gateway.v1alpha1.clientTrafficPolicy
"ClientTrafficPolicy allows the user to configure the behavior of the connection\nbetween the downstream client and Envoy Proxy listener."
Index
fn new(name)
obj metadata
fn withAnnotations(annotations)
fn withAnnotationsMixin(annotations)
fn withClusterName(clusterName)
fn withCreationTimestamp(creationTimestamp)
fn withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)
fn withDeletionTimestamp(deletionTimestamp)
fn withFinalizers(finalizers)
fn withFinalizersMixin(finalizers)
fn withGenerateName(generateName)
fn withGeneration(generation)
fn withLabels(labels)
fn withLabelsMixin(labels)
fn withName(name)
fn withNamespace(namespace)
fn withOwnerReferences(ownerReferences)
fn withOwnerReferencesMixin(ownerReferences)
fn withResourceVersion(resourceVersion)
fn withSelfLink(selfLink)
fn withUid(uid)
obj spec
fn withEnableProxyProtocol(enableProxyProtocol)
fn withHttp3(http3)
fn withHttp3Mixin(http3)
fn withTargetRefs(targetRefs)
fn withTargetRefsMixin(targetRefs)
fn withTargetSelectors(targetSelectors)
fn withTargetSelectorsMixin(targetSelectors)
obj spec.clientIPDetection
obj spec.connection
obj spec.headers
obj spec.healthCheck
obj spec.http1
obj spec.http2
obj spec.path
obj spec.targetRef
obj spec.targetRefs
obj spec.targetSelectors
obj spec.tcpKeepalive
obj spec.timeout
obj spec.tls
fn withAlpnProtocols(alpnProtocols)
fn withAlpnProtocolsMixin(alpnProtocols)
fn withCiphers(ciphers)
fn withCiphersMixin(ciphers)
fn withEcdhCurves(ecdhCurves)
fn withEcdhCurvesMixin(ecdhCurves)
fn withMaxVersion(maxVersion)
fn withMinVersion(minVersion)
fn withSignatureAlgorithms(signatureAlgorithms)
fn withSignatureAlgorithmsMixin(signatureAlgorithms)
obj spec.tls.clientValidation
Fields
fn new
new(name)
new returns an instance of ClientTrafficPolicy
obj metadata
"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create."
fn metadata.withAnnotations
withAnnotations(annotations)
"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"
fn metadata.withAnnotationsMixin
withAnnotationsMixin(annotations)
"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"
Note: This function appends passed data to existing values
fn metadata.withClusterName
withClusterName(clusterName)
"The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request."
fn metadata.withCreationTimestamp
withCreationTimestamp(creationTimestamp)
"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."
fn metadata.withDeletionGracePeriodSeconds
withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)
"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."
fn metadata.withDeletionTimestamp
withDeletionTimestamp(deletionTimestamp)
"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."
fn metadata.withFinalizers
withFinalizers(finalizers)
"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."
fn metadata.withFinalizersMixin
withFinalizersMixin(finalizers)
"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."
Note: This function appends passed data to existing values
fn metadata.withGenerateName
withGenerateName(generateName)
"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency"
fn metadata.withGeneration
withGeneration(generation)
"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only."
fn metadata.withLabels
withLabels(labels)
"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"
fn metadata.withLabelsMixin
withLabelsMixin(labels)
"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"
Note: This function appends passed data to existing values
fn metadata.withName
withName(name)
"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names"
fn metadata.withNamespace
withNamespace(namespace)
"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces"
fn metadata.withOwnerReferences
withOwnerReferences(ownerReferences)
"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."
fn metadata.withOwnerReferencesMixin
withOwnerReferencesMixin(ownerReferences)
"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."
Note: This function appends passed data to existing values
fn metadata.withResourceVersion
withResourceVersion(resourceVersion)
"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
fn metadata.withSelfLink
withSelfLink(selfLink)
"SelfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release."
fn metadata.withUid
withUid(uid)
"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"
obj spec
"Spec defines the desired state of ClientTrafficPolicy."
fn spec.withEnableProxyProtocol
withEnableProxyProtocol(enableProxyProtocol)
"EnableProxyProtocol interprets the ProxyProtocol header and adds the\nClient Address into the X-Forwarded-For header.\nNote Proxy Protocol must be present when this field is set, else the connection\nis closed."
fn spec.withHttp3
withHttp3(http3)
"HTTP3 provides HTTP/3 configuration on the listener."
fn spec.withHttp3Mixin
withHttp3Mixin(http3)
"HTTP3 provides HTTP/3 configuration on the listener."
Note: This function appends passed data to existing values
fn spec.withTargetRefs
withTargetRefs(targetRefs)
"TargetRefs are the names of the Gateway resources this policy\nis being attached to."
fn spec.withTargetRefsMixin
withTargetRefsMixin(targetRefs)
"TargetRefs are the names of the Gateway resources this policy\nis being attached to."
Note: This function appends passed data to existing values
fn spec.withTargetSelectors
withTargetSelectors(targetSelectors)
"TargetSelectors allow targeting resources for this policy based on labels"
fn spec.withTargetSelectorsMixin
withTargetSelectorsMixin(targetSelectors)
"TargetSelectors allow targeting resources for this policy based on labels"
Note: This function appends passed data to existing values
obj spec.clientIPDetection
"ClientIPDetectionSettings provides configuration for determining the original client IP address for requests."
obj spec.clientIPDetection.customHeader
"CustomHeader provides configuration for determining the client IP address for a request based on\na trusted custom HTTP header. This uses the custom_header original IP detection extension.\nRefer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto\nfor more details."
fn spec.clientIPDetection.customHeader.withFailClosed
withFailClosed(failClosed)
"FailClosed is a switch used to control the flow of traffic when client IP detection\nfails. If set to true, the listener will respond with 403 Forbidden when the client\nIP address cannot be determined."
fn spec.clientIPDetection.customHeader.withName
withName(name)
"Name of the header containing the original downstream remote address, if present."
obj spec.clientIPDetection.xForwardedFor
"XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address."
fn spec.clientIPDetection.xForwardedFor.withNumTrustedHops
withNumTrustedHops(numTrustedHops)
"NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP\nheaders to trust when determining the origin client's IP address.\nRefer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for\nfor more details."
obj spec.connection
"Connection includes client connection settings."
fn spec.connection.withBufferLimit
withBufferLimit(bufferLimit)
"BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.\nFor example, 20Mi, 1Gi, 256Ki etc.\nNote that when the suffix is not provided, the value is interpreted as bytes.\nDefault: 32768 bytes."
obj spec.connection.connectionLimit
"ConnectionLimit defines limits related to connections"
fn spec.connection.connectionLimit.withCloseDelay
withCloseDelay(closeDelay)
"CloseDelay defines the delay to use before closing connections that are rejected\nonce the limit value is reached.\nDefault: none."
fn spec.connection.connectionLimit.withValue
withValue(value)
"Value of the maximum concurrent connections limit.\nWhen the limit is reached, incoming connections will be closed after the CloseDelay duration.\nDefault: unlimited."
obj spec.headers
"HeaderSettings provides configuration for header management."
fn spec.headers.withDisableRateLimitHeaders
withDisableRateLimitHeaders(disableRateLimitHeaders)
"DisableRateLimitHeaders configures Envoy Proxy to omit the \"X-RateLimit-\" response headers\nwhen rate limiting is enabled."
fn spec.headers.withEnableEnvoyHeaders
withEnableEnvoyHeaders(enableEnvoyHeaders)
"EnableEnvoyHeaders configures Envoy Proxy to add the \"X-Envoy-\" headers to requests\nand responses."
fn spec.headers.withPreserveXRequestID
withPreserveXRequestID(preserveXRequestID)
"PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge\n(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.\nIt defaults to false."
fn spec.headers.withWithUnderscoresAction
withWithUnderscoresAction(withUnderscoresAction)
"WithUnderscoresAction configures the action to take when an HTTP header with underscores\nis encountered. The default action is to reject the request."
obj spec.headers.xForwardedClientCert
"XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.\n\n\nx-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate\ninformation of part or all of the clients or proxies that a request has flowed through,\non its way from the client to the server.\n\n\nEnvoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.\n\n\nIf not set, the default behavior is sanitizing the XFCC header."
fn spec.headers.xForwardedClientCert.withCertDetailsToAdd
withCertDetailsToAdd(certDetailsToAdd)
"CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.\n\n\nHash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)\nare always included if the client certificate is forwarded.\n\n\nThis field is only applicable when the mode is set to AppendForward or\nSanitizeSet and the client connection is mTLS."
fn spec.headers.xForwardedClientCert.withCertDetailsToAddMixin
withCertDetailsToAddMixin(certDetailsToAdd)
"CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.\n\n\nHash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)\nare always included if the client certificate is forwarded.\n\n\nThis field is only applicable when the mode is set to AppendForward or\nSanitizeSet and the client connection is mTLS."
Note: This function appends passed data to existing values
fn spec.headers.xForwardedClientCert.withMode
withMode(mode)
"Mode defines how XFCC header is handled by Envoy Proxy.\nIf not set, the default mode is Sanitize."
obj spec.healthCheck
"HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy."
fn spec.healthCheck.withPath
withPath(path)
"Path specifies the HTTP path to match on for health check requests."
obj spec.http1
"HTTP1 provides HTTP/1 configuration on the listener."
fn spec.http1.withEnableTrailers
withEnableTrailers(enableTrailers)
"EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy."
fn spec.http1.withPreserveHeaderCase
withPreserveHeaderCase(preserveHeaderCase)
"PreserveHeaderCase defines if Envoy should preserve the letter case of headers.\nBy default, Envoy will lowercase all the headers."
obj spec.http1.http10
"HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests."
fn spec.http1.http10.withUseDefaultHost
withUseDefaultHost(useDefaultHost)
"UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,\nthen the hostname associated with the listener should be injected into the\nrequest.\nIf this is not set and an HTTP/1.0 request arrives without a host, then\nit will be rejected."
obj spec.http2
"HTTP2 provides HTTP/2 configuration on the listener."
fn spec.http2.withInitialConnectionWindowSize
withInitialConnectionWindowSize(initialConnectionWindowSize)
"InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.\nIf not set, the default value is 1 MiB."
fn spec.http2.withInitialStreamWindowSize
withInitialStreamWindowSize(initialStreamWindowSize)
"InitialStreamWindowSize sets the initial window size for HTTP/2 streams.\nIf not set, the default value is 64 KiB(64*1024)."
fn spec.http2.withMaxConcurrentStreams
withMaxConcurrentStreams(maxConcurrentStreams)
"MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.\nIf not set, the default value is 100."
obj spec.path
"Path enables managing how the incoming path set by clients can be normalized."
fn spec.path.withDisableMergeSlashes
withDisableMergeSlashes(disableMergeSlashes)
"DisableMergeSlashes allows disabling the default configuration of merging adjacent\nslashes in the path.\nNote that slash merging is not part of the HTTP spec and is provided for convenience."
fn spec.path.withEscapedSlashesAction
withEscapedSlashesAction(escapedSlashesAction)
"EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI\nshould be handled.\nThe default is UnescapeAndRedirect."
obj spec.targetRef
"TargetRef is the name of the resource this policy is being attached to.\nThis policy and the TargetRef MUST be in the same namespace for this\nPolicy to have effect\n\n\nDeprecated: use targetRefs/targetSelectors instead"
fn spec.targetRef.withGroup
withGroup(group)
"Group is the group of the target resource."
fn spec.targetRef.withKind
withKind(kind)
"Kind is kind of the target resource."
fn spec.targetRef.withName
withName(name)
"Name is the name of the target resource."
fn spec.targetRef.withSectionName
withSectionName(sectionName)
"SectionName is the name of a section within the target resource. When\nunspecified, this targetRef targets the entire resource. In the following\nresources, SectionName is interpreted as the following:\n\n\n* Gateway: Listener name\n* HTTPRoute: HTTPRouteRule name\n* Service: Port name\n\n\nIf a SectionName is specified, but does not exist on the targeted object,\nthe Policy must fail to attach, and the policy implementation should record\na ResolvedRefs or similar Condition in the Policy's status."
obj spec.targetRefs
"TargetRefs are the names of the Gateway resources this policy\nis being attached to."
fn spec.targetRefs.withGroup
withGroup(group)
"Group is the group of the target resource."
fn spec.targetRefs.withKind
withKind(kind)
"Kind is kind of the target resource."
fn spec.targetRefs.withName
withName(name)
"Name is the name of the target resource."
fn spec.targetRefs.withSectionName
withSectionName(sectionName)
"SectionName is the name of a section within the target resource. When\nunspecified, this targetRef targets the entire resource. In the following\nresources, SectionName is interpreted as the following:\n\n\n* Gateway: Listener name\n* HTTPRoute: HTTPRouteRule name\n* Service: Port name\n\n\nIf a SectionName is specified, but does not exist on the targeted object,\nthe Policy must fail to attach, and the policy implementation should record\na ResolvedRefs or similar Condition in the Policy's status."
obj spec.targetSelectors
"TargetSelectors allow targeting resources for this policy based on labels"
fn spec.targetSelectors.withGroup
withGroup(group)
"Group is the group that this selector targets. Defaults to gateway.networking.k8s.io"
fn spec.targetSelectors.withKind
withKind(kind)
"Kind is the resource kind that this selector targets."
fn spec.targetSelectors.withMatchLabels
withMatchLabels(matchLabels)
"MatchLabels are the set of label selectors for identifying the targeted resource"
fn spec.targetSelectors.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"MatchLabels are the set of label selectors for identifying the targeted resource"
Note: This function appends passed data to existing values
obj spec.tcpKeepalive
"TcpKeepalive settings associated with the downstream client connection.\nIf defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.\nDisabled by default."
fn spec.tcpKeepalive.withIdleTime
withIdleTime(idleTime)
"The duration a connection needs to be idle before keep-alive\nprobes start being sent.\nThe duration format is\nDefaults to 7200s."
fn spec.tcpKeepalive.withInterval
withInterval(interval)
"The duration between keep-alive probes.\nDefaults to 75s."
fn spec.tcpKeepalive.withProbes
withProbes(probes)
"The total number of unacknowledged probes to send before deciding\nthe connection is dead.\nDefaults to 9."
obj spec.timeout
"Timeout settings for the client connections."
obj spec.timeout.http
"Timeout settings for HTTP."
fn spec.timeout.http.withIdleTimeout
withIdleTimeout(idleTimeout)
"IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.\nDefault: 1 hour."
fn spec.timeout.http.withRequestReceivedTimeout
withRequestReceivedTimeout(requestReceivedTimeout)
"RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request\ninitiation and stops when either the last byte of the request is sent upstream or when the response begins."
obj spec.timeout.tcp
"Timeout settings for TCP."
fn spec.timeout.tcp.withIdleTimeout
withIdleTimeout(idleTimeout)
"IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no\nbytes sent or received on either the upstream or downstream connection.\nDefault: 1 hour."
obj spec.tls
"TLS settings configure TLS termination settings with the downstream client."
fn spec.tls.withAlpnProtocols
withAlpnProtocols(alpnProtocols)
"ALPNProtocols supplies the list of ALPN protocols that should be\nexposed by the listener. By default h2 and http/1.1 are enabled.\nSupported values are:\n- http/1.0\n- http/1.1\n- h2"
fn spec.tls.withAlpnProtocolsMixin
withAlpnProtocolsMixin(alpnProtocols)
"ALPNProtocols supplies the list of ALPN protocols that should be\nexposed by the listener. By default h2 and http/1.1 are enabled.\nSupported values are:\n- http/1.0\n- http/1.1\n- h2"
Note: This function appends passed data to existing values
fn spec.tls.withCiphers
withCiphers(ciphers)
"Ciphers specifies the set of cipher suites supported when\nnegotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.\nIn non-FIPS Envoy Proxy builds the default cipher list is:\n- [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\n- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\n- ECDHE-ECDSA-AES256-GCM-SHA384\n- ECDHE-RSA-AES256-GCM-SHA384\nIn builds using BoringSSL FIPS the default cipher list is:\n- ECDHE-ECDSA-AES128-GCM-SHA256\n- ECDHE-RSA-AES128-GCM-SHA256\n- ECDHE-ECDSA-AES256-GCM-SHA384\n- ECDHE-RSA-AES256-GCM-SHA384"
fn spec.tls.withCiphersMixin
withCiphersMixin(ciphers)
"Ciphers specifies the set of cipher suites supported when\nnegotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.\nIn non-FIPS Envoy Proxy builds the default cipher list is:\n- [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\n- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\n- ECDHE-ECDSA-AES256-GCM-SHA384\n- ECDHE-RSA-AES256-GCM-SHA384\nIn builds using BoringSSL FIPS the default cipher list is:\n- ECDHE-ECDSA-AES128-GCM-SHA256\n- ECDHE-RSA-AES128-GCM-SHA256\n- ECDHE-ECDSA-AES256-GCM-SHA384\n- ECDHE-RSA-AES256-GCM-SHA384"
Note: This function appends passed data to existing values
fn spec.tls.withEcdhCurves
withEcdhCurves(ecdhCurves)
"ECDHCurves specifies the set of supported ECDH curves.\nIn non-FIPS Envoy Proxy builds the default curves are:\n- X25519\n- P-256\nIn builds using BoringSSL FIPS the default curve is:\n- P-256"
fn spec.tls.withEcdhCurvesMixin
withEcdhCurvesMixin(ecdhCurves)
"ECDHCurves specifies the set of supported ECDH curves.\nIn non-FIPS Envoy Proxy builds the default curves are:\n- X25519\n- P-256\nIn builds using BoringSSL FIPS the default curve is:\n- P-256"
Note: This function appends passed data to existing values
fn spec.tls.withMaxVersion
withMaxVersion(maxVersion)
"Max specifies the maximal TLS protocol version to allow.\nThe default is TLS 1.3 if this is not specified."
fn spec.tls.withMinVersion
withMinVersion(minVersion)
"Min specifies the minimal TLS protocol version to allow.\nThe default is TLS 1.2 if this is not specified."
fn spec.tls.withSignatureAlgorithms
withSignatureAlgorithms(signatureAlgorithms)
"SignatureAlgorithms specifies which signature algorithms the listener should\nsupport."
fn spec.tls.withSignatureAlgorithmsMixin
withSignatureAlgorithmsMixin(signatureAlgorithms)
"SignatureAlgorithms specifies which signature algorithms the listener should\nsupport."
Note: This function appends passed data to existing values
obj spec.tls.clientValidation
"ClientValidation specifies the configuration to validate the client\ninitiating the TLS connection to the Gateway listener."
fn spec.tls.clientValidation.withCaCertificateRefs
withCaCertificateRefs(caCertificateRefs)
"CACertificateRefs contains one or more references to\nKubernetes objects that contain TLS certificates of\nthe Certificate Authorities that can be used\nas a trust anchor to validate the certificates presented by the client.\n\n\nA single reference to a Kubernetes ConfigMap or a Kubernetes Secret,\nwith the CA certificate in a key named ca.crt is currently supported.\n\n\nReferences to a resource in different namespace are invalid UNLESS there\nis a ReferenceGrant in the target namespace that allows the certificate\nto be attached."
fn spec.tls.clientValidation.withCaCertificateRefsMixin
withCaCertificateRefsMixin(caCertificateRefs)
"CACertificateRefs contains one or more references to\nKubernetes objects that contain TLS certificates of\nthe Certificate Authorities that can be used\nas a trust anchor to validate the certificates presented by the client.\n\n\nA single reference to a Kubernetes ConfigMap or a Kubernetes Secret,\nwith the CA certificate in a key named ca.crt is currently supported.\n\n\nReferences to a resource in different namespace are invalid UNLESS there\nis a ReferenceGrant in the target namespace that allows the certificate\nto be attached."
Note: This function appends passed data to existing values
fn spec.tls.clientValidation.withOptional
withOptional(optional)
"Optional set to true accepts connections even when a client doesn't present a certificate.\nDefaults to false, which rejects connections without a valid client certificate."
obj spec.tls.clientValidation.caCertificateRefs
"CACertificateRefs contains one or more references to\nKubernetes objects that contain TLS certificates of\nthe Certificate Authorities that can be used\nas a trust anchor to validate the certificates presented by the client.\n\n\nA single reference to a Kubernetes ConfigMap or a Kubernetes Secret,\nwith the CA certificate in a key named ca.crt is currently supported.\n\n\nReferences to a resource in different namespace are invalid UNLESS there\nis a ReferenceGrant in the target namespace that allows the certificate\nto be attached."
fn spec.tls.clientValidation.caCertificateRefs.withGroup
withGroup(group)
"Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred."
fn spec.tls.clientValidation.caCertificateRefs.withKind
withKind(kind)
"Kind is kind of the referent. For example \"Secret\"."
fn spec.tls.clientValidation.caCertificateRefs.withName
withName(name)
"Name is the name of the referent."
fn spec.tls.clientValidation.caCertificateRefs.withNamespace
withNamespace(namespace)
"Namespace is the namespace of the referenced object. When unspecified, the local\nnamespace is inferred.\n\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\n\nSupport: Core"
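Added usage example (not part of the generated library documentation above): one policy built from the builder functions listed on this page, composing the spec.tls, spec.tls.clientValidation, spec.headers.xForwardedClientCert, spec.clientIPDetection.xForwardedFor, spec.connection and spec.timeout sections into a hardened client-facing listener. The import path, the namespace `edge`, the Gateway name `public-gateway` and the Secret name `client-ca` are assumptions for this example; the enum values `SanitizeSet` and `Sanitize` come from the field docs above, while the TLS version string `'1.3'` and the `Subject` cert detail follow the Envoy Gateway API as I understand it and should be checked against your installed CRD version.

```jsonnet
// Added example: a ClientTrafficPolicy assembled with this library's
// with*() builders. Import path is an assumption; point it at wherever the
// generated Envoy Gateway libsonnet is vendored in your repository.
local eg = import 'envoy-gateway-libsonnet/main.libsonnet';
local ctp = eg.gateway.v1alpha1.clientTrafficPolicy;

// Constructed placeholder names for this example.
local gatewayName = 'public-gateway';
local caSecretName = 'client-ca';

ctp.new('hardened-client-traffic')
+ ctp.metadata.withNamespace('edge')

// Attach the policy to a single Gateway. Each targetRefs element is built
// with the spec.targetRefs.* helpers and passed as a list to withTargetRefs.
+ ctp.spec.withTargetRefs([
  ctp.spec.targetRefs.withGroup('gateway.networking.k8s.io')
  + ctp.spec.targetRefs.withKind('Gateway')
  + ctp.spec.targetRefs.withName(gatewayName),
])

// TLS termination: pin the protocol to TLS 1.3 (ciphers then do not apply,
// per the withCiphers docs) and keep the non-FIPS default curve set explicit.
+ ctp.spec.tls.withMinVersion('1.3')
+ ctp.spec.tls.withMaxVersion('1.3')
+ ctp.spec.tls.withEcdhCurves(['X25519', 'P-256'])

// Mutual TLS: require a client certificate chained to the CA stored under
// the ca.crt key of the referenced Secret. optional=false (the default) is
// set explicitly so the intent survives a later refactor.
+ ctp.spec.tls.clientValidation.withOptional(false)
+ ctp.spec.tls.clientValidation.withCaCertificateRefs([
  ctp.spec.tls.clientValidation.caCertificateRefs.withKind('Secret')
  + ctp.spec.tls.clientValidation.caCertificateRefs.withName(caSecretName),
])

// XFCC: SanitizeSet discards any client-supplied x-forwarded-client-cert
// and sets a fresh one from the validated certificate, so upstreams only
// ever see values Envoy produced. 'Subject' is an assumed detail name.
+ ctp.spec.headers.xForwardedClientCert.withMode('SanitizeSet')
+ ctp.spec.headers.xForwardedClientCert.withCertDetailsToAdd(['Subject'])

// Client IP: trust exactly one proxy hop in X-Forwarded-For (for example a
// cloud load balancer in front of Envoy); anything further left is
// client-controlled and must not be used for allow-listing or logging.
+ ctp.spec.clientIPDetection.xForwardedFor.withNumTrustedHops(1)

// Resource limits: cap concurrent connections, bound the time a slow client
// may spend sending a request, and shorten the 1 hour idle default.
+ ctp.spec.connection.connectionLimit.withValue(10000)
+ ctp.spec.connection.connectionLimit.withCloseDelay('5s')
+ ctp.spec.timeout.http.withRequestReceivedTimeout('30s')
+ ctp.spec.timeout.http.withIdleTimeout('5m')
```

Rendering this with `jsonnet` yields the ClientTrafficPolicy manifest; note that the Secret referenced by caCertificateRefs must live in the policy's namespace, or a ReferenceGrant is needed in the Secret's namespace, as the withNamespace docs above state.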