Documentation
¶
Overview ¶
Package v2 contains API Schema definitions for the gateway v2 API group +kubebuilder:object:generate=true +groupName=gateway.kyma-project.io
Index ¶
- Constants
- Variables
- func ConvertHttpMethodsToStrings(methods []HttpMethod) []string
- func FindServiceNamespace(apiRule *APIRule, rule Rule) (string, error)
- type APIRule
- type APIRuleList
- type APIRuleSpec
- type APIRuleStatus
- type CorsPolicy
- type ExtAuth
- type Host
- type HttpMethod
- type JwtAuthentication
- type JwtAuthorization
- type JwtConfig
- type JwtHeader
- type PodSelector
- type Request
- type Rule
- type Service
- type State
- type StringMatch
- type Timeout
Constants ¶
const ( Regex = "regex" Exact = "exact" Prefix = "prefix" )
const (
OriginalVersionAnnotation = "gateway.kyma-project.io/original-version"
)
Variables ¶
var ( // GroupVersion is group version used to register these objects GroupVersion = schema.GroupVersion{Group: "gateway.kyma-project.io", Version: "v2"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} // AddToScheme adds the types in this group-version to the given scheme. AddToScheme = SchemeBuilder.AddToScheme )
Functions ¶
func ConvertHttpMethodsToStrings ¶
func ConvertHttpMethodsToStrings(methods []HttpMethod) []string
Types ¶
type APIRule ¶
type APIRule struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Defines the desired state of the APIRule.
// +kubebuilder:validation:Required
Spec APIRuleSpec `json:"spec"`
// Describes the observed status of the APIRule.
Status APIRuleStatus `json:"status,omitempty"`
}
APIRule is the schema for APIRule APIs. +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:categories={kyma-api-gateway} +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state" +kubebuilder:printcolumn:name="Hosts",type="string",JSONPath=".spec.hosts"
func (*APIRule) ConvertFrom ¶
func (ruleV2 *APIRule) ConvertFrom(hub conversion.Hub) error
ConvertFrom converts from the Hub version (v2alpha1) into this APIRule (v2).
func (*APIRule) ConvertTo ¶
func (ruleV2 *APIRule) ConvertTo(hub conversion.Hub) error
ConvertTo converts this APIRule (v2) to the Hub version (v2alpha1).
func (*APIRule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIRule.
func (*APIRule) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*APIRule) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type APIRuleList ¶
type APIRuleList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []APIRule `json:"items"`
}
APIRuleList contains a list of APIRules
func (*APIRuleList) DeepCopy ¶
func (in *APIRuleList) DeepCopy() *APIRuleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIRuleList.
func (*APIRuleList) DeepCopyInto ¶
func (in *APIRuleList) DeepCopyInto(out *APIRuleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*APIRuleList) DeepCopyObject ¶
func (in *APIRuleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type APIRuleSpec ¶
type APIRuleSpec struct {
// Specifies the Service’s communication address for inbound external traffic.
// The following formats are supported:
// - A fully qualified domain name (FQDN) with at least two domain labels separated by dots. Each label must consist of lowercase alphanumeric characters or '-',
// and must start and end with a lowercase alphanumeric character. For example, `my-example.domain.com`, or `example.com`.
// - One lowercase RFC 1123 label (referred to as short host name) that must consist of lowercase alphanumeric characters or '-', and must start and end with a lowercase alphanumeric character. For example, `my-host`.
// If you define a single label, the domain name is taken from the Gateway referenced in the APIRule. In this case, the Gateway must provide the same single host for all Server definitions
// and it must be prefixed with `*.`. Otherwise, the validation fails.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=1
Hosts []*Host `json:"hosts"`
// Specifies the backend Service that receives traffic. The Service can be deployed inside the cluster.
// If you don't define a Service at the **spec.service** level, each defined rule must
// specify a Service at the **spec.rules.service** level. Otherwise, the validation fails.
