我的书签
添加书签
移除书签Traefik & Kubernetes with Gateway API
The Kubernetes Gateway API, The Experimental Way.
Gateway API is the evolution of Kubernetes APIs that relate to Services, such as Ingress. The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
The Kubernetes Gateway provider is a Traefik implementation of the Gateway API specifications from the Kubernetes Special Interest Groups (SIGs).
This provider is proposed as an experimental feature and partially supports the Gateway API v0.3.0 specification.
Enabling The Experimental Kubernetes Gateway Provider
Since this provider is still experimental, it needs to be activated in the experimental section of the static configuration.
File (YAML)
experimental:kubernetesGateway: trueproviders:kubernetesGateway: {}#...
File (TOML)
[experimental]kubernetesGateway = true[providers.kubernetesGateway]#...
CLI
--experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
Configuration Requirements
All Steps for a Successful Deployment
- Add/update the Kubernetes Gateway API definitions.
- Add/update the RBAC for the Traefik custom resources.
- Add all needed Kubernetes Gateway API resources.
Examples
Kubernetes Gateway Provider Basic Example
Gateway API
---kind: GatewayClassapiVersion: networking.x-k8s.io/v1alpha1metadata:name: my-gateway-classspec:controller: traefik.io/gateway-controller---kind: GatewayapiVersion: networking.x-k8s.io/v1alpha1metadata:name: my-gatewayspec:gatewayClassName: my-gateway-classlisteners:- protocol: HTTPSport: 443tls:certificateRef:group: "core"kind: "Secret"name: "mysecret"routes:kind: HTTPRouteselector:matchLabels:app: foo---kind: HTTPRouteapiVersion: networking.x-k8s.io/v1alpha1metadata:name: http-app-1namespace: defaultlabels:app: foospec:hostnames:- "whoami"rules:- matches:- path:type: Exactvalue: /fooforwardTo:- serviceName: whoamiport: 80weight: 1
Whoami Service
---kind: DeploymentapiVersion: apps/v1metadata:name: whoamispec:replicas: 2selector:matchLabels:app: whoamitemplate:metadata:labels:app: whoamispec:containers:- name: whoamiimage: traefik/whoami---apiVersion: v1kind: Servicemetadata:name: whoamispec:ports:- protocol: TCPport: 80selector:app: whoami
Traefik Service
---apiVersion: v1kind: ServiceAccountmetadata:name: traefik-controller---kind: DeploymentapiVersion: apps/v1metadata:name: traefikspec:replicas: 1selector:matchLabels:app: traefik-lbtemplate:metadata:labels:app: traefik-lbspec:serviceAccountName: traefik-controllercontainers:- name: traefikimage: traefik/traefik:latestimagePullPolicy: IfNotPresentargs:- --entrypoints.web.address=:80- --entrypoints.websecure.address=:443- --experimental.kubernetesgateway- --providers.kubernetesgatewayports:- name: webcontainerPort: 80- name: websecurecontainerPort: 443---apiVersion: v1kind: Servicemetadata:name: traefikspec:selector:app: traefik-lbports:- protocol: TCPport: 80targetPort: webname: web- protocol: TCPport: 443targetPort: websecurename: websecuretype: LoadBalancer
Gateway API CRDs
# All resources definition must be declared---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.5.0creationTimestamp: nullname: gatewayclasses.networking.x-k8s.iospec:group: networking.x-k8s.ionames:categories:- gateway-apikind: GatewayClasslistKind: GatewayClassListplural: gatewayclassesshortNames:- gcsingular: gatewayclassscope: Clusterversions:- additionalPrinterColumns:- jsonPath: .spec.controllername: Controllertype: string- jsonPath: .metadata.creationTimestampname: Agetype: datename: v1alpha1schema:openAPIV3Schema:description: "GatewayClass describes a class of Gateways available to theuser for creating Gateway resources. \n GatewayClass is a Cluster levelresource."properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: Spec defines the desired state of GatewayClass.properties:controller:description: "Controller is a domain/path string that indicates thecontroller that is managing Gateways of this class. \n Example:\"acme.io/gateway-controller\". \n This field is not mutable andcannot be empty. \n The format of this field is DOMAIN \"/\" PATH,where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\n Support: Core"maxLength: 253type: stringparametersRef:description: "ParametersRef is a reference to a resource that containsthe configuration parameters corresponding to the GatewayClass.This is optional if the controller does not require any additionalconfiguration. \n ParametersRef can reference a standard Kubernetesresource, i.e. ConfigMap, or an implementation-specific custom resource.The resource can be cluster-scoped or namespace-scoped. \n If thereferent cannot be found, the GatewayClass's \"InvalidParameters\"status condition will be true. \n Support: Custom"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringnamespace:description: Namespace is the namespace of the referent. Thisfield is required when scope is set to "Namespace" and ignoredwhen scope is set to "Cluster".maxLength: 253minLength: 1type: stringscope:default: Clusterdescription: Scope represents if the referent is a Cluster orNamespace scoped resource. This may be set to "Cluster" or "Namespace".enum:- Cluster- Namespacetype: stringrequired:- group- kind- nametype: objectrequired:- controllertype: objectstatus:default:conditions:- lastTransitionTime: "1970-01-01T00:00:00Z"message: Waiting for controllerreason: Waitingstatus: "False"type: Admitteddescription: Status defines the current state of GatewayClass.properties:conditions:default:- lastTransitionTime: "1970-01-01T00:00:00Z"message: Waiting for controllerreason: Waitingstatus: "False"type: Admitteddescription: "Conditions is the current status from the controllerfor this GatewayClass. \n Controllers should prefer to publish conditionsusing values of GatewayClassConditionType for the type of each Condition."items:description: "Condition contains details for one aspect of the currentstate of this API Resource. --- This struct is intended for directuse as an array at the field path .status.conditions. For example,type FooStatus struct{ // Represents the observations of afoo's current state. // Known .status.conditions.type are:\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type\ // +patchStrategy=merge // +listType=map // +listMapKey=type\ Conditions []metav1.Condition `json:\"conditions,omitempty\"patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n // other fields }"properties:lastTransitionTime:description: lastTransitionTime is the last time the conditiontransitioned from one status to another. This should be whenthe underlying condition changed. If that is not known, thenusing the time when the API field changed is acceptable.format: date-timetype: stringmessage:description: message is a human readable message indicatingdetails about the transition. This may be an empty string.maxLength: 32768type: stringobservedGeneration:description: observedGeneration represents the .metadata.generationthat the condition was set based upon. For instance, if .metadata.generationis currently 12, but the .status.conditions[x].observedGenerationis 9, the condition is out of date with respect to the currentstate of the instance.format: int64minimum: 0type: integerreason:description: reason contains a programmatic identifier indicatingthe reason for the condition's last transition. Producersof specific condition types may define expected values andmeanings for this field, and whether the values are considereda guaranteed API. The value should be a CamelCase string.This field may not be empty.maxLength: 1024minLength: 1pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$type: stringstatus:description: status of the condition, one of True, False, Unknown.enum:- "True"- "False"- Unknowntype: stringtype:description: type of condition in CamelCase or in foo.example.com/CamelCase.--- Many .condition.type values are consistent across resourceslike Available, but because arbitrary conditions can be useful(see .node.status.conditions), the ability to deconflict isimportant. