andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/airlock/microgateway/4.3.1/crds/sidecargateways.microgatewa...

759 lines
45 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.1
name: sidecargateways.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: SidecarGateway
listKind: SidecarGatewayList
plural: sidecargateways
singular: sidecargateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired sidecar gateway behavior.
properties:
applications:
description: Applications defines applications which run on different ports.
items:
properties:
containerPort:
default: 8080
description: |-
ContainerPort refers to the container port.
This must be a valid port number, 0 < x < 65536.
format: int32
maximum: 65535
minimum: 1
type: integer
downstream:
description: Downstream defines the downstream configuration for this application
properties:
protocol:
description: |-
Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies that the protocol should be inferred.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies that the client is assumed to speak HTTP/1.1.
type: object
http2:
description: HTTP2 specifies that the client is assumed to speak HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
remoteIP:
description: |-
RemoteIP defines how the remote IP of a client is propagated.
Default: xff: {...}
properties:
connectionIP:
description: ConnectionIP configures to use the source IP address of the direct downstream connection.
type: object
customHeader:
description: CustomHeader specifies to use a custom header for remote IP extraction.
properties:
headerName:
description: HeaderName specifies the name of the custom header containing the remote IP.
minLength: 1
type: string
required:
default: true
description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403.
type: boolean
required:
- headerName
type: object
xff:
description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction.
properties:
numTrustedHops:
default: 1
description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
format: int32
minimum: 1
type: integer
type: object
type: object
requestNormalizations:
description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching.
properties:
mergeSlashes:
default: true
description: MergeSlashes ensures that adjacent slashes in the path are merged into one.
type: boolean
normalizePath:
default: true
description: NormalizePath ensures normalization according to RFC 3986 without case normalization.
type: boolean
type: object
restrictions:
description: Restrictions defines restrictions for downstream.
properties:
http:
description: HTTP defines limits for the HTTP protocol.
properties:
headersLength:
anyOf:
- type: integer
- type: string
default: 60Ki
description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
timeouts:
description: Timeouts defines timeouts for downstream
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
default: 5m
description: |-
Idle defines the settings for the idle timeout when no data is sent or received.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
maxDuration:
default: 5m
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
A value of 0 will completely disable the timeout.
Default: 5m
type: string
requestHeaders:
default: 10s
description: |-
RequestHeaders defines the duration before all request headers must be received.
A value of 0 will completely disable the timeout.
Default: 10s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
clientCertificate:
description: |-
ClientCertificate defines the TLS settings for verification of client certificates.
At most one of ignored, optional and required can be set.
Default: ignored: {}
properties:
ignored:
description: Ignored disables verification of the client certificate.
type: object
optional:
description: |-
Optional enables verification of the client certificate if one is presented.
In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
properties:
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
required:
- trustedCA
type: object
required:
description: |-
Required contains settings for client certificate verification. A client must present a valid certificate.
At least one of trustedCA and certificatePinning must be set.
properties:
allowedSANs:
description: |-
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
items:
description: |-
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.
properties:
matcher:
description: Matcher defines the string matcher for the SAN value.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
sanType:
description: SanType defines the type of SAN matcher.
enum:
- DNS
- Email
- URI
- IPAddress
type: string
required:
- matcher
- sanType
type: object
minItems: 1
type: array
certificatePinning:
description: |-
CertificatePinning defines the constraints a client certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
properties:
allowedHashes:
description: |-
AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
allowedSPKIs:
description: |-
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
items:
type: string
minItems: 1
type: array
type: object
crl:
description: CRL defines the Certificate Revocation List (CRL) settings.
properties:
lists:
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
validationMode:
default: VerifyChain
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
enum:
- VerifyLeafCertOnly
- VerifyChain
type: string
type: object
trustedCA:
description: TrustedCA defines which CA certificates are trusted.
properties:
certificates:
description: Certificates defines the list of secretRefs containing trusted CA certificates.
items:
properties:
secretRef:
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
minItems: 1
type: array
verificationDepth:
default: 1
description: |-
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
format: int32
type: integer
required:
- certificates
type: object
type: object
type: object
enable:
default: false
description: Enable defines if the downstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
secretRef:
description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls).