// +optional
Service *Service `json:"service,omitempty"`
// Specifies the Istio Gateway. The field must reference an existing Gateway in the cluster.
// Provide the Gateway in the format `namespace/gateway`.
// Both the namespace and the Gateway name cannot be longer than 63 characters each.
// +kubebuilder:validation:MaxLength=127
// +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)$')`,message="Gateway must be in the namespace/name format"
Gateway *string `json:"gateway"`
// Allows configuring CORS headers sent with the response. If **corsPolicy** is not defined, the CORS headers are removed from the response.
// +optional
CorsPolicy *CorsPolicy `json:"corsPolicy,omitempty"`
/* Defines an ordered list of access rules. Each rule is an atomic configuration that
defines how to access a specific HTTP path. A rule consists of a path
pattern, one or more allowed HTTP methods, exactly one access strategy (**jwt**, **extAuth**,
or **noAuth**), and other optional configuration fields. */
// +kubebuilder:validation:MinItems=1
Rules []Rule `json:"rules"`
// Specifies the timeout for HTTP requests in seconds for all rules.
// You can override the value for each rule. If no timeout is specified, the default timeout of 180 seconds applies.
// +optional
Timeout *Timeout `json:"timeout,omitempty"`
}
**APIRuleSpec** defines the desired state of the APIRule.
func (*APIRuleSpec) DeepCopy ¶
func (in *APIRuleSpec) DeepCopy() *APIRuleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIRuleSpec.
func (*APIRuleSpec) DeepCopyInto ¶
func (in *APIRuleSpec) DeepCopyInto(out *APIRuleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type APIRuleStatus ¶
type APIRuleStatus struct {
// Represents the last time the APIRule status was processed.
LastProcessedTime metav1.Time `json:"lastProcessedTime,omitempty"`
// Defines the reconciliation state of the APIRule.
// The possible states are `Processing`, `Deleting`, `Ready`, `Error`, or `Warning`,
// matching the enum validation on this field.
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=Processing;Deleting;Ready;Error;Warning
State State `json:"state"`
// Contains the description of the APIRule's status.
Description string `json:"description,omitempty"`
}
Describes the observed status of the APIRule.
func (*APIRuleStatus) ApiRuleStatusVersion ¶
func (s *APIRuleStatus) ApiRuleStatusVersion() versions.Version
func (*APIRuleStatus) DeepCopy ¶
func (in *APIRuleStatus) DeepCopy() *APIRuleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIRuleStatus.
func (*APIRuleStatus) DeepCopyInto ¶
func (in *APIRuleStatus) DeepCopyInto(out *APIRuleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CorsPolicy ¶
type CorsPolicy struct {
// Lists headers allowed with the **Access-Control-Allow-Headers** CORS header.
AllowHeaders []string `json:"allowHeaders,omitempty"`
// Lists methods allowed with the **Access-Control-Allow-Methods** CORS header.
AllowMethods []string `json:"allowMethods,omitempty"`
// Lists origins allowed with the **Access-Control-Allow-Origin** CORS header.
// Keep the match as narrow as the clients require: an origin match that is broader than intended
// (for example a loose prefix or regex, if StringMatch accepts those here — confirm) allows every
// matching site to read responses cross-origin.
AllowOrigins StringMatch `json:"allowOrigins,omitempty"`
// Indicates whether credentials are allowed in the **Access-Control-Allow-Credentials** CORS header.
// When this is `true`, every origin matched by **allowOrigins** can send credentialed cross-origin
// requests and read the responses, so pair it only with an explicit set of trusted origins.
AllowCredentials *bool `json:"allowCredentials,omitempty"`
// Lists headers exposed with the **Access-Control-Expose-Headers** CORS header.
ExposeHeaders []string `json:"exposeHeaders,omitempty"`
// Specifies the maximum age of CORS policy cache. The value is provided in the **Access-Control-Max-Age** CORS header.