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)maxLength: 316pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$type: stringrequired:- lastTransitionTime- message- reason- status- typetype: objectmaxItems: 8type: arrayx-kubernetes-list-map-keys:- typex-kubernetes-list-type: maptype: objecttype: objectserved: truestorage: truesubresources:status: {}status:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.5.0creationTimestamp: nullname: gateways.networking.x-k8s.iospec:group: networking.x-k8s.ionames:categories:- gateway-apikind: GatewaylistKind: GatewayListplural: gatewaysshortNames:- gtwsingular: gatewayscope: Namespacedversions:- additionalPrinterColumns:- jsonPath: .spec.gatewayClassNamename: Classtype: string- jsonPath: .metadata.creationTimestampname: Agetype: datename: v1alpha1schema:openAPIV3Schema:description: "Gateway represents an instantiation of a service-traffic handlinginfrastructure by binding Listeners to a set of IP addresses. \n Implementationsshould add the `gateway-exists-finalizer.networking.x-k8s.io` finalizeron the associated GatewayClass whenever Gateway(s) is running. This ensuresthat a GatewayClass associated with a Gateway(s) is not deleted while inuse."properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: Spec defines the desired state of Gateway.properties:addresses:description: "Addresses requested for this gateway. This is optionaland behavior can depend on the GatewayClass. If a value is set inthe spec and the requested address is invalid, the GatewayClassMUST indicate this in the associated entry in GatewayStatus.Addresses.\n If no Addresses are specified, the GatewayClass may schedulethe Gateway in an implementation-defined manner, assigning an appropriateset of Addresses. \n The GatewayClass MUST bind all Listeners toevery GatewayAddress that it assigns to the Gateway. \n Support:Core"items:description: GatewayAddress describes an address that can be boundto a Gateway.properties:type:default: IPAddressdescription: "Type of the address. \n Support: Extended"enum:- IPAddress- NamedAddresstype: stringvalue:description: "Value of the address. The validity of the valueswill depend on the type and support by the controller. \nExamples: `1.2.3.4`, `128::1`, `my-ip-address`."maxLength: 253minLength: 1type: stringrequired:- valuetype: objectmaxItems: 16type: arraygatewayClassName:description: GatewayClassName used for this Gateway. This is the nameof a GatewayClass resource.maxLength: 253minLength: 1type: stringlisteners:description: "Listeners associated with this Gateway. Listeners definelogical endpoints that are bound on this Gateway's addresses. Atleast one Listener MUST be specified. \n An implementation MAY groupListeners by Port and then collapse each group of Listeners intoa single Listener if the implementation determines that the Listenersin the group are \"compatible\". An implementation MAY also grouptogether and collapse compatible Listeners belonging to differentGateways. \n For example, an implementation might consider Listenersto be compatible with each other if all of the following conditionsare met: \n 1. Either each Listener within the group specifies the\"HTTP\" Protocol or each Listener within the group specifieseither the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listenerwithin the group specifies a Hostname that is unique within thegroup. \n 3. As a special case, one Listener within a group mayomit Hostname, in which case this Listener matches when no otherListener matches. \n If the implementation does collapse compatibleListeners, the hostname provided in the incoming client requestMUST be matched to a Listener to find the correct set of Routes.The incoming hostname MUST be matched using the Hostname field foreach Listener in order of most to least specific. That is, exactmatches must be processed before wildcard matches. \n If this fieldspecifies multiple Listeners that have the same Port value but arenot compatible, the implementation must raise a \"Conflicted\" conditionin the Listener status. \n Support: Core"items:description: Listener embodies the concept of a logical endpointwhere a Gateway can accept network connections. Each listenerin a Gateway must have a unique combination of Hostname, Port,and Protocol. This will be enforced by a validating webhook.properties:hostname:description: "Hostname specifies the virtual hostname to matchfor protocol types that define this concept. When unspecified,\"\", or `*`, all hostnames are matched. This field can beomitted for protocols that don't require hostname based matching.\n Hostname is the fully qualified domain name of a networkhost, as defined by RFC 3986. Note the following deviationsfrom the \"host\" part of the URI as defined in the RFC: \n1. IP literals are not allowed. 2. The `:` delimiter is notrespected because ports are not allowed. \n Hostname can be\"precise\" which is a domain name without the terminatingdot of a network host (e.g. \"foo.example.com\") or \"wildcard\",which is a domain name prefixed with a single wildcard label(e.g. `*.example.com`). The wildcard character `*` must appearby itself as the first DNS label and matches only a singlelabel. \n Support: Core"maxLength: 253minLength: 1type: stringport:description: "Port is the network port. Multiple listeners mayuse the same port, subject to the Listener compatibility rules.\n Support: Core"format: int32maximum: 65535minimum: 1type: integerprotocol:description: "Protocol specifies the network protocol this listenerexpects to receive. The GatewayClass MUST apply the Hostnamematch appropriately for each protocol: \n * For the \"TLS\"protocol, the Hostname match MUST be applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3)\ server name offered by the client. * For the \"HTTP\" protocol,the Hostname match MUST be applied to the host portion ofthe [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)\ or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)* For the \"HTTPS\" protocol, the Hostname match MUST be appliedat both the TLS and HTTP protocol layers. \n Support: Core"type: stringroutes:description: "Routes specifies a schema for associating routeswith the Listener using selectors. A Route is a resource capableof servicing a request and allows a cluster operator to exposea cluster resource (i.e. Service) by externally-reachableURL, load-balance traffic and terminate SSL/TLS. Typically,a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\",however, an implementation may support other types of resources.\n The Routes selector MUST select a set of objects that arecompatible with the application protocol specified in theProtocol field. \n Although a client request may technicallymatch multiple route rules, only one rule may ultimately receivethe request. Matching precedence MUST be determined in orderof the following criteria: \n * The most specific match. Forexample, the most specific HTTPRoute match is determinedby the longest matching combination of hostname and path.* The oldest Route based on creation timestamp. For example,a Route with a creation timestamp of \"2020-09-08 01:02:03\"is given precedence over a Route with a creation timestampof \"2020-09-08 01:02:04\". * If everything else is equivalent,the Route appearing first in alphabetical order (namespace/name)should be given precedence. For example, foo/bar is givenprecedence over foo/baz. \n All valid portions of a Routeselected by this field should be supported. Invalid portionsof a Route can be ignored (sometimes that will mean the fullRoute). If a portion of a Route transitions from valid toinvalid, support for that portion of the Route should be droppedto ensure consistency. For example, even if a filter specifiedby a Route is invalid, the rest of the Route should stillbe supported. \n Support: Core"properties:group:default: networking.x-k8s.iodescription: "Group is the group of the route resource toselect. Omitting the value or specifying the empty stringindicates the networking.x-k8s.io API group. For example,use the following to select an HTTPRoute: \n routes: kind:HTTPRoute \n Otherwise, if an alternative API group isdesired, specify the desired group: \n routes: group:acme.io kind: FooRoute \n Support: Core"maxLength: 253minLength: 1type: stringkind:description: "Kind is the kind of the route resource toselect. \n Kind MUST correspond to kinds of routes thatare compatible with the application protocol specifiedin the Listener's Protocol field. \n If an implementationdoes not support or recognize this resource type, it SHOULDset the \"ResolvedRefs\" condition to false for this listenerwith the \"InvalidRoutesRef\" reason. \n Support: Core"type: stringnamespaces:default:from: Samedescription: "Namespaces indicates in which namespaces Routesshould be selected for this Gateway. This is restrictedto the namespace of this Gateway by default. \n Support:Core"properties:from:default: Samedescription: "From indicates where Routes will be selectedfor this Gateway. Possible values are: * All: Routesin all namespaces may be used by this Gateway. * Selector:Routes in namespaces selected by the selector maybe used by this Gateway. * Same: Only Routes inthe same namespace may be used by this Gateway. \nSupport: Core"enum:- All- Selector- Sametype: stringselector:description: "Selector must be specified when From isset to \"Selector\". In that case, only Routes inNamespaces matching this Selector will be selectedby this Gateway. This field is ignored for other valuesof \"From\". \n Support: Core"properties:matchExpressions:description: matchExpressions is a list of labelselector requirements. The requirements are ANDed.items:description: A label selector requirement is aselector that contains values, a key, and anoperator that relates the key and values.properties:key:description: key is the label key that theselector applies to.type: stringoperator:description: operator represents a key's relationshipto a set of values. Valid operators areIn, NotIn, Exists and DoesNotExist.type: stringvalues:description: values is an array of stringvalues. If the operator is In or NotIn,the values array must be non-empty. If theoperator is Exists or DoesNotExist, thevalues array must be empty. This array isreplaced during a strategic merge patch.items:type: stringtype: arrayrequired:- key- operatortype: objecttype: arraymatchLabels:additionalProperties:type: stringdescription: matchLabels is a map of {key,value}pairs. A single {key,value} in the matchLabelsmap is equivalent to an element of matchExpressions,whose key field is "key", the operator is "In",and the values array contains only "value". Therequirements are ANDed.type: objecttype: objecttype: objectselector:description: "Selector specifies a set of route labels usedfor selecting routes to associate with the Gateway. Ifthis Selector is defined, only routes matching the Selectorare associated with the Gateway. An empty Selector matchesall routes. \n Support: Core"properties:matchExpressions:description: matchExpressions is a list of label selectorrequirements. The requirements are ANDed.items:description: A label selector requirement is a selectorthat contains values, a key, and an operator thatrelates the key and values.properties:key:description: key is the label key that the selectorapplies to.type: stringoperator:description: operator represents a key's relationshipto a set of values. Valid operators are In,NotIn, Exists and DoesNotExist.type: stringvalues:description: values is an array of string values.If the operator is In or NotIn, the values arraymust be non-empty. If the operator is Existsor DoesNotExist, the values array must be empty.This array is replaced during a strategic mergepatch.items:type: stringtype: arrayrequired:- key- operatortype: objecttype: arraymatchLabels:additionalProperties:type: stringdescription: matchLabels is a map of {key,value} pairs.A single {key,value} in the matchLabels map is equivalentto an element of matchExpressions, whose key fieldis "key", the operator is "In", and the values arraycontains only "value". The requirements are ANDed.type: objecttype: objectrequired:- kindtype: objecttls:description: "TLS is the TLS configuration for the Listener.This field is required if the Protocol field is \"HTTPS\"or \"TLS\" and ignored otherwise. \n The association of SNIsto Certificate defined in GatewayTLSConfig is defined basedon the Hostname field for this listener. \n The GatewayClassMUST use the longest matching SNI out of all available certificatesfor any TLS handshake. \n Support: Core"properties:certificateRef:description: "CertificateRef is a reference to a Kubernetesobject that contains a TLS certificate and private key.This certificate is used to establish a TLS handshakefor requests that match the hostname of the associatedlistener. The referenced object MUST reside in the samenamespace as Gateway. \n This field is required when modeis set to \"Terminate\" (default) and optional otherwise.\n CertificateRef can reference a standard Kubernetesresource, i.e. Secret, or an implementation-specific customresource. \n Support: Core (Kubernetes Secrets) \n Support:Implementation-specific (Other resource types)"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectmode:default: Terminatedescription: "Mode defines the TLS behavior for the TLSsession initiated by the client. There are two possiblemodes: - Terminate: The TLS session between the downstreamclient and the Gateway is terminated at the Gateway.This mode requires certificateRef to be set. - Passthrough:The TLS session is NOT terminated by the Gateway. This\ implies that the Gateway can't decipher the TLS streamexcept for the ClientHello message of the TLS protocol.\ CertificateRef field is ignored in this mode. \n Support:Core"enum:- Terminate- Passthroughtype: stringoptions:additionalProperties:type: stringdescription: "Options are a list of key/value pairs to giveextended options to the provider. \n There variation amongproviders as to how ciphersuites are expressed. If thereis a common subset for expressing ciphers then it willmake sense to loft that as a core API construct. \n Support:Implementation-specific"type: objectrouteOverride:default:certificate: Denydescription: "RouteOverride dictates if TLS settings canbe configured via Routes or not. \n CertificateRef mustbe defined even if `routeOverride.certificate` is setto 'Allow' as it will be used as the default certificatefor the listener. \n Support: Core"properties:certificate:default: Denydescription: "Certificate dictates if TLS certificatescan be configured via Routes. If set to 'Allow', aTLS certificate for a hostname defined in a Routetakes precedence over the certificate defined in Gateway.\n Support: Core"enum:- Allow- Denytype: stringtype: objecttype: objectrequired:- port- protocol- routestype: objectmaxItems: 64minItems: 1type: arrayrequired:- gatewayClassName- listenerstype: objectstatus:default:conditions:- lastTransitionTime: "1970-01-01T00:00:00Z"message: Waiting for controllerreason: NotReconciledstatus: "False"type: Scheduleddescription: Status defines the current state of Gateway.properties:addresses:description: "Addresses lists the IP addresses that have actuallybeen bound to the Gateway. These addresses may differ from the addressesin the Spec, e.g. if the Gateway automatically assigns an addressfrom a reserved pool. \n These addresses should all be of type \"IPAddress\"."items:description: GatewayAddress describes an address that can be boundto a Gateway.properties:type:default: IPAddressdescription: "Type of the address. \n Support: Extended"enum:- IPAddress- NamedAddresstype: stringvalue:description: "Value of the address. The validity of the valueswill depend on the type and support by the controller. \nExamples: `1.2.3.4`, `128::1`, `my-ip-address`."maxLength: 253minLength: 1type: stringrequired:- valuetype: objectmaxItems: 16type: arrayconditions:default:- lastTransitionTime: "1970-01-01T00:00:00Z"message: Waiting for controllerreason: NotReconciledstatus: "False"type: Scheduleddescription: "Conditions describe the current conditions of the Gateway.\n Implementations should prefer to express Gateway conditions usingthe `GatewayConditionType` and `GatewayConditionReason` constantsso that operators and tools can converge on a common vocabularyto describe Gateway state. \n Known condition types are: \n * \"Scheduled\"* \"Ready\""items:description: "Condition contains details for one aspect of the currentstate of this API Resource. --- This struct is intended for directuse as an array at the field path .status.conditions. For example,type FooStatus struct{ // Represents the observations of afoo's current state. // Known .status.conditions.type are:\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type\ // +patchStrategy=merge // +listType=map // +listMapKey=type\ Conditions []metav1.Condition `json:\"conditions,omitempty\"patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n // other fields }"properties:lastTransitionTime:description: lastTransitionTime is the last time the conditiontransitioned from one status to another. This should be whenthe underlying condition changed. If that is not known, thenusing the time when the API field changed is acceptable.format: date-timetype: stringmessage:description: message is a human readable message indicatingdetails about the transition. This may be an empty string.maxLength: 32768type: stringobservedGeneration:description: observedGeneration represents the .metadata.generationthat the condition was set based upon. For instance, if .metadata.generationis currently 12, but the .status.conditions[x].observedGenerationis 9, the condition is out of date with respect to the currentstate of the instance.format: int64minimum: 0type: integerreason:description: reason contains a programmatic identifier indicatingthe reason for the condition's last transition. Producersof specific condition types may define expected values andmeanings for this field, and whether the values are considereda guaranteed API. The value should be a CamelCase string.This field may not be empty.maxLength: 1024minLength: 1pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$type: stringstatus:description: status of the condition, one of True, False, Unknown.enum:- "True"- "False"- Unknowntype: stringtype:description: type of condition in CamelCase or in foo.example.com/CamelCase.--- Many .condition.type values are consistent across resourceslike Available, but because arbitrary conditions can be useful(see .node.status.conditions), the ability to deconflict isimportant. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)maxLength: 316pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$type: stringrequired:- lastTransitionTime- message- reason- status- typetype: objectmaxItems: 8type: arrayx-kubernetes-list-map-keys:- typex-kubernetes-list-type: maplisteners:description: Listeners provide status for each unique listener portdefined in the Spec.items:description: ListenerStatus is the status associated with a Listener.properties:conditions:description: Conditions describe the current condition of thislistener.items:description: "Condition contains details for one aspect ofthe current state of this API Resource. --- This structis intended for direct use as an array at the field path.status.conditions. For example, type FooStatus struct{\ // Represents the observations of a foo's current state.\ // Known .status.conditions.type are: \"Available\",\"Progressing\", and \"Degraded\" // +patchMergeKey=type\ // +patchStrategy=merge // +listType=map //+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n // other fields }"properties:lastTransitionTime:description: lastTransitionTime is the last time the conditiontransitioned from one status to another. This shouldbe when the underlying condition changed. If that isnot known, then using the time when the API field changedis acceptable.format: date-timetype: stringmessage:description: message is a human readable message indicatingdetails about the transition. This may be an empty string.maxLength: 32768type: stringobservedGeneration:description: observedGeneration represents the .metadata.generationthat the condition was set based upon. For instance,if .metadata.generation is currently 12, but the .status.conditions[x].observedGenerationis 9, the condition is out of date with respect to thecurrent state of the instance.format: int64minimum: 0type: integerreason:description: reason contains a programmatic identifierindicating the reason for the condition's last transition.Producers of specific condition types may define expectedvalues and meanings for this field, and whether thevalues are considered a guaranteed API. The value shouldbe a CamelCase string. This field may not be empty.maxLength: 1024minLength: 1pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$type: stringstatus:description: status of the condition, one of True, False,Unknown.enum:- "True"- "False"- Unknowntype: stringtype:description: type of condition in CamelCase or in foo.example.com/CamelCase.--- Many .condition.type values are consistent acrossresources like Available, but because arbitrary conditionscan be useful (see .node.status.conditions), the abilityto deconflict is important. The regex it matches is(dns1123SubdomainFmt/)?(qualifiedNameFmt)maxLength: 316pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$type: stringrequired:- lastTransitionTime- message- reason- status- typetype: objectmaxItems: 8type: arrayx-kubernetes-list-map-keys:- typex-kubernetes-list-type: maphostname:description: Hostname is the Listener hostname value for whichthis message is reporting the status.maxLength: 253minLength: 1type: stringport:description: Port is the unique Listener port value for whichthis message is reporting the status.format: int32maximum: 65535minimum: 1type: integerprotocol:description: Protocol is the Listener protocol value for whichthis message is reporting the status.type: stringrequired:- conditions- port- protocoltype: objectmaxItems: 64type: arrayx-kubernetes-list-map-keys:- portx-kubernetes-list-type: maptype: objecttype: objectserved: truestorage: truesubresources:status: {}status:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.5.0creationTimestamp: nullname: httproutes.networking.x-k8s.iospec:group: networking.x-k8s.ionames:categories:- gateway-apikind: HTTPRoutelistKind: HTTPRouteListplural: httproutessingular: httproutescope: Namespacedversions:- additionalPrinterColumns:- jsonPath: .spec.hostnamesname: Hostnamestype: string- jsonPath: .metadata.creationTimestampname: Agetype: datename: v1alpha1schema:openAPIV3Schema:description: HTTPRoute is the Schema for the HTTPRoute resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: Spec defines the desired state of HTTPRoute.properties:gateways:default:allow: SameNamespacedescription: Gateways defines which Gateways can use this Route.properties:allow:default: SameNamespacedescription: 'Allow indicates which Gateways will be allowed touse this route. Possible values are: * All: Gateways in anynamespace can use this route. * FromList: Only Gateways specifiedin GatewayRefs may use this route. * SameNamespace: Only Gatewaysin the same namespace may use this route.'enum:- All- FromList- SameNamespacetype: stringgatewayRefs:description: GatewayRefs must be specified when Allow is set to"FromList". In that case, only Gateways referenced in this listwill be allowed to use this route. This field is ignored forother values of "Allow".items:description: GatewayReference identifies a Gateway in a specifiednamespace.properties:name:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringnamespace:description: Namespace is the namespace of the referent.maxLength: 253minLength: 1type: stringrequired:- name- namespacetype: objecttype: arraytype: objecthostnames:description: "Hostnames defines a set of hostname that should matchagainst the HTTP Host header to select a HTTPRoute to process therequest. Hostname is the fully qualified domain name of a networkhost, as defined by RFC 3986. Note the following deviations fromthe \"host\" part of the URI as defined in the RFC: \n 1. IPs arenot allowed. 2. The `:` delimiter is not respected because portsare not allowed. \n Incoming requests are matched against the hostnamesbefore the HTTPRoute rules. If no hostname is specified, trafficis routed based on the HTTPRouteRules. \n Hostname can be \"precise\"which is a domain name without the terminating dot of a networkhost (e.g. \"foo.example.com\") or \"wildcard\", which is a domainname prefixed with a single wildcard label (e.g. `*.example.com`).The wildcard character `*` must appear by itself as the first DNSlabel and matches only a single label. You cannot have a wildcardlabel by itself (e.g. Host == `*`). Requests will be matched againstthe Host field in the following order: \n 1. If Host is precise,the request matches this rule if the HTTP Host header is equalto Host. 2. If Host is a wildcard, then the request matches thisrule if the HTTP Host header is to equal to the suffix (removingthe first label) of the wildcard rule. \n Support: Core"items:description: Hostname is used to specify a hostname that shouldbe matched.maxLength: 253minLength: 1type: stringmaxItems: 16type: arrayrules:default:- matches:- path:type: Prefixvalue: /description: Rules are a list of HTTP matchers, filters and actions.items:description: HTTPRouteRule defines semantics for matching an HTTPrequest based on conditions, optionally executing additional processingsteps, and forwarding the request to an API object.properties:filters:description: "Filters define the filters that are applied torequests that match this rule. \n The effects of orderingof multiple behaviors are currently unspecified. This canchange in the future based on feedback during the alpha stage.\n Conformance-levels at this level are defined based on thetype of filter: \n - ALL core filters MUST be supported byall implementations. - Implementers are encouraged to supportextended filters. - Implementation-specific custom filtershave no API guarantees across implementations. \n Specifyinga core filter multiple times has unspecified or custom conformance.\n Support: Core"items:description: 'HTTPRouteFilter defines additional processingsteps that must be completed during the request or responselifecycle. HTTPRouteFilters are meant as an extension pointto express additional processing that may be done in Gatewayimplementations. Some examples include request or responsemodification, implementing authentication strategies, rate-limiting,and traffic shaping. API guarantee/conformance is definedbased on the type of the filter. TODO(hbagdi): re-renderCRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298- https://github.com/kubernetes-sigs/controller-tools/issues/461'properties:extensionRef:description: "ExtensionRef is an optional, implementation-specificextension to the \"filter\" behavior. For example,resource \"myroutefilter\" in group \"networking.acme.io\").ExtensionRef MUST NOT be used for core and extendedfilters. \n Support: Implementation-specific"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectrequestHeaderModifier:description: "RequestHeaderModifier defines a schema fora filter that modifies request headers. \n Support:Core"properties:add:additionalProperties:type: stringdescription: "Add adds the given header (name, value)to the request before the action. It appends toany existing values associated with the header name.\n Input: GET /foo HTTP/1.1 my-header: foo \nConfig: add: {\"my-header\": \"bar\"} \n Output:\ GET /foo HTTP/1.1 my-header: foo my-header:bar \n Support: Extended"type: objectremove:description: "Remove the given header(s) from theHTTP request before the action. The value of RemoveHeaderis a list of HTTP header names. Note that the headernames are case-insensitive [RFC-2616 4.2]. \n Input:\ GET /foo HTTP/1.1 my-header1: foo my-header2:bar my-header3: baz \n Config: remove: [\"my-header1\",\"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:bar \n Support: Extended"items:type: stringmaxItems: 16type: arrayset:additionalProperties:type: stringdescription: "Set overwrites the request with thegiven header (name, value) before the action. \nInput: GET /foo HTTP/1.1 my-header: foo \n Config:\ set: {\"my-header\": \"bar\"} \n Output: GET/foo HTTP/1.1 my-header: bar \n Support: Extended"type: objecttype: objectrequestMirror:description: "RequestMirror defines a schema for a filterthat mirrors requests. \n Support: Extended"properties:backendRef:description: "BackendRef is a local object referenceto mirror matched requests to. If both BackendRefand ServiceName are specified, ServiceName willbe given precedence. \n If the referent cannot befound, the rule is not included in the route. Thecontroller should raise the \"ResolvedRefs\" conditionon the Gateway with the \"DegradedRoutes\" reason.The gateway status for this route should be updatedwith a condition that describes the error more specifically.\n Support: Custom"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectport:description: "Port specifies the destination portnumber to use for the backend referenced by theServiceName or BackendRef field. \n If unspecified,the destination port in the request is used whenforwarding to a backendRef or serviceName."format: int32maximum: 65535minimum: 1type: integerserviceName:description: "ServiceName refers to the name of theService to mirror matched requests to. When specified,this takes the place of BackendRef. If both BackendRefand ServiceName are specified, ServiceName willbe given precedence. \n If the referent cannot befound, the rule is not included in the route. Thecontroller should raise the \"ResolvedRefs\" conditionon the Gateway with the \"DegradedRoutes\" reason.The gateway status for this route should be updatedwith a condition that describes the error more specifically.\n Support: Core"maxLength: 253type: stringtype: objecttype:description: "Type identifies the type of filter to apply.As with other API fields, types are classified intothree conformance levels: \n - Core: Filter types andtheir corresponding configuration defined by \"Support:Core\" in this package, e.g. \"RequestHeaderModifier\".All implementations must support core filters. \n- Extended: Filter types and their corresponding configurationdefined by \"Support: Extended\" in this package,e.g. \"RequestMirror\". Implementers are encouragedto support extended filters. \n - Custom: Filters thatare defined and supported by specific vendors. Inthe future, filters showing convergence in behavioracross multiple implementations will be consideredfor inclusion in extended or core conformance levels.Filter-specific configuration for such filters isspecified using the ExtensionRef field. `Type` shouldbe set to \"ExtensionRef\" for custom filters. \nImplementers are encouraged to define custom implementationtypes to extend the core API with implementation-specificbehavior."enum:- RequestHeaderModifier- RequestMirror- ExtensionReftype: stringrequired:- typetype: objectmaxItems: 16type: arrayforwardTo:description: ForwardTo defines the backend(s) where matchingrequests should be sent. If unspecified, the rule performsno forwarding. If unspecified and no filters are specifiedthat would result in a response being sent, a 503 error codeis returned.items:description: HTTPRouteForwardTo defines how a HTTPRoute shouldforward a request.properties:backendRef:description: "BackendRef is a reference to a backend toforward matched requests to. If both BackendRef andServiceName are specified, ServiceName will be givenprecedence. \n If the referent cannot be found, theroute must be dropped from the Gateway. The controllershould raise the \"ResolvedRefs\" condition on the Gatewaywith the \"DegradedRoutes\" reason. The gateway statusfor this route should be updated with a condition thatdescribes the error more specifically. \n Support: Custom"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectfilters:description: "Filters defined at this-level should beexecuted if and only if the request is being forwardedto the backend defined here. \n Support: Custom (Forbroader support of filters, use the Filters field inHTTPRouteRule.)"items:description: 'HTTPRouteFilter defines additional processingsteps that must be completed during the request orresponse lifecycle. HTTPRouteFilters are meant asan extension point to express additional processingthat may be done in Gateway implementations. Someexamples include request or response modification,implementing authentication strategies, rate-limiting,and traffic shaping. API guarantee/conformance isdefined based on the type of the filter. TODO(hbagdi):re-render CRDs once controller-tools supports uniontags: - https://github.com/kubernetes-sigs/controller-tools/pull/298- https://github.com/kubernetes-sigs/controller-tools/issues/461'properties:extensionRef:description: "ExtensionRef is an optional, implementation-specificextension to the \"filter\" behavior. For example,resource \"myroutefilter\" in group \"networking.acme.io\").ExtensionRef MUST NOT be used for core and extendedfilters. \n Support: Implementation-specific"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectrequestHeaderModifier:description: "RequestHeaderModifier defines a schemafor a filter that modifies request headers. \nSupport: Core"properties:add:additionalProperties:type: stringdescription: "Add adds the given header (name,value) to the request before the action. Itappends to any existing values associatedwith the header name. \n Input: GET /fooHTTP/1.1 my-header: foo \n Config: add:{\"my-header\": \"bar\"} \n Output: GET/foo HTTP/1.1 my-header: foo my-header:bar \n Support: Extended"type: objectremove:description: "Remove the given header(s) fromthe HTTP request before the action. The valueof RemoveHeader is a list of HTTP header names.Note that the header names are case-insensitive[RFC-2616 4.2]. \n Input: GET /foo HTTP/1.1\ my-header1: foo my-header2: bar my-header3:baz \n Config: remove: [\"my-header1\",\"my-header3\"] \n Output: GET /foo HTTP/1.1\ my-header2: bar \n Support: Extended"items:type: stringmaxItems: 16type: arrayset:additionalProperties:type: stringdescription: "Set overwrites the request withthe given header (name, value) before theaction. \n Input: GET /foo HTTP/1.1 my-header:foo \n Config: set: {\"my-header\": \"bar\"}\n Output: GET /foo HTTP/1.1 my-header:bar \n Support: Extended"type: objecttype: objectrequestMirror:description: "RequestMirror defines a schema fora filter that mirrors requests. \n Support: Extended"properties:backendRef:description: "BackendRef is a local object referenceto mirror matched requests to. If both BackendRefand ServiceName are specified, ServiceNamewill be given precedence. \n If the referentcannot be found, the rule is not includedin the route. The controller should raisethe \"ResolvedRefs\" condition on the Gatewaywith the \"DegradedRoutes\" reason. The gatewaystatus for this route should be updated witha condition that describes the error morespecifically. \n Support: Custom"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectport:description: "Port specifies the destinationport number to use for the backend referencedby the ServiceName or BackendRef field. \nIf unspecified, the destination port in therequest is used when forwarding to a backendRefor serviceName."format: int32maximum: 65535minimum: 1type: integerserviceName:description: "ServiceName refers to the nameof the Service to mirror matched requeststo. When specified, this takes the place ofBackendRef. If both BackendRef and ServiceNameare specified, ServiceName will be given precedence.\n If the referent cannot be found, the ruleis not included in the route. The controllershould raise the \"ResolvedRefs\" conditionon the Gateway with the \"DegradedRoutes\"reason. The gateway status for this routeshould be updated with a condition that describesthe error more specifically. \n Support: Core"maxLength: 253type: stringtype: objecttype:description: "Type identifies the type of filterto apply. As with other API fields, types areclassified into three conformance levels: \n -Core: Filter types and their corresponding configurationdefined by \"Support: Core\" in this package,e.g. \"RequestHeaderModifier\". All implementationsmust support core filters. \n - Extended: Filtertypes and their corresponding configuration definedby \"Support: Extended\" in this package, e.g.\"RequestMirror\". Implementers are encouragedto support extended filters. \n - Custom: Filtersthat are defined and supported by specific vendors.\ In the future, filters showing convergencein behavior across multiple implementationswill be considered for inclusion in extended orcore conformance levels. Filter-specific configurationfor such filters is specified using the ExtensionReffield. `Type` should be set to \"ExtensionRef\"for custom filters. \n Implementers are encouragedto define custom implementation types to extendthe core API with implementation-specific behavior."enum:- RequestHeaderModifier- RequestMirror- ExtensionReftype: stringrequired:- typetype: objectmaxItems: 16type: arrayport:description: "Port specifies the destination port numberto use for the backend referenced by the ServiceNameor BackendRef field. If unspecified, the destinationport in the request is used when forwarding to a backendRefor serviceName. \n Support: Core"format: int32maximum: 65535minimum: 1type: integerserviceName:description: "ServiceName refers to the name of the Serviceto forward matched requests to. When specified, thistakes the place of BackendRef. If both BackendRef andServiceName are specified, ServiceName will be givenprecedence. \n If the referent cannot be found, theroute must be dropped from the Gateway. The controllershould raise the \"ResolvedRefs\" condition on the Gatewaywith the \"DegradedRoutes\" reason. The gateway statusfor this route should be updated with a condition thatdescribes the error more specifically. \n The protocolto use should be specified with the AppProtocol fieldon Service resources. This field was introduced in Kubernetes1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol`annotation on the BackendPolicy resource may be usedto define the protocol. If the AppProtocol field isavailable, this annotation should not be used. The AppProtocolfield, when populated, takes precedence over the annotationin the BackendPolicy resource. For custom backends,it is encouraged to add a semantically-equivalent fieldin the Custom Resource Definition. \n Support: Core"maxLength: 253type: stringweight:default: 1description: "Weight specifies the proportion of HTTPrequests forwarded to the backend referenced by theServiceName or BackendRef field. This is computed asweight/(sum of all weights in this ForwardTo list).For non-zero values, there may be some epsilon fromthe exact proportion defined here depending on the precisionan implementation supports. Weight is not a percentageand the sum of weights does not need to equal 100. \nIf only one backend is specified and it has a weightgreater than 0, 100% of the traffic is forwarded tothat backend. If weight is set to 0, no traffic shouldbe forwarded for this entry. If unspecified, weightdefaults to 1. \n Support: Core"format: int32maximum: 1000000minimum: 0type: integertype: objectmaxItems: 16type: arraymatches:default:- path:type: Prefixvalue: /description: "Matches define conditions used for matching therule against incoming HTTP requests. Each match is independent,i.e. this rule will be matched if **any** one of the matchesis satisfied. \n For example, take the following matches configuration:\n ``` matches: - path: value: \"/foo\" headers: values:\ version: \"2\" - path: value: \"/v2/foo\" ``` \nFor a request to match against this rule, a request shouldsatisfy EITHER of the two conditions: \n - path prefixed with`/foo` AND contains the header `version: \"2\"` - path prefixof `/v2/foo` \n See the documentation for HTTPRouteMatch onhow to specify multiple match conditions that should be ANDedtogether. \n If no matches are specified, the default is aprefix path match on \"/\", which has the effect of matchingevery HTTP request. \n Each client request MUST map to a maximumof one route rule. If a request matches multiple rules, matchingprecedence MUST be determined in order of the following criteria,continuing on ties: \n * The longest matching hostname. *The longest matching path. * The largest number of headermatches. \n If ties still exist across multiple Routes, matchingprecedence MUST be determined in order of the following criteria,continuing on ties: \n * The oldest Route based on creationtimestamp. For example, a Route with a creation timestampof \"2020-09-08 01:02:03\" is given precedence over a Routewith a creation timestamp of \"2020-09-08 01:02:04\". * TheRoute appearing first in alphabetical order by \"<namespace>/<name>\".For example, foo/bar is given precedence over foo/baz. \nIf ties still exist within the Route that has been given precedence,matching precedence MUST be granted to the first matchingrule meeting the above criteria."items:description: "HTTPRouteMatch defines the predicate used tomatch requests to a given action. Multiple match types areANDed together, i.e. the match will evaluate to true onlyif all conditions are satisfied. \n For example, the matchbelow will match a HTTP request only if its path startswith `/foo` AND it contains the `version: \"1\"` header:\n ``` match: path: value: \"/foo\" headers: values:\ version: \"1\" ```"properties:extensionRef:description: "ExtensionRef is an optional, implementation-specificextension to the \"match\" behavior. For example, resource\"myroutematcher\" in group \"networking.acme.io\".If the referent cannot be found, the rule is not includedin the route. The controller should raise the \"ResolvedRefs\"condition on the Gateway with the \"DegradedRoutes\"reason. The gateway status for this route should beupdated with a condition that describes the error morespecifically. \n Support: Custom"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectheaders:description: Headers specifies a HTTP request header matcher.properties:type:default: Exactdescription: "Type specifies how to match againstthe value of the header. \n Support: Core (Exact)\n Support: Custom (RegularExpression, ImplementationSpecific)\n Since RegularExpression PathType has custom conformance,implementations can support POSIX, PCRE or any otherdialects of regular expressions. Please read theimplementation's documentation to determine thesupported dialect. \n HTTP Header name matchingMUST be case-insensitive (RFC 2616 - section 4.2)."enum:- Exact- RegularExpression- ImplementationSpecifictype: stringvalues:additionalProperties:type: stringdescription: "Values is a map of HTTP Headers to bematched. It MUST contain at least one entry. \nThe HTTP header field name to match is the map key,and the value of the HTTP header is the map value.HTTP header field name matching MUST be case-insensitive.\n Multiple match values are ANDed together, meaning,a request must match all the specified headers toselect the route."type: objectrequired:- valuestype: objectpath:default:type: Prefixvalue: /description: Path specifies a HTTP request path matcher.If this field is not specified, a default prefix matchon the "/" path is provided.properties:type:default: Prefixdescription: "Type specifies how to match againstthe path Value. \n Support: Core (Exact, Prefix)\n Support: Custom (RegularExpression, ImplementationSpecific)\n Since RegularExpression PathType has custom conformance,implementations can support POSIX, PCRE or any otherdialects of regular expressions. Please read theimplementation's documentation to determine thesupported dialect."enum:- Exact- Prefix- RegularExpression- ImplementationSpecifictype: stringvalue:default: /description: Value of the HTTP path to match against.type: stringtype: objectqueryParams:description: QueryParams specifies a HTTP query parametermatcher.properties:type:default: Exactdescription: "Type specifies how to match againstthe value of the query parameter. \n Support: Extended(Exact) \n Support: Custom (RegularExpression, ImplementationSpecific)\n Since RegularExpression QueryParamMatchType hascustom conformance, implementations can supportPOSIX, PCRE or any other dialects of regular expressions.Please read the implementation's documentation todetermine the supported dialect."enum:- Exact- RegularExpression- ImplementationSpecifictype: stringvalues:additionalProperties:type: stringdescription: "Values is a map of HTTP query parametersto be matched. It MUST contain at least one entry.\n The query parameter name to match is the mapkey, and the value of the query parameter is themap value. \n Multiple match values are ANDed together,meaning, a request must match all the specifiedquery parameters to select the route. \n HTTP queryparameter matching MUST be case-sensitive for bothkeys and values. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).\n Note that the query parameter key MUST alwaysbe an exact match by string comparison."type: objectrequired:- valuestype: objecttype: objectmaxItems: 8type: arraytype: objectmaxItems: 16type: arraytls:description: "TLS defines the TLS certificate to use for Hostnamesdefined in this Route. This configuration only takes effect if theAllowRouteOverride field is set to true in the associated Gatewayresource. \n Collisions can happen if multiple HTTPRoutes definea TLS certificate for the same hostname. In such a case, conflictresolution guiding principles apply, specifically, if hostnamesare same and two different certificates are specified then the certificatein the oldest resource wins. \n Please note that HTTP Route-selectiontakes place after the TLS Handshake (ClientHello). Due to this,TLS certificate defined here will take precedence even if the requesthas the potential to match multiple routes (in case multiple HTTPRoutesshare the same hostname). \n Support: Core"properties:certificateRef:description: "CertificateRef is a reference to a Kubernetes objectthat contains a TLS certificate and private key. This certificateis used to establish a TLS handshake for requests that matchthe hostname of the associated HTTPRoute. The referenced objectMUST reside in the same namespace as HTTPRoute. \n This fieldis required when the TLS configuration mode of the associatedGateway listener is set to \"Passthrough\". \n CertificateRefcan reference a standard Kubernetes resource, i.e. Secret, oran implementation-specific custom resource. \n Support: Core(Kubernetes Secrets) \n Support: Implementation-specific (Otherresource types)"properties:group:description: Group is the group of the referent.maxLength: 253minLength: 1type: stringkind:description: Kind is kind of the referent.maxLength: 253minLength: 1type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringrequired:- group- kind- nametype: objectrequired:- certificateReftype: objecttype: objectstatus:description: Status defines the current state of HTTPRoute.properties:gateways:description: "Gateways is a list of Gateways that are associated withthe route, and the status of the route with respect to each Gateway.When a Gateway selects this route, the controller that manages theGateway must add an entry to this list when the controller firstsees the route and should update the entry as appropriate when theroute is modified. \n A maximum of 100 Gateways will be representedin this list. If this list is full, there may be additional Gatewaysusing this Route that are not included in the list. An empty listmeans the route has not been admitted by any Gateway."items:description: RouteGatewayStatus describes the status of a routewith respect to an associated Gateway.properties:conditions:description: Conditions describes the status of the route withrespect to the Gateway. The "Admitted" condition must alwaysbe specified by controllers to indicate whether the routehas been admitted or rejected by the Gateway, and why. Notethat the route's availability is also subject to the Gateway'sown status conditions and listener status.items:description: "Condition contains details for one aspect ofthe current state of this API Resource. --- This structis intended for direct use as an array at the field path.status.conditions. For example, type FooStatus struct{\ // Represents the observations of a foo's current state.\ // Known .status.conditions.type are: \"Available\",\"Progressing\", and \"Degraded\" // +patchMergeKey=type\ // +patchStrategy=merge // +listType=map //+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n // other fields }"properties:lastTransitionTime:description: lastTransitionTime is the last time the conditiontransitioned from one status to another. This shouldbe when the underlying condition changed. If that isnot known, then using the time when the API field changedis acceptable.format: date-timetype: stringmessage:description: message is a human readable message indicatingdetails about the transition. This may be an empty string.maxLength: 32768type: stringobservedGeneration:description: observedGeneration represents the .metadata.generationthat the condition was set based upon. For instance,if .metadata.generation is currently 12, but the .status.conditions[x].observedGenerationis 9, the condition is out of date with respect to thecurrent state of the instance.format: int64minimum: 0type: integerreason:description: reason contains a programmatic identifierindicating the reason for the condition's last transition.Producers of specific condition types may define expectedvalues and meanings for this field, and whether thevalues are considered a guaranteed API. The value shouldbe a CamelCase string. This field may not be empty.maxLength: 1024minLength: 1pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$type: stringstatus:description: status of the condition, one of True, False,Unknown.enum:- "True"- "False"- Unknowntype: stringtype:description: type of condition in CamelCase or in foo.example.com/CamelCase.--- Many .condition.type values are consistent acrossresources like Available, but because arbitrary conditionscan be useful (see .node.status.conditions), the abilityto deconflict is important. The regex it matches is(dns1123SubdomainFmt/)?(qualifiedNameFmt)maxLength: 316pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$type: stringrequired:- lastTransitionTime- message- reason- status- typetype: objectmaxItems: 8type: arrayx-kubernetes-list-map-keys:- typex-kubernetes-list-type: mapgatewayRef:description: GatewayRef is a reference to a Gateway object thatis associated with the route.properties:controller:description: "Controller is a domain/path string that indicatesthe controller implementing the Gateway. This correspondswith the controller field on GatewayClass. \n Example:\"acme.io/gateway-controller\". \n The format of thisfield is DOMAIN \"/\" PATH, where DOMAIN and PATH arevalid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."maxLength: 253type: stringname:description: Name is the name of the referent.maxLength: 253minLength: 1type: stringnamespace:description: Namespace is the namespace of the referent.maxLength: 253minLength: 1type: stringrequired:- name- namespacetype: objectrequired:- gatewayReftype: objectmaxItems: 100type: arrayrequired:- gatewaystype: objecttype: objectserved: truestorage: truesubresources:status: {}status:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []
RBAC
---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: gateway-rolerules:- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- networking.x-k8s.ioresources:- gatewayclasses- gateways- httproutes- tcproutes- tlsroutesverbs:- get- list- watch- apiGroups:- networking.x-k8s.ioresources:- gatewayclasses/status- gateways/status- httproutes/status- tcproutes/status- tlsroutes/statusverbs:- update---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: gateway-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: gateway-rolesubjects:- kind: ServiceAccountname: traefik-controllernamespace: default
The Kubernetes Gateway API project provides several guides on how to use the APIs. These guides can help you to go further than the example above. The getting started guide details how to install the CRDs from their repository.
Keep in mind that the Traefik Gateway provider only supports the v0.3.0 (v1alpha1).
For now, the Traefik Gateway Provider can be used while following the below guides:
Resource Configuration
When using Kubernetes Gateway API as a provider, Traefik uses Kubernetes Custom Resource Definitions to retrieve its routing configuration.
All concepts can be found in the official API concepts documentation. Traefik implements the following resources:
GatewayClassdefines a set of Gateways that share a common configuration and behaviour.Gatewaydescribes how traffic can be translated to Services within the cluster.HTTPRoutedefines HTTP rules for mapping requests from a Gateway to Kubernetes Services.TCPRoutedefines TCP rules for mapping requests from a Gateway to Kubernetes Services.TLSRoutedefines TLS rules for mapping requests from a Gateway to Kubernetes Services.
Provider Configuration
endpoint
Optional, Default=””
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.
The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client. In this case, the endpoint is required. Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
File (YAML)
providers:kubernetesGateway:endpoint: "http://localhost:8080"# ...
File (TOML)
[providers.kubernetesGateway]endpoint = "http://localhost:8080"# ...
CLI
--providers.kubernetesgateway.endpoint=http://localhost:8080
token
Optional, Default=””
Bearer token used for the Kubernetes client configuration.
File (YAML)
providers:kubernetesGateway:token: "mytoken"# ...
File (TOML)
[providers.kubernetesGateway]token = "mytoken"# ...
CLI
--providers.kubernetesgateway.token=mytoken
certAuthFilePath
Optional, Default=””
Path to the certificate authority file. Used for the Kubernetes client configuration.
File (YAML)
providers:kubernetesGateway:certAuthFilePath: "/my/ca.crt"# ...
File (TOML)
[providers.kubernetesGateway]certAuthFilePath = "/my/ca.crt"# ...
CLI
--providers.kubernetesgateway.certauthfilepath=/my/ca.crt
namespaces
Optional, Default: []
Array of namespaces to watch. If left empty, watches all namespaces if the value of namespaces.
File (YAML)
providers:kubernetesGateway:namespaces:- "default"- "production"# ...
File (TOML)
[providers.kubernetesGateway]namespaces = ["default", "production"]# ...
CLI
--providers.kubernetesgateway.namespaces=default,production
labelselector
Optional, Default: “”
A label selector can be defined to filter on specific GatewayClass objects only. If left empty, Traefik processes all GatewayClass objects in the configured namespaces.
See label-selectors for details.
File (YAML)
providers:kubernetesGateway:labelselector: "app=traefik"# ...
File (TOML)
[providers.kubernetesGateway]labelselector = "app=traefik"# ...
CLI
--providers.kubernetesgateway.labelselector="app=traefik"
throttleDuration
Optional, Default: 0
The throttleDuration option defines how often the provider is allowed to handle events from Kubernetes. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
The value of throttleDuration should be provided in seconds or as a valid duration format, see time.ParseDuration.
File (YAML)
providers:kubernetesGateway:throttleDuration: "10s"# ...
File (TOML)
[providers.kubernetesGateway]throttleDuration = "10s"# ...
CLI
--providers.kubernetesgateway.throttleDuration=10s
