diff --git a/apis/v1alpha2/referencegrant_types.go b/apis/v1alpha2/referencegrant_types.go index 3c301b45f8..645b404d56 100644 --- a/apis/v1alpha2/referencegrant_types.go +++ b/apis/v1alpha2/referencegrant_types.go @@ -16,7 +16,11 @@ limitations under the License. package v1alpha2 -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "sigs.k8s.io/gateway-api/apis/v1beta1" +) // +genclient // +kubebuilder:object:root=true @@ -40,20 +44,10 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // grant allowed. // // Support: Core -// -type ReferenceGrant struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - // Spec defines the desired state of ReferenceGrant. - Spec ReferenceGrantSpec `json:"spec,omitempty"` - - // Note that `Status` sub-resource has been excluded at the - // moment as it was difficult to work out the design. - // `Status` sub-resource may be added in future. -} +type ReferenceGrant v1beta1.ReferenceGrant // +kubebuilder:object:root=true + // ReferenceGrantList contains a list of ReferenceGrant. type ReferenceGrantList struct { metav1.TypeMeta `json:",inline"` 
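Review bot: `type ReferenceGrant v1beta1.ReferenceGrant` is a defined type, while the spec, from and to types in the next hunk are aliases, and the doc comment does not say why the two are treated differently. A defined type does not inherit the methods of `v1beta1.ReferenceGrant`, so callers need an explicit conversion between the versions, and the v1alpha2 deepcopy methods for it have to stay generated (the deepcopy hunk for this package keeps them). I would add a line above the declaration such as `// ReferenceGrant is a distinct type with the v1beta1 layout so v1alpha2 keeps its own registered kind; convert with v1beta1.ReferenceGrant(rg).` The motive is inferred from the diff, so the wording should be confirmed by the author.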
@@ -63,82 +57,14 @@ type ReferenceGrantList struct { // ReferenceGrantSpec identifies a cross namespace relationship that is trusted // for Gateway API. -type ReferenceGrantSpec struct { - // From describes the trusted namespaces and kinds that can reference the - // resources described in "To". Each entry in this list must be considered - // to be an additional place that references can be valid from, or to put - // this another way, entries must be combined using OR. - // - // Support: Core - // - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=16 - From []ReferenceGrantFrom `json:"from"` - - // To describes the resources that may be referenced by the resources - // described in "From". Each entry in this list must be considered to be an - // additional place that references can be valid to, or to put this another - // way, entries must be combined using OR. - // - // Support: Core - // - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=16 - To []ReferenceGrantTo `json:"to"` -} +// +k8s:deepcopy-gen=false +type ReferenceGrantSpec = v1beta1.ReferenceGrantSpec // ReferenceGrantFrom describes trusted namespaces and kinds. -type ReferenceGrantFrom struct { - // Group is the group of the referent. - // When empty, the Kubernetes core API group is inferred. - // - // Support: Core - Group Group `json:"group"` - - // Kind is the kind of the referent. Although implementations may support - // additional resources, the following types are part of the "Core" - // support level for this field. - // - // When used to permit a SecretObjectReference: - // - // * Gateway - // - // When used to permit a BackendObjectReference: - // - // * GRPCRoute - // * HTTPRoute - // * TCPRoute - // * TLSRoute - // * UDPRoute - Kind Kind `json:"kind"` - - // Namespace is the namespace of the referent. 
- // - // Support: Core - Namespace Namespace `json:"namespace"` -} +// +k8s:deepcopy-gen=false +type ReferenceGrantFrom = v1beta1.ReferenceGrantFrom // ReferenceGrantTo describes what Kinds are allowed as targets of the // references. -type ReferenceGrantTo struct { - // Group is the group of the referent. - // When empty, the Kubernetes core API group is inferred. - // - // Support: Core - Group Group `json:"group"` - - // Kind is the kind of the referent. Although implementations may support - // additional resources, the following types are part of the "Core" - // support level for this field: - // - // * Secret when used to permit a SecretObjectReference - // * Service when used to permit a BackendObjectReference - Kind Kind `json:"kind"` - - // Name is the name of the referent. When unspecified, this policy - // refers to all resources of the specified Group and Kind in the local - // namespace. - // - // +optional - Name *ObjectName `json:"name,omitempty"` -} +// +k8s:deepcopy-gen=false +type ReferenceGrantTo = v1beta1.ReferenceGrantTo diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go index 4770750a39..5881559f4f 100644 --- a/apis/v1alpha2/zz_generated.deepcopy.go +++ b/apis/v1alpha2/zz_generated.deepcopy.go 
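Review bot: With `ReferenceGrantSpec`, `ReferenceGrantFrom` and `ReferenceGrantTo` turned into aliases, the `MinItems=1`/`MaxItems=16` markers and field docs this hunk removes now live only in v1beta1, so any later edit there also changes what v1alpha2 accepts. For a type that expresses cross-namespace trust, that coupling is worth stating where a maintainer will see it. I would add to each alias comment something like `// Alias of the v1beta1 type: field and validation changes there also apply to v1alpha2.`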
@@ -518,21 +518,6 @@ func (in *ReferenceGrant) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferenceGrantFrom) DeepCopyInto(out *ReferenceGrantFrom) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantFrom. -func (in *ReferenceGrantFrom) DeepCopy() *ReferenceGrantFrom { - if in == nil { - return nil - } - out := new(ReferenceGrantFrom) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ReferenceGrantList) DeepCopyInto(out *ReferenceGrantList) { *out = *in 
@@ -565,53 +550,6 @@ func (in *ReferenceGrantList) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferenceGrantSpec) DeepCopyInto(out *ReferenceGrantSpec) { - *out = *in - if in.From != nil { - in, out := &in.From, &out.From - *out = make([]ReferenceGrantFrom, len(*in)) - copy(*out, *in) - } - if in.To != nil { - in, out := &in.To, &out.To - *out = make([]ReferenceGrantTo, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantSpec. -func (in *ReferenceGrantSpec) DeepCopy() *ReferenceGrantSpec { - if in == nil { - return nil - } - out := new(ReferenceGrantSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferenceGrantTo) DeepCopyInto(out *ReferenceGrantTo) { - *out = *in - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(v1beta1.ObjectName) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantTo. -func (in *ReferenceGrantTo) DeepCopy() *ReferenceGrantTo { - if in == nil { - return nil - } - out := new(ReferenceGrantTo) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TCPRoute) DeepCopyInto(out *TCPRoute) { *out = *in diff --git a/apis/v1beta1/referencegrant_types.go b/apis/v1beta1/referencegrant_types.go new file mode 100644 index 0000000000..634a8f4d19 --- /dev/null +++ b/apis/v1beta1/referencegrant_types.go 
@@ -0,0 +1,142 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=gateway-api,shortName=refgrant
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// ReferenceGrant identifies kinds of resources in other namespaces that are
+// trusted to reference the specified kinds of resources in the same namespace
+// as the policy.
+//
+// Each ReferenceGrant can be used to represent a unique trust relationship.
+// Additional Reference Grants can be used to add to the set of trusted
+// sources of inbound references for the namespace they are defined within.
+//
+// All cross-namespace references in Gateway API (with the exception of cross-namespace
+// Gateway-route attachment) require a ReferenceGrant.
+//
+// ReferenceGrant is a form of runtime verification. Implementations that support
+// ReferenceGrant MUST respond to removal of a grant by revoking the access that
+// grant allowed.
+//
+// Support: Core
+type ReferenceGrant struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec defines the desired state of ReferenceGrant.
+ Spec ReferenceGrantSpec `json:"spec,omitempty"`
+
+ // Note that `Status` sub-resource has been excluded at the
+ // moment as it was difficult to work out the design.
+ // `Status` sub-resource may be added in future.
+}
+
+// +kubebuilder:object:root=true
+// ReferenceGrantList contains a list of ReferenceGrant.
+type ReferenceGrantList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []ReferenceGrant `json:"items"`
+}
+
+// ReferenceGrantSpec identifies a cross namespace relationship that is trusted
+// for Gateway API.
+type ReferenceGrantSpec struct {
+ // From describes the trusted namespaces and kinds that can reference the
+ // resources described in "To". Each entry in this list must be considered
+ // to be an additional place that references can be valid from, or to put
+ // this another way, entries must be combined using OR.
+ //
+ // Support: Core
+ //
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ From []ReferenceGrantFrom `json:"from"`
+
+ // To describes the resources that may be referenced by the resources
+ // described in "From". Each entry in this list must be considered to be an
+ // additional place that references can be valid to, or to put this another
+ // way, entries must be combined using OR.
+ //
+ // Support: Core
+ //
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ To []ReferenceGrantTo `json:"to"`
+}
+
+// ReferenceGrantFrom describes trusted namespaces and kinds.
+type ReferenceGrantFrom struct {
+ // Group is the group of the referent.
+ // When empty, the Kubernetes core API group is inferred.
+ //
+ // Support: Core
+ Group Group `json:"group"`
+
+ // Kind is the kind of the referent. Although implementations may support
+ // additional resources, the following types are part of the "Core"
+ // support level for this field.
+ //
+ // When used to permit a SecretObjectReference:
+ //
+ // * Gateway
+ //
+ // When used to permit a BackendObjectReference:
+ //
+ // * GRPCRoute
+ // * HTTPRoute
+ // * TCPRoute
+ // * TLSRoute
+ // * UDPRoute
+ Kind Kind `json:"kind"`
+
+ // Namespace is the namespace of the referent.
+ //
+ // Support: Core
+ Namespace Namespace `json:"namespace"`
+}
+
+// ReferenceGrantTo describes what Kinds are allowed as targets of the
+// references.
+type ReferenceGrantTo struct {
+ // Group is the group of the referent.
+ // When empty, the Kubernetes core API group is inferred.
+ //
+ // Support: Core
+ Group Group `json:"group"`
+
+ // Kind is the kind of the referent. Although implementations may support
+ // additional resources, the following types are part of the "Core"
+ // support level for this field:
+ //
+ // * Secret when used to permit a SecretObjectReference
+ // * Service when used to permit a BackendObjectReference
+ Kind Kind `json:"kind"`
+
+ // Name is the name of the referent. When unspecified, this policy
+ // refers to all resources of the specified Group and Kind in the local
+ // namespace.
+ //
+ // +optional
+ Name *ObjectName `json:"name,omitempty"`
+}
diff --git a/apis/v1beta1/zz_generated.deepcopy.go b/apis/v1beta1/zz_generated.deepcopy.go
index c09f5a5578..afda0d4dd2 100644
--- a/apis/v1beta1/zz_generated.deepcopy.go
+++ b/apis/v1beta1/zz_generated.deepcopy.go
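Review bot: The doc comment on `ReferenceGrantTo.Name` understates how broad a grant becomes when the field is omitted: it then covers every resource of that Group and Kind in the namespace, which for `Secret` means every Secret there (and presumably ones created after the grant). I would extend the comment with `// Omitting Name grants access to all matching resources in this namespace; set Name to restrict the grant to one object.` Separately, `// +kubebuilder:object:root=true` above `ReferenceGrantList` is not followed by a blank line, so the marker runs into the doc comment; this same commit adds that blank line in the v1alpha2 file.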
@@ -1011,6 +1011,126 @@ func (in *ParentReference) DeepCopy() *ParentReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferenceGrant) DeepCopyInto(out *ReferenceGrant) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrant. +func (in *ReferenceGrant) DeepCopy() *ReferenceGrant { + if in == nil { + return nil + } + out := new(ReferenceGrant) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ReferenceGrant) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferenceGrantFrom) DeepCopyInto(out *ReferenceGrantFrom) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantFrom. +func (in *ReferenceGrantFrom) DeepCopy() *ReferenceGrantFrom { + if in == nil { + return nil + } + out := new(ReferenceGrantFrom) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferenceGrantList) DeepCopyInto(out *ReferenceGrantList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ReferenceGrant, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantList. 
+func (in *ReferenceGrantList) DeepCopy() *ReferenceGrantList { + if in == nil { + return nil + } + out := new(ReferenceGrantList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ReferenceGrantList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferenceGrantSpec) DeepCopyInto(out *ReferenceGrantSpec) { + *out = *in + if in.From != nil { + in, out := &in.From, &out.From + *out = make([]ReferenceGrantFrom, len(*in)) + copy(*out, *in) + } + if in.To != nil { + in, out := &in.To, &out.To + *out = make([]ReferenceGrantTo, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantSpec. +func (in *ReferenceGrantSpec) DeepCopy() *ReferenceGrantSpec { + if in == nil { + return nil + } + out := new(ReferenceGrantSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferenceGrantTo) DeepCopyInto(out *ReferenceGrantTo) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(ObjectName) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantTo. +func (in *ReferenceGrantTo) DeepCopy() *ReferenceGrantTo { + if in == nil { + return nil + } + out := new(ReferenceGrantTo) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RouteGroupKind) DeepCopyInto(out *RouteGroupKind) { *out = *in 
diff --git a/apis/v1beta1/zz_generated.register.go b/apis/v1beta1/zz_generated.register.go index 7cb684d1cf..05d7898b38 100644 --- a/apis/v1beta1/zz_generated.register.go +++ b/apis/v1beta1/zz_generated.register.go @@ -64,6 +64,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &GatewayList{}, &HTTPRoute{}, &HTTPRouteList{}, + &ReferenceGrant{}, + &ReferenceGrantList{}, ) // AddToGroupVersion allows the serialization of client types like ListOptions. v1.AddToGroupVersion(scheme, SchemeGroupVersion) diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml index 56fb8764ec..8bd6c852ca 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml 
@@ -143,6 +143,129 @@ spec: served: true storage: true subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces + that are trusted to reference the specified kinds of resources in the same + namespace as the policy. \n Each ReferenceGrant can be used to represent + a unique trust relationship. Additional Reference Grants can be used to + add to the set of trusted sources of inbound references for the namespace + they are defined within. \n All cross-namespace references in Gateway API + (with the exception of cross-namespace Gateway-route attachment) require + a ReferenceGrant. \n ReferenceGrant is a form of runtime verification. Implementations + that support ReferenceGrant MUST respond to removal of a grant by revoking + the access that grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that + can reference the resources described in \"To\". 
Each entry in this + list must be considered to be an additional place that references + can be valid from, or to put this another way, entries must be combined + using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: "Group is the group of the referent. When empty, + the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field. \n When + used to permit a SecretObjectReference: \n * Gateway \n When + used to permit a BackendObjectReference: \n * GRPCRoute * + HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n + Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by + the resources described in \"From\". Each entry in this list must + be considered to be an additional place that references can be valid + to, or to put this another way, entries must be combined using OR. + \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as + targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, + the Kubernetes core API group is inferred. 
\n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field: \n * Secret + when used to permit a SecretObjectReference * Service when + used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, + this policy refers to all resources of the specified Group + and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} status: acceptedNames: kind: "" diff --git a/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml new file mode 100644 index 0000000000..207f1c89ba --- /dev/null +++ b/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml 
@@ -0,0 +1,274 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086 + gateway.networking.k8s.io/bundle-version: v0.6.0-dev + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces + that are trusted to reference the specified kinds of resources in the same + namespace as the policy. \n Each ReferenceGrant can be used to represent + a unique trust relationship. Additional Reference Grants can be used to + add to the set of trusted sources of inbound references for the namespace + they are defined within. \n All cross-namespace references in Gateway API + (with the exception of cross-namespace Gateway-route attachment) require + a ReferenceGrant. \n ReferenceGrant is a form of runtime verification. Implementations + that support ReferenceGrant MUST respond to removal of a grant by revoking + the access that grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that + can reference the resources described in \"To\". Each entry in this + list must be considered to be an additional place that references + can be valid from, or to put this another way, entries must be combined + using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: "Group is the group of the referent. When empty, + the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field. \n When + used to permit a SecretObjectReference: \n * Gateway \n When + used to permit a BackendObjectReference: \n * GRPCRoute * + HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n + Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by + the resources described in \"From\". 
Each entry in this list must + be considered to be an additional place that references can be valid + to, or to put this another way, entries must be combined using OR. + \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as + targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, + the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field: \n * Secret + when used to permit a SecretObjectReference * Service when + used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, + this policy refers to all resources of the specified Group + and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces + that are trusted to reference the specified kinds of resources in the same + namespace as the policy. \n Each ReferenceGrant can be used to represent + a unique trust relationship. Additional Reference Grants can be used to + add to the set of trusted sources of inbound references for the namespace + they are defined within. 
\n All cross-namespace references in Gateway API + (with the exception of cross-namespace Gateway-route attachment) require + a ReferenceGrant. \n ReferenceGrant is a form of runtime verification. Implementations + that support ReferenceGrant MUST respond to removal of a grant by revoking + the access that grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that + can reference the resources described in \"To\". Each entry in this + list must be considered to be an additional place that references + can be valid from, or to put this another way, entries must be combined + using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: "Group is the group of the referent. When empty, + the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. 
Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field. \n When + used to permit a SecretObjectReference: \n * Gateway \n When + used to permit a BackendObjectReference: \n * GRPCRoute * + HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n + Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by + the resources described in \"From\". Each entry in this list must + be considered to be an additional place that references can be valid + to, or to put this another way, entries must be combined using OR. + \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as + targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, + the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field: \n * Secret + when used to permit a SecretObjectReference * Service when + used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, + this policy refers to all resources of the specified Group + and Kind in the local namespace. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/conformance/tests/gateway-secret-invalid-reference-grant.yaml b/conformance/tests/gateway-secret-invalid-reference-grant.yaml index 51b719202b..ff201fd2de 100644 --- a/conformance/tests/gateway-secret-invalid-reference-grant.yaml +++ b/conformance/tests/gateway-secret-invalid-reference-grant.yaml @@ -19,7 +19,7 @@ spec: name: certificate namespace: gateway-conformance-web-backend --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: reference-grant-wrong-namespace @@ -34,7 +34,7 @@ spec: kind: Secret name: certificate --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: reference-grant-wrong-from-group @@ -49,7 +49,7 @@ spec: kind: Secret name: certificate --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: reference-grant-wrong-from-kind @@ -64,7 +64,7 @@ spec: kind: Secret name: certificate --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: reference-grant-wrong-from-namespace @@ -79,7 +79,7 @@ spec: kind: Secret name: certificate --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: reference-grant-wrong-to-group 
@@ -94,7 +94,7 @@ spec:
 kind: Secret
 name: not-the-certificate-youre-looking-for
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: reference-grant-wrong-to-kind
@@ -109,7 +109,7 @@ spec:
 kind: Service
 name: certificate
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: reference-grant-wrong-to-name
diff --git a/conformance/tests/gateway-secret-reference-grant-all-in-namespace.yaml b/conformance/tests/gateway-secret-reference-grant-all-in-namespace.yaml
index 57e7faed3e..aaed62f8b8 100644
--- a/conformance/tests/gateway-secret-reference-grant-all-in-namespace.yaml
+++ b/conformance/tests/gateway-secret-reference-grant-all-in-namespace.yaml
@@ -19,7 +19,7 @@ spec:
 name: certificate
 namespace: gateway-conformance-web-backend
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: reference-grant-all-in-namespace
diff --git a/conformance/tests/gateway-secret-reference-grant-specific.yaml b/conformance/tests/gateway-secret-reference-grant-specific.yaml
index e604f5da5c..0eb1e5fbec 100644
--- a/conformance/tests/gateway-secret-reference-grant-specific.yaml
+++ b/conformance/tests/gateway-secret-reference-grant-specific.yaml
@@ -19,7 +19,7 @@ spec:
 name: certificate
 namespace: gateway-conformance-web-backend
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: reference-grant-specific
diff --git a/conformance/tests/httproute-invalid-reference-grant.yaml b/conformance/tests/httproute-invalid-reference-grant.yaml
index 562a6f6a05..41181b7665 100644
--- a/conformance/tests/httproute-invalid-reference-grant.yaml
+++ b/conformance/tests/httproute-invalid-reference-grant.yaml
@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: invalid-reference-grant
diff --git a/conformance/tests/httproute-reference-grant.yaml b/conformance/tests/httproute-reference-grant.yaml
index 16828b016a..f93d1b21d2 100644
--- a/conformance/tests/httproute-reference-grant.yaml
+++ b/conformance/tests/httproute-reference-grant.yaml
@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: reference-grant
diff --git a/examples/experimental/reference-grant.yaml b/examples/standard/reference-grant.yaml
similarity index 85%
rename from examples/experimental/reference-grant.yaml
rename to examples/standard/reference-grant.yaml
index c852ab1ceb..0cad84bdcd 100644
--- a/examples/experimental/reference-grant.yaml
+++ b/examples/standard/reference-grant.yaml
@@ -1,7 +1,7 @@
 #$ Used in:
 #$ - site-src/concepts/security-model.md
 #$ - site-src/blog/2021/introducing-v1alpha2.md
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: allow-prod-traffic
diff --git a/examples/experimental/tls-cert-cross-namespace.yaml b/examples/standard/tls-cert-cross-namespace.yaml
similarity index 93%
rename from examples/experimental/tls-cert-cross-namespace.yaml
rename to examples/standard/tls-cert-cross-namespace.yaml
index 4926da0350..4af79c1202 100644
--- a/examples/experimental/tls-cert-cross-namespace.yaml
+++ b/examples/standard/tls-cert-cross-namespace.yaml
@@ -19,7 +19,7 @@ spec:
 name: wildcard-example-com-cert
 namespace: gateway-api-example-ns2
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
 name: allow-ns1-gateways-to-ref-secrets
diff --git a/hack/invalid-examples/v1beta1/referencegrant/missing-from.yaml b/hack/invalid-examples/v1beta1/referencegrant/missing-from.yaml
new file mode 100644
index 0000000000..f90cd2b84f
--- /dev/null
+++ b/hack/invalid-examples/v1beta1/referencegrant/missing-from.yaml
@@ -0,0 +1,8 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: missing-from
+spec:
+ to:
+ - group: ""
+ kind: "Service"
diff --git a/hack/invalid-examples/v1beta1/referencegrant/missing-ns.yaml b/hack/invalid-examples/v1beta1/referencegrant/missing-ns.yaml
new file mode 100644
index 0000000000..5dfbce303f
--- /dev/null
+++ b/hack/invalid-examples/v1beta1/referencegrant/missing-ns.yaml
@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: missing-ns
+spec:
+ to:
+ - group: ""
+ kind: "Service"
+ from:
+ - group: "gateway.networking.k8s.io"
+ kind: "HTTPRoute"
diff --git a/hack/invalid-examples/v1beta1/referencegrant/missing-to.yaml b/hack/invalid-examples/v1beta1/referencegrant/missing-to.yaml
new file mode 100644
index 0000000000..823db77e4c
--- /dev/null
+++ b/hack/invalid-examples/v1beta1/referencegrant/missing-to.yaml
@@ -0,0 +1,9 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: missing-to
+spec:
+ from:
+ - group: ""
+ kind: "Service"
+ namespace: "example"
diff --git a/mkdocs.yml b/mkdocs.yml
index bbab0b07c6..f20923e7f5 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -82,7 +82,6 @@ nav:
 - geps/gep-957.md
 - geps/gep-726.md
 - geps/gep-713.md
- - geps/gep-709.md
 - Standard:
 - geps/gep-922.md
 - geps/gep-917.md
@@ -91,6 +90,7 @@ nav:
 - geps/gep-746.md
 - geps/gep-724.md
 - geps/gep-718.md
+ - geps/gep-709.md
 - Contributing:
 - How to Get Involved: contributing/index.md
 - Developer Guide: contributing/devguide.md
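Review bot: None of the three new fixtures under hack/invalid-examples/v1beta1/referencegrant (missing-from.yaml, missing-ns.yaml, missing-to.yaml) states which schema rule is expected to reject it, so a fixture that begins failing for an unrelated reason would still count as "invalid". A one-line header in each would pin the intent, for example `# Invalid: spec.from[0].namespace is required` in missing-ns.yaml; that case deserves the most care, since the required `namespace` on `from` entries appears to be what keeps a grant tied to a named source namespace. The fixtures exercise only the `required` rules: the `minItems: 1` bound that the CRD schema in this diff places on `from` and `to` has no case here, and a fixture with `from: []` would cover it.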
diff --git a/pkg/client/clientset/versioned/typed/apis/v1beta1/apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1beta1/apis_client.go index b3cb96de18..ef8e0e2977 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1beta1/apis_client.go +++ b/pkg/client/clientset/versioned/typed/apis/v1beta1/apis_client.go @@ -31,6 +31,7 @@ type GatewayV1beta1Interface interface { GatewaysGetter GatewayClassesGetter HTTPRoutesGetter + ReferenceGrantsGetter } // GatewayV1beta1Client is used to interact with features provided by the gateway.networking.k8s.io group. @@ -50,6 +51,10 @@ func (c *GatewayV1beta1Client) HTTPRoutes(namespace string) HTTPRouteInterface { return newHTTPRoutes(c, namespace) } +func (c *GatewayV1beta1Client) ReferenceGrants(namespace string) ReferenceGrantInterface { + return newReferenceGrants(c, namespace) +} + // NewForConfig creates a new GatewayV1beta1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_apis_client.go index 3760228b97..418e8161ad 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_apis_client.go +++ b/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_apis_client.go @@ -40,6 +40,10 @@ func (c *FakeGatewayV1beta1) HTTPRoutes(namespace string) v1beta1.HTTPRouteInter return &FakeHTTPRoutes{c, namespace} } +func (c *FakeGatewayV1beta1) ReferenceGrants(namespace string) v1beta1.ReferenceGrantInterface { + return &FakeReferenceGrants{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeGatewayV1beta1) RESTClient() rest.Interface { 
diff --git a/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_referencegrant.go b/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_referencegrant.go new file mode 100644 index 0000000000..f63fc2512a --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1beta1/fake/fake_referencegrant.go 
@@ -0,0 +1,130 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" + v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" +) + +// FakeReferenceGrants implements ReferenceGrantInterface +type FakeReferenceGrants struct { + Fake *FakeGatewayV1beta1 + ns string +} + +var referencegrantsResource = schema.GroupVersionResource{Group: "gateway.networking.k8s.io", Version: "v1beta1", Resource: "referencegrants"} + +var referencegrantsKind = schema.GroupVersionKind{Group: "gateway.networking.k8s.io", Version: "v1beta1", Kind: "ReferenceGrant"} + +// Get takes name of the referenceGrant, and returns the corresponding referenceGrant object, and an error if there is any. +func (c *FakeReferenceGrants) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.ReferenceGrant, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(referencegrantsResource, c.ns, name), &v1beta1.ReferenceGrant{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ReferenceGrant), err +} + +// List takes label and field selectors, and returns the list of ReferenceGrants that match those selectors. 
+func (c *FakeReferenceGrants) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.ReferenceGrantList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(referencegrantsResource, referencegrantsKind, c.ns, opts), &v1beta1.ReferenceGrantList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1beta1.ReferenceGrantList{ListMeta: obj.(*v1beta1.ReferenceGrantList).ListMeta} + for _, item := range obj.(*v1beta1.ReferenceGrantList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested referenceGrants. +func (c *FakeReferenceGrants) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(referencegrantsResource, c.ns, opts)) + +} + +// Create takes the representation of a referenceGrant and creates it. Returns the server's representation of the referenceGrant, and an error, if there is any. +func (c *FakeReferenceGrants) Create(ctx context.Context, referenceGrant *v1beta1.ReferenceGrant, opts v1.CreateOptions) (result *v1beta1.ReferenceGrant, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(referencegrantsResource, c.ns, referenceGrant), &v1beta1.ReferenceGrant{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ReferenceGrant), err +} + +// Update takes the representation of a referenceGrant and updates it. Returns the server's representation of the referenceGrant, and an error, if there is any. +func (c *FakeReferenceGrants) Update(ctx context.Context, referenceGrant *v1beta1.ReferenceGrant, opts v1.UpdateOptions) (result *v1beta1.ReferenceGrant, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(referencegrantsResource, c.ns, referenceGrant), &v1beta1.ReferenceGrant{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ReferenceGrant), err +} + +// Delete takes name of the referenceGrant and deletes it. Returns an error if one occurs. +func (c *FakeReferenceGrants) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(referencegrantsResource, c.ns, name, opts), &v1beta1.ReferenceGrant{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeReferenceGrants) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(referencegrantsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1beta1.ReferenceGrantList{}) + return err +} + +// Patch applies the patch and returns the patched referenceGrant. +func (c *FakeReferenceGrants) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ReferenceGrant, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(referencegrantsResource, c.ns, name, pt, data, subresources...), &v1beta1.ReferenceGrant{}) + + if obj == nil { + return nil, err + } + return obj.(*v1beta1.ReferenceGrant), err +} diff --git a/pkg/client/clientset/versioned/typed/apis/v1beta1/generated_expansion.go b/pkg/client/clientset/versioned/typed/apis/v1beta1/generated_expansion.go index 98d1619998..97dc512a55 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1beta1/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/apis/v1beta1/generated_expansion.go @@ -23,3 +23,5 @@ type GatewayExpansion interface{} type GatewayClassExpansion interface{} type HTTPRouteExpansion interface{} + +type ReferenceGrantExpansion interface{} 
diff --git a/pkg/client/clientset/versioned/typed/apis/v1beta1/referencegrant.go b/pkg/client/clientset/versioned/typed/apis/v1beta1/referencegrant.go new file mode 100644 index 0000000000..63b29e90f9 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/apis/v1beta1/referencegrant.go 
@@ -0,0 +1,178 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" + v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" + scheme "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme" +) + +// ReferenceGrantsGetter has a method to return a ReferenceGrantInterface. +// A group's client should implement this interface. +type ReferenceGrantsGetter interface { + ReferenceGrants(namespace string) ReferenceGrantInterface +} + +// ReferenceGrantInterface has methods to work with ReferenceGrant resources. 
+type ReferenceGrantInterface interface { + Create(ctx context.Context, referenceGrant *v1beta1.ReferenceGrant, opts v1.CreateOptions) (*v1beta1.ReferenceGrant, error) + Update(ctx context.Context, referenceGrant *v1beta1.ReferenceGrant, opts v1.UpdateOptions) (*v1beta1.ReferenceGrant, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1beta1.ReferenceGrant, error) + List(ctx context.Context, opts v1.ListOptions) (*v1beta1.ReferenceGrantList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ReferenceGrant, err error) + ReferenceGrantExpansion +} + +// referenceGrants implements ReferenceGrantInterface +type referenceGrants struct { + client rest.Interface + ns string +} + +// newReferenceGrants returns a ReferenceGrants +func newReferenceGrants(c *GatewayV1beta1Client, namespace string) *referenceGrants { + return &referenceGrants{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the referenceGrant, and returns the corresponding referenceGrant object, and an error if there is any. +func (c *referenceGrants) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.ReferenceGrant, err error) { + result = &v1beta1.ReferenceGrant{} + err = c.client.Get(). + Namespace(c.ns). + Resource("referencegrants"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ReferenceGrants that match those selectors. 
+func (c *referenceGrants) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.ReferenceGrantList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1beta1.ReferenceGrantList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("referencegrants"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested referenceGrants. +func (c *referenceGrants) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("referencegrants"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a referenceGrant and creates it. Returns the server's representation of the referenceGrant, and an error, if there is any. +func (c *referenceGrants) Create(ctx context.Context, referenceGrant *v1beta1.ReferenceGrant, opts v1.CreateOptions) (result *v1beta1.ReferenceGrant, err error) { + result = &v1beta1.ReferenceGrant{} + err = c.client.Post(). + Namespace(c.ns). + Resource("referencegrants"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(referenceGrant). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a referenceGrant and updates it. Returns the server's representation of the referenceGrant, and an error, if there is any. +func (c *referenceGrants) Update(ctx context.Context, referenceGrant *v1beta1.ReferenceGrant, opts v1.UpdateOptions) (result *v1beta1.ReferenceGrant, err error) { + result = &v1beta1.ReferenceGrant{} + err = c.client.Put(). + Namespace(c.ns). + Resource("referencegrants"). + Name(referenceGrant.Name). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(referenceGrant). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the referenceGrant and deletes it. Returns an error if one occurs. +func (c *referenceGrants) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("referencegrants"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *referenceGrants) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("referencegrants"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched referenceGrant. +func (c *referenceGrants) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ReferenceGrant, err error) { + result = &v1beta1.ReferenceGrant{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("referencegrants"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/informers/externalversions/apis/v1beta1/interface.go b/pkg/client/informers/externalversions/apis/v1beta1/interface.go index 8cfa2828a9..1f168ff559 100644 --- a/pkg/client/informers/externalversions/apis/v1beta1/interface.go +++ b/pkg/client/informers/externalversions/apis/v1beta1/interface.go 
@@ -30,6 +30,8 @@ type Interface interface { GatewayClasses() GatewayClassInformer // HTTPRoutes returns a HTTPRouteInformer. HTTPRoutes() HTTPRouteInformer + // ReferenceGrants returns a ReferenceGrantInformer. + ReferenceGrants() ReferenceGrantInformer } type version struct { @@ -57,3 +59,8 @@ func (v *version) GatewayClasses() GatewayClassInformer { func (v *version) HTTPRoutes() HTTPRouteInformer { return &hTTPRouteInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// ReferenceGrants returns a ReferenceGrantInformer. +func (v *version) ReferenceGrants() ReferenceGrantInformer { + return &referenceGrantInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/pkg/client/informers/externalversions/apis/v1beta1/referencegrant.go b/pkg/client/informers/externalversions/apis/v1beta1/referencegrant.go new file mode 100644 index 0000000000..0e533d2293 --- /dev/null +++ b/pkg/client/informers/externalversions/apis/v1beta1/referencegrant.go 
@@ -0,0 +1,90 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" + apisv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" + versioned "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned" + internalinterfaces "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/internalinterfaces" + v1beta1 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1beta1" +) + +// ReferenceGrantInformer provides access to a shared informer and lister for +// ReferenceGrants. +type ReferenceGrantInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1beta1.ReferenceGrantLister +} + +type referenceGrantInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewReferenceGrantInformer constructs a new informer for ReferenceGrant type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewReferenceGrantInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredReferenceGrantInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredReferenceGrantInformer constructs a new informer for ReferenceGrant type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredReferenceGrantInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.GatewayV1beta1().ReferenceGrants(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.GatewayV1beta1().ReferenceGrants(namespace).Watch(context.TODO(), options) + }, + }, + &apisv1beta1.ReferenceGrant{}, + resyncPeriod, + indexers, + ) +} + +func (f *referenceGrantInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredReferenceGrantInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *referenceGrantInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apisv1beta1.ReferenceGrant{}, f.defaultInformer) +} + +func (f *referenceGrantInformer) Lister() v1beta1.ReferenceGrantLister { + return v1beta1.NewReferenceGrantLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 0a21206e42..ddf4bf9296 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -78,6 +78,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1beta1().GatewayClasses().Informer()}, nil case v1beta1.SchemeGroupVersion.WithResource("httproutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1beta1().HTTPRoutes().Informer()}, nil + case v1beta1.SchemeGroupVersion.WithResource("referencegrants"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1beta1().ReferenceGrants().Informer()}, nil } diff --git a/pkg/client/listers/apis/v1beta1/expansion_generated.go b/pkg/client/listers/apis/v1beta1/expansion_generated.go index bb25592a92..e76a343bd2 100644 --- a/pkg/client/listers/apis/v1beta1/expansion_generated.go +++ b/pkg/client/listers/apis/v1beta1/expansion_generated.go @@ -37,3 +37,11 @@ type HTTPRouteListerExpansion interface{} // HTTPRouteNamespaceListerExpansion allows custom methods to be added to // HTTPRouteNamespaceLister. type HTTPRouteNamespaceListerExpansion interface{} + +// ReferenceGrantListerExpansion allows custom methods to be added to +// ReferenceGrantLister. +type ReferenceGrantListerExpansion interface{} + +// ReferenceGrantNamespaceListerExpansion allows custom methods to be added to +// ReferenceGrantNamespaceLister. +type ReferenceGrantNamespaceListerExpansion interface{} diff --git a/pkg/client/listers/apis/v1beta1/referencegrant.go b/pkg/client/listers/apis/v1beta1/referencegrant.go new file mode 100644 index 0000000000..8144734b27 --- /dev/null +++ b/pkg/client/listers/apis/v1beta1/referencegrant.go 
@@ -0,0 +1,99 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" + v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" +) + +// ReferenceGrantLister helps list ReferenceGrants. +// All objects returned here must be treated as read-only. +type ReferenceGrantLister interface { + // List lists all ReferenceGrants in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1beta1.ReferenceGrant, err error) + // ReferenceGrants returns an object that can list and get ReferenceGrants. + ReferenceGrants(namespace string) ReferenceGrantNamespaceLister + ReferenceGrantListerExpansion +} + +// referenceGrantLister implements the ReferenceGrantLister interface. +type referenceGrantLister struct { + indexer cache.Indexer +} + +// NewReferenceGrantLister returns a new ReferenceGrantLister. +func NewReferenceGrantLister(indexer cache.Indexer) ReferenceGrantLister { + return &referenceGrantLister{indexer: indexer} +} + +// List lists all ReferenceGrants in the indexer. 
+func (s *referenceGrantLister) List(selector labels.Selector) (ret []*v1beta1.ReferenceGrant, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1beta1.ReferenceGrant)) + }) + return ret, err +} + +// ReferenceGrants returns an object that can list and get ReferenceGrants. +func (s *referenceGrantLister) ReferenceGrants(namespace string) ReferenceGrantNamespaceLister { + return referenceGrantNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// ReferenceGrantNamespaceLister helps list and get ReferenceGrants. +// All objects returned here must be treated as read-only. +type ReferenceGrantNamespaceLister interface { + // List lists all ReferenceGrants in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1beta1.ReferenceGrant, err error) + // Get retrieves the ReferenceGrant from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1beta1.ReferenceGrant, error) + ReferenceGrantNamespaceListerExpansion +} + +// referenceGrantNamespaceLister implements the ReferenceGrantNamespaceLister +// interface. +type referenceGrantNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all ReferenceGrants in the indexer for a given namespace. +func (s referenceGrantNamespaceLister) List(selector labels.Selector) (ret []*v1beta1.ReferenceGrant, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1beta1.ReferenceGrant)) + }) + return ret, err +} + +// Get retrieves the ReferenceGrant from the indexer for a given namespace and name. 
+func (s referenceGrantNamespaceLister) Get(name string) (*v1beta1.ReferenceGrant, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1beta1.Resource("referencegrant"), name) + } + return obj.(*v1beta1.ReferenceGrant), nil +} diff --git a/pkg/generator/main.go b/pkg/generator/main.go index 89c39980a7..6ccb459d95 100644 --- a/pkg/generator/main.go +++ b/pkg/generator/main.go @@ -41,9 +41,10 @@ const ( var ( standardKinds = map[string]bool{ - "GatewayClass": true, - "Gateway": true, - "HTTPRoute": true, + "GatewayClass": true, + "Gateway": true, + "HTTPRoute": true, + "ReferenceGrant": true, } ) diff --git a/site-src/geps/gep-709.md b/site-src/geps/gep-709.md index 3f95888a11..a4a8d21379 100644 --- a/site-src/geps/gep-709.md +++ b/site-src/geps/gep-709.md @@ -1,7 +1,7 @@ # GEP-709: Cross Namespace References from Routes * Issue: [#709](https://github.com/kubernetes-sigs/gateway-api/issues/709) -* Status: Experimental +* Status: Standard !!! note This resource was originally named "ReferencePolicy". It was renamed @@ -95,7 +95,7 @@ decisions: // ReferenceGrant identifies kinds of resources in other namespaces that are // trusted to reference the specified kinds of resources in the local namespace. // Each ReferenceGrant can be used to represent a unique trust relationship. -// Additional Reference Policies can be used to add to the set of trusted +// Additional ReferenceGrants can be used to add to the set of trusted // sources of inbound references for the namespace they are defined within. type ReferenceGrant struct { metav1.TypeMeta `json:",inline"`
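Review bot: In pkg/generator/main.go, `standardKinds` is keyed by kind name alone and has no comment, so the hunk does not show whether `"ReferenceGrant": true` promotes only the v1beta1 version or every version of the kind the generator processes. ReferenceGrant is the resource that establishes cross-namespace trust, so which of its versions ship in the standard CRDs is worth stating next to the map, for example `// standardKinds lists the kinds published in the standard channel; every API version of a listed kind is included.` The second clause is an assumption to confirm against the code that reads the map, which lies outside this hunk.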