// +kubebuilder:validation:Minimum=1
MaxAge *uint64 `json:"maxAge,omitempty"`
}
Allows configuring CORS headers sent with the response. If **corsPolicy** is not defined, the CORS headers are removed from the response.
func (*CorsPolicy) DeepCopy ¶
func (in *CorsPolicy) DeepCopy() *CorsPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CorsPolicy.
func (*CorsPolicy) DeepCopyInto ¶
func (in *CorsPolicy) DeepCopyInto(out *CorsPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ExtAuth ¶
type ExtAuth struct {
// Specifies the names of the external authorization handlers. At least one name is required.
// NOTE(review): how a name is resolved to a handler is not visible in this package's docs — confirm
// that a name with no matching handler is rejected rather than silently ignored.
// +kubebuilder:validation:MinItems=1
ExternalAuthorizers []string `json:"authorizers"`
// Specifies JWT configuration for the external authorization handler.
// +optional
Restrictions *JwtConfig `json:"restrictions,omitempty"`
}
**ExtAuth** contains configuration for paths that use external authorization.
func (*ExtAuth) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtAuth.
func (*ExtAuth) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Host ¶
type Host string
The host is the URL of the exposed Service. Lowercase RFC 1123 labels and FQDN are supported. +kubebuilder:validation:MaxLength=255 +kubebuilder:validation:XValidation:rule=`self.matches('^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:(?:\\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?:\\.[a-z0-9]{2,63}))?$')`,message="Host must be a lowercase RFC 1123 label (must consist of lowercase alphanumeric characters or '-', and must start and end with an lowercase alphanumeric character) or a fully qualified domain name"
type HttpMethod ¶
type HttpMethod string
HttpMethod specifies the HTTP request method. The list of supported methods is defined in [RFC 9110: HTTP Semantics](https://www.rfc-editor.org/rfc/rfc9110.html) and [RFC 5789: PATCH Method for HTTP](https://www.rfc-editor.org/rfc/rfc5789.html). +kubebuilder:validation:Enum=GET;HEAD;POST;PUT;DELETE;CONNECT;OPTIONS;TRACE;PATCH
type JwtAuthentication ¶
type JwtAuthentication struct {
// Identifies the issuer that issued the JWT. The value must be a URL.
// Although HTTP is allowed, it is recommended that you use only HTTPS endpoints.
Issuer string `json:"issuer"`
// Contains the URL of the provider’s public key set to validate the signature of the JWT.
// The value must be a URL. Although HTTP is allowed, it is recommended that you use only HTTPS endpoints.
// The keys served at this URL decide which token signatures are accepted. Over plain HTTP the key set
// has no integrity protection in transit, so the signature check is only as trustworthy as the network path.
JwksUri string `json:"jwksUri"`
// Specifies the list of headers from which the JWT token is extracted.
// +optional
FromHeaders []*JwtHeader `json:"fromHeaders,omitempty"`
// Specifies the list of parameters from which the JWT token is extracted.
// NOTE(review): presumably these are URL query parameters — confirm. Tokens carried in URLs commonly
// end up in access logs, browser history, and Referer headers, so prefer **fromHeaders** where clients allow it.
// +optional
FromParams []string `json:"fromParams,omitempty"`
}
Specifies the list of Istio JWT authentication objects.
func (*JwtAuthentication) DeepCopy ¶
func (in *JwtAuthentication) DeepCopy() *JwtAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtAuthentication.
func (*JwtAuthentication) DeepCopyInto ¶
func (in *JwtAuthentication) DeepCopyInto(out *JwtAuthentication)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JwtAuthorization ¶
type JwtAuthorization struct {
// Specifies the list of required scope values for the JWT.
// +optional
RequiredScopes []string `json:"requiredScopes,omitempty"`
// Specifies the list of audiences required for the JWT.
