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9753,6 +9844,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -9764,6 +9856,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9865,10 +9958,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9939,10 +10036,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10253,6 +10354,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10299,10 +10403,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -10373,10 +10481,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10710,10 +10822,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12393,6 +12509,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12431,6 +12548,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12442,6 +12560,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12546,10 +12665,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -12621,10 +12744,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12935,6 +13062,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12982,10 +13112,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13057,10 +13191,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13873,6 +14011,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13911,6 +14050,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: 
@@ -13922,6 +14062,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14023,10 +14164,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14097,10 +14242,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14411,6 +14560,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14457,10 +14609,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -14531,10 +14687,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14868,10 +15028,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15669,7 +15833,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: referencegrants.gateway.networking.k8s.io spec: @@ -15864,7 +16028,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tcproutes.gateway.networking.k8s.io spec: 
@@ -16625,7 +16789,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: tlsroutes.gateway.networking.k8s.io spec: @@ -18247,7 +18411,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: udproutes.gateway.networking.k8s.io spec: @@ -19008,7 +19172,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -19619,7 +19783,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xlistenersets.gateway.networking.x-k8s.io spec: @@ -20411,7 +20575,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml index 5755f48ac9..094c73bb54 100644 
--- a/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml +++ b/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard labels: gateway.networking.k8s.io/policy: Direct @@ -113,6 +113,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -758,6 +764,12 @@ spec: implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource @@ -1315,6 +1327,8 @@ spec: type: object served: false storage: false + subresources: + status: {} status: acceptedNames: kind: "" 
@@ -1331,7 +1345,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1851,7 +1865,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: gateways.gateway.networking.k8s.io spec: @@ -4109,7 +4123,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: grpcroutes.gateway.networking.k8s.io spec: @@ -6184,7 +6198,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: httproutes.gateway.networking.k8s.io spec: @@ -7060,6 +7074,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -7994,6 +8011,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -9869,6 +9889,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10803,6 +10826,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -11832,7 +11858,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.4.1 gateway.networking.k8s.io/channel: standard name: referencegrants.gateway.networking.k8s.io spec: diff --git a/tools/github-actions/reclaim-storage/action.yaml b/tools/github-actions/reclaim-storage/action.yaml new file mode 100644 index 0000000000..6c76cbd4f2 --- /dev/null +++ b/tools/github-actions/reclaim-storage/action.yaml @@ -0,0 +1,8 @@ +name: reclaim-storage +description: Remove unnecessary packages and artifacts from GitHub Actions Runner + +runs: + using: composite + steps: + - shell: bash + run: make reclaim-storage diff --git a/tools/hack/reclaim-storage.sh b/tools/hack/reclaim-storage.sh new file mode 100644 index 0000000000..8747de1307 --- /dev/null +++ b/tools/hack/reclaim-storage.sh @@ -0,0 +1,42 @@ +#!/usr/bin/env bash +set -euo pipefail + +log() { echo "==> $*"; } + +log "Initial disk usage:" +df -h || true + +# Remove large, unused language/tool runtimes +TO_DELETE=( + /usr/local/lib/android + /usr/share/dotnet + /opt/ghc + /usr/local/.ghcup + /usr/share/swift +) + +for path in "${TO_DELETE[@]}"; do + if [ -d "$path" ]; then + log "Removing $path" + sudo rm -rf "$path" + fi +done + +log "Removing large packages..." +EXTRA_PKGS="azure-cli google-chrome-stable firefox powershell mono-devel libgl1-mesa-dri google-cloud-sdk google-cloud-cli" + +sudo apt-get remove -y "$EXTRA_PKGS" --fix-missing || true +sudo apt-get autoremove -y || true +sudo apt-get clean || true + +# Swap removal +if [ -f /mnt/swapfile ]; then + log "Disabling and removing swapfile" + sudo swapoff -a || true + sudo rm -f /mnt/swapfile || true +fi + +log "Final disk usage:" +df -h || true + +log "Completed disk space reclamation." diff --git a/tools/make/kube.mk b/tools/make/kube.mk index ca299763a3..c62a7bc9c3 100644 
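Review bot: In tools/hack/reclaim-storage.sh the package list reaches apt-get as one quoted word, `"$EXTRA_PKGS"`, so apt-get sees a single argument containing spaces instead of eight package names. The command then fails, and the trailing `|| true` hides the failure, so the step most likely removes no packages while the log still reads as a success. Holding the names in an array keeps the quoting safe: `EXTRA_PKGS=(azure-cli google-chrome-stable firefox powershell mono-devel libgl1-mesa-dri google-cloud-sdk google-cloud-cli)` with `sudo apt-get remove -y --fix-missing "${EXTRA_PKGS[@]}" || true`. Separately, `sudo swapoff -a` turns off every swap area although the guard only tests for /mnt/swapfile; `sudo swapoff /mnt/swapfile` would match the check.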
--- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -9,7 +9,7 @@ ENVTEST_K8S_VERSIONS ?= 1.30.3 1.31.0 1.32.0 1.33.0 # GATEWAY_API_VERSION refers to the version of Gateway API CRDs. # For more details, see https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api GATEWAY_API_MINOR_VERSION ?= 1.4 -GATEWAY_API_VERSION ?= v$(GATEWAY_API_MINOR_VERSION).0 +GATEWAY_API_VERSION ?= v$(GATEWAY_API_MINOR_VERSION).1 GATEWAY_API_RELEASE_URL ?= https://github.com/kubernetes-sigs/gateway-api/releases/download/${GATEWAY_API_VERSION} EXPERIMENTAL_GATEWAY_API_RELEASE_URL ?= ${GATEWAY_API_RELEASE_URL}/experimental-install.yaml diff --git a/tools/make/tools.mk b/tools/make/tools.mk index e1bb44c021..69c4ab09f7 100644 --- a/tools/make/tools.mk +++ b/tools/make/tools.mk @@ -55,3 +55,7 @@ tools.clean: # Remove all tools .PHONY: clean clean: ## Remove all files that are created during builds. clean: tools.clean + +.PHONY: reclaim-storage +reclaim-storage: ## Removes unnecessary packages and artifacts from GitHub Actions Runner + bash ./tools/hack/reclaim-storage.sh
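Review bot: The new `reclaim-storage` target in tools/make/tools.mk has a `##` help comment and no guard, so running `make reclaim-storage` on a developer machine would `sudo rm -rf` /usr/share/dotnet, /opt/ghc and the other listed directories and uninstall browsers and cloud CLIs. A check at the top of tools/hack/reclaim-storage.sh that it is running on a hosted runner would contain this, for example `[ "${GITHUB_ACTIONS:-}" = "true" ] || { echo "refusing to run outside GitHub Actions" >&2; exit 1; }`. That the `##` comment is what lists a target in this repository's help output is inferred from the neighbouring `clean` target, not shown in the hunk.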