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
xfcc:
description: |-
XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values:
_Sanitize_: Do not send the XFCC header to the next hop. This is the default value.
_ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
_AppendAndForward_: When the client connection is mTLS, append the client certificate information to the requests XFCC header and forward it.
_SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
_AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)
enum:
- Sanitize
- ForwardOnly
- AppendAndForward
- SanitizeAndSet
- AlwaysForwardOnly
type: string
type: object
type: object
envoyHTTPFilterRefs:
description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
properties:
prepend:
description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
type: object
routes:
description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies.
items:
description: |-
SidecarGatewayApplicationRoute defines the security configurations for different paths.
At most one of secured and unsecured can be set.
Default: secured: {...}
properties:
pathPrefix:
default: /
description: PathPrefix defines the path prefix used during route selection.
minLength: 1
type: string
secured:
description: Secured enables WAF processing for this route.
properties:
accessControlRef:
description: |-
AccessControlRef selects the relevant AccessControl configuration resource.
If undefined, Airlock Microgateway does not perform any access control.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
contentSecurityRef:
description: |-
ContentSecurityRef selects the relevant ContentSecurity configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: object
unsecured:
description: |-
Unsecured disables all WAF functionality and therefore protection for this route.
WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
type: object
type: object
type: array
x-kubernetes-list-map-keys:
- pathPrefix
x-kubernetes-list-type: map
telemetryRef:
description: |-
TelemetryRef selects the relevant Telemetry configuration resource.
If undefined, default settings are applied, designed to work with most upstream web application services.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
upstream:
description: Upstream defines the upstream configuration for this application
properties:
protocol:
description: |-
Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
Default: auto: {}
properties:
auto:
description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection.
properties:
http2:
description: HTTP2 specifies the settings for when HTTP/2 is inferred.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
http1:
description: HTTP1 specifies to use HTTP/1.1.
type: object
http2:
description: HTTP2 specifies to use HTTP/2.
properties:
allowConnect:
default: false
description: Allows proxying Websocket and other upgrades over H2 connect.
type: boolean
type: object
type: object
timeouts:
description: Timeouts defines the timeout settings.
properties:
http:
description: HTTP defines the settings for HTTP timeouts.
properties:
idle:
description: |-
Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
A value of 0 will completely disable the timeout.
type: string
maxDuration:
default: 15s
description: |-
MaxDuration defines the total duration for a HTTP request/response stream.
Default: 15s
type: string
type: object
type: object
tls:
description: TLS defines the TLS settings.
properties:
ciphers:
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
items:
type: string
minItems: 1
type: array
enable:
default: false
description: Enable defines if the upstream connection is encrypted.
type: boolean
protocol:
description: Protocol defines the supported TLS protocol versions.
properties:
maximum:
description: Maximum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
minimum:
description: Minimum supported TLS version.
enum:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
type: string
type: object
type: object
type: object
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- containerPort
x-kubernetes-list-type: map
envoyClusterRefs:
description: EnvoyClusterRefs selects the relevant EnvoyClusters.
items:
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
podSelector:
description: PodSelector defines to which Pods the configuration will be applied to.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels.
type: object
type: object
sessionHandlingRef:
description: SessionHandlingRef selects the SessionHandling configuration to apply.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- applications
type: object
status:
description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date.
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human-readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of SidecarGateway condition.
type: string
required:
- status
- type
type: object
type: array
pods:
items:
properties:
envoyConfig:
description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
status:
type: string
unmanagedPods:
items:
properties:
managedBy:
description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod.
type: string
name:
description: Name indicates the name of a Pod selected by the SidecarGateway.
type: string
sessionAgentSecret:
type: string
required:
- name
type: object
type: array
required:
- status
type: object
type: object
served: true
storage: true
subresources:
status: {}
Reference in New Issue View Git Blame Copy Permalink