@@ -10,6 +10,7 @@ import (
1010 "time"
1111
1212 corev1 "k8s.io/api/core/v1"
13+ "k8s.io/apimachinery/pkg/api/resource"
1314 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
1415 "k8s.io/apimachinery/pkg/types"
1516 "k8s.io/client-go/rest"
@@ -357,6 +358,10 @@ type GatewayConfig struct {
357358 //
358359 // +default={"80": ["HTTP"], "443": ["HTTPS"]}
359360 ValidProtocolTypes map [int ][]gatewayv1.ProtocolType `json:"validProtocolTypes,omitempty"`
361+
362+ // ExtensionAPIValidationOptions provides configuration for validation of
363+ // extension APIs used by the Gateway.
364+ ExtensionAPIValidationOptions ExtensionAPIValidationOptions `json:"extensionAPIValidationOptions,omitempty"`
360365}
361366
362367func (c * GatewayConfig ) GatewayDNSAddress (gateway * gatewayv1.Gateway ) string {
@@ -365,6 +370,199 @@ func (c *GatewayConfig) GatewayDNSAddress(gateway *gatewayv1.Gateway) string {
365370
366371// +k8s:deepcopy-gen=true
367372
373+ type ExtensionAPIValidationOptions struct {
374+ // BackendTrafficPolicies specifies validation options for BackendTrafficPolicy resources.
375+ BackendTrafficPolicies BackendTrafficPolicyValidationOptions `json:"backendTrafficPolicies"`
376+
377+ // HTTPRouteFilters specifies validation options for HTTPRouteFilter resources.
378+ HTTPRouteFilters HTTPRouteFilterValidationOptions `json:"httpRouteFilters"`
379+
380+ // SecurityPolicies specifies validation options for SecurityPolicy resources.
381+ SecurityPolicies