1/*
2Copyright 2020 The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8    http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17package v1alpha2
18
19import (
20	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
21)
22
// +genclient
// +kubebuilder:object:root=true
// +kubebuilder:resource:categories=gateway-api
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

// The TLSRoute resource is similar to TCPRoute, but can be configured
// to match against TLS-specific metadata. This allows more flexibility
// in matching streams for a given TLS listener.
//
// If you need to forward traffic to a single target for a TLS listener, you
// could choose to use a TCPRoute with a TLS listener.
//
// Status is served as a status subresource (see the marker above), so
// updates to Spec and to Status travel through separate API endpoints and
// can be authorized independently.
type TLSRoute struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec defines the desired state of TLSRoute.
	//
	// The json tag has no omitempty, so the field is required on the wire.
	Spec TLSRouteSpec `json:"spec"`

	// Status defines the current state of TLSRoute.
	//
	// Status is populated by the implementation (for example the 'Accepted'
	// Condition described on TLSRouteSpec.Hostnames), not by the route author.
	Status TLSRouteStatus `json:"status,omitempty"`
}
46
// TLSRouteSpec defines the desired state of a TLSRoute resource.
type TLSRouteSpec struct {
	// CommonRouteSpec is defined elsewhere in this package; the fields it
	// contributes (such as parent references) are not visible in this file.
	CommonRouteSpec `json:",inline"`

	// Hostnames defines a set of SNI names that should match against the
	// SNI attribute of TLS ClientHello message in TLS handshake. This matches
	// the RFC 1123 definition of a hostname with 2 notable exceptions:
	//
	// 1. IPs are not allowed in SNI names per RFC 6066.
	// 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
	//    label must appear by itself as the first label.
	//
	// If a hostname is specified by both the Listener and TLSRoute, there
	// must be at least one intersecting hostname for the TLSRoute to be
	// attached to the Listener. For example:
	//
	// * A Listener with `test.example.com` as the hostname matches TLSRoutes
	//   that have either not specified any hostnames, or have specified at
	//   least one of `test.example.com` or `*.example.com`.
	// * A Listener with `*.example.com` as the hostname matches TLSRoutes
	//   that have either not specified any hostnames or have specified at least
	//   one hostname that matches the Listener hostname. For example,
	//   `test.example.com` and `*.example.com` would both match. On the other
	//   hand, `example.com` and `test.example.net` would not match.
	//
	// If both the Listener and TLSRoute have specified hostnames, any
	// TLSRoute hostnames that do not match the Listener hostname MUST be
	// ignored. For example, if a Listener specified `*.example.com`, and the
	// TLSRoute specified `test.example.com` and `test.example.net`,
	// `test.example.net` must not be considered for a match.
	//
	// If both the Listener and TLSRoute have specified hostnames, and none
	// match with the criteria above, then the TLSRoute is not accepted. The
	// implementation must raise an 'Accepted' Condition with a status of
	// `False` in the corresponding RouteParentStatus.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	//
	// NOTE(review): the marker above only bounds the list length. Per-entry
	// syntax checks (wildcard placement, no IP literals) are expected to live
	// on the Hostname type, which is defined elsewhere in this package —
	// confirm there before relying on API-server validation of entries.
	Hostnames []Hostname `json:"hostnames,omitempty"`

	// Rules are a list of TLS matchers and actions.
	//
	// The json tag has no omitempty and MinItems is 1, so at least one rule
	// must always be present.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	Rules []TLSRouteRule `json:"rules"`
}
95
// TLSRouteStatus defines the observed state of TLSRoute.
//
// It adds nothing beyond the embedded RouteStatus, which is defined
// elsewhere in this package.
type TLSRouteStatus struct {
	RouteStatus `json:",inline"`
}
100
// TLSRouteRule is the configuration for a given rule.
//
// A rule carries only backend references; there are no match fields on the
// rule itself, matching is driven by TLSRouteSpec.Hostnames.
type TLSRouteRule struct {
	// BackendRefs defines the backend(s) where matching requests should be
	// sent. If unspecified or invalid (refers to a non-existent resource or
	// a Service with no endpoints), the rule performs no forwarding; if no
	// filters are specified that would result in a response being sent, the
	// underlying implementation must actively reject request attempts to this
	// backend, by rejecting the connection or returning a 503 status code.
	// Request rejections must respect weight; if an invalid backend is
	// requested to have 80% of requests, then 80% of requests must be rejected
	// instead.
	//
	// NOTE(review): a 503 status code can only be produced where the
	// implementation terminates TLS and speaks HTTP to the client; for
	// passthrough TLS, rejecting the connection is the only option named
	// here — confirm the wording is intended for this route type.
	//
	// Support: Core for Kubernetes Service
	// Support: Custom for any other resource
	//
	// Support for weight: Extended
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	//
	// NOTE(review): the json tag carries omitempty while MinItems is 1;
	// presumably the list may be absent but must be non-empty when present,
	// matching the "If unspecified" wording above — verify against the
	// generated CRD schema.
	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
}
122
// +kubebuilder:object:root=true

// TLSRouteList contains a list of TLSRoute.
type TLSRouteList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the TLSRoute objects in this list; the json tag has no
	// omitempty, so the key is always emitted.
	Items []TLSRoute `json:"items"`
}
131