// +optional
Audiences []string `json:"audiences,omitempty"`
}
Specifies the list of Istio JWT authorization objects.
func (*JwtAuthorization) DeepCopy ¶
func (in *JwtAuthorization) DeepCopy() *JwtAuthorization
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtAuthorization.
func (*JwtAuthorization) DeepCopyInto ¶
func (in *JwtAuthorization) DeepCopyInto(out *JwtAuthorization)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*JwtAuthorization) HasRequiredScopes ¶
func (a *JwtAuthorization) HasRequiredScopes() bool
type JwtConfig ¶
type JwtConfig struct {
// Specifies the list of authentication objects.
Authentications []*JwtAuthentication `json:"authentications,omitempty"`
// Specifies the list of authorization objects.
Authorizations []*JwtAuthorization `json:"authorizations,omitempty"`
}
Configures Istio JWT authentication and authorization. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*JwtConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtConfig.
func (*JwtConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*JwtConfig) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*JwtConfig) GetObjectKind ¶
func (j *JwtConfig) GetObjectKind() schema.ObjectKind
type JwtHeader ¶
type JwtHeader struct {
// Specifies the name of the header from which the JWT token is extracted.
Name string `json:"name"`
// Specifies the prefix used before the JWT token. The default is `Bearer`.
// +optional
Prefix string `json:"prefix,omitempty"`
}
Specifies the header from which the JWT token is extracted.
func (*JwtHeader) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtHeader.
func (*JwtHeader) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSelector ¶
type PodSelector struct {
Selector *apiv1beta1.WorkloadSelector
Namespace string
}
PodSelector represents a service workload selector for a pod and the namespace of the service. +k8s:deepcopy-gen=false
func GetSelectorFromService ¶
type Request ¶
type Request struct {
// Specifies a list of cookie key-value pairs, that are forwarded inside the Cookie header.
// +optional
Cookies map[string]string `json:"cookies,omitempty"`
// Specifies a list of header key-value pairs that are forwarded as header=value to the target workload.
// +optional
Headers map[string]string `json:"headers,omitempty"`
}
func (*Request) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Request.
func (*Request) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Rule ¶
type Rule struct {
// Specifies the path on which the Service is exposed. The supported configurations are:
// - Exact path (e.g. /abc) - matches the specified path exactly.
// - The `{*}` operator (for example, `/foo/{*}` or `/foo/{*}/bar`) - matches
// any request that matches the pattern with exactly one path segment in the operator's place.
// - The `{**}` operator (for example, `/foo/{**}` or `/foo/{**}/bar`) -
// matches any request that matches the pattern with zero or more path segments in the operator's place.
// The `{**}` operator must be the last operator in the path.
// - The wildcard path `/*` - matches all paths. Equivalent to the `/{**}` path.
// The value might contain the operators `{*}` and/or `{**}`. It can also be a wildcard match `/*`.
// For more information, see [Ordering Rules in APIRule v2](https://kyma-project.io/external-content/api-gateway/docs/user/custom-resources/apirule/04-20-significance-of-rule-path-and-method-order.html).
// +kubebuilder:validation:Pattern=`^((\/([A-Za-z0-9-._~!$&'()+,;=:@]|%[0-9a-fA-F]{2})*)|(\/\{\*{1,2}\}))+$|^\/\*$`
Path string `json:"path"`
// Specifies the backend Service that receives traffic. The Service must be deployed inside the cluster.
// If you don't define a Service at the **spec.service** level, each defined rule must
// specify a Service at the **spec.rules.service** level. Otherwise, the validation fails.
// +optional
Service *Service `json:"service,omitempty"`
// Specifies the list of HTTP request methods available for spec.rules.path.
// The list of supported methods is defined in [RFC 9110: HTTP Semantics](https://www.rfc-editor.org/rfc/rfc9110.html)
// and [RFC 5789: PATCH Method for HTTP](https://www.rfc-editor.org/rfc/rfc5789.html).
// +kubebuilder:validation:MinItems=1
Methods []HttpMethod `json:"methods"`
// Disables authorization when set to `true`.
// NOTE(review): presumably requests matching this rule are then forwarded without JWT or external
// authorization checks — confirm. The validation rule on this type counts **noAuth** only when it is
// `true` and requires exactly one of **noAuth**, **jwt**, or **extAuth** per rule.
// Rules listed earlier take priority, so review any broad path (`/*`, `{**}`) that sets **noAuth**
// ahead of a narrower rule that is meant to be protected.
// +optional
NoAuth *bool `json:"noAuth"`
// Specifies the Istio JWT configuration.
// +optional
Jwt *JwtConfig `json:"jwt,omitempty"`
// Specifies the external authorization configuration.
// +optional
ExtAuth *ExtAuth `json:"extAuth,omitempty"`
// Specifies the timeout, in seconds, for HTTP requests made to spec.rules.path.
// Timeout definitions set at this level take precedence over any timeout defined
// at the spec.timeout level. The maximum timeout is limited to 3900 seconds (65 minutes).
// +optional
Timeout *Timeout `json:"timeout,omitempty"`
// Defines request modification rules, which are applied before forwarding the request to the target workload.
// +optional
Request *Request `json:"request,omitempty"`
}
Defines an ordered list of access rules. Each rule is an atomic access configuration that defines how to access a specific HTTP path. A rule consists of a path pattern, one or more allowed HTTP methods, exactly one access strategy (`jwt`, `extAuth`, or `noAuth`), and other optional configuration fields. The order of rules in the APIRule CR is important. Rules defined earlier in the list have a higher priority than those defined later. +kubebuilder:validation:XValidation:rule="((has(self.extAuth)?1:0)+(has(self.jwt)?1:0)+((has(self.noAuth)&&self.noAuth==true)?1:0))==1",message="One of the following fields must be set: noAuth, jwt, extAuth"
func (*Rule) AppliesToAllPaths ¶
AppliesToAllPaths returns true if the rule applies to all paths of the service.
func (*Rule) ContainsAccessStrategyJwt ¶
func (*Rule) ContainsNoAuth ¶
func (*Rule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Service ¶
type Service struct {
// Specifies the name of the exposed Service.
Name *string `json:"name"`
// Specifies the namespace of the exposed Service.
// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
// +optional
Namespace *string `json:"namespace,omitempty"`
// Specifies the communication port of the exposed Service.
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
Port *uint32 `json:"port"`
// Specifies if the Service is internal (deployed in the cluster) or external.
// +optional
IsExternal *bool `json:"external,omitempty"`
}
Specifies the backend Service that receives traffic. The Service must be deployed inside the cluster. If you don't define a Service at the **spec.service** level, each defined rule must specify a Service at the **spec.rules.service** level. Otherwise, the validation fails.
func (*Service) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Service.
func (*Service) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type State ¶
type State string
Defines the reconciliation state of the APIRule.
const ( // The APIRule's reconciliation is finished. Ready State = "Ready" // The APIRule is being created or updated. Processing State = "Processing" // An error occurred during reconciliation. Error State = "Error" // The APIRule is being deleted. Deleting State = "Deleting" // The APIRule is misconfigured. Warning State = "Warning" )
type StringMatch ¶
Describes how to match a given string in HTTP headers. See [StringMatch](https://istio.io/latest/docs/reference/config/networking/virtual-service/#StringMatch).
func (StringMatch) DeepCopy ¶
func (in StringMatch) DeepCopy() StringMatch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch.
func (StringMatch) DeepCopyInto ¶
func (in StringMatch) DeepCopyInto(out *StringMatch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (StringMatch) ToIstioStringMatchArray ¶
func (s StringMatch) ToIstioStringMatchArray() (out []*v1beta1.StringMatch)
type Timeout ¶
type Timeout uint16 // We use uint16 instead of a time.Duration because there is a bug with duration that requires additional validation of the format. See issue: https://github.com/kubernetes/apiextensions-apiserver/issues/56
Specifies the timeout for HTTP requests in seconds for all rules. You can override the value for each rule. If no timeout is specified, the default timeout of 180 seconds applies. +kubebuilder:validation:Minimum=1 +kubebuilder:validation:Maximum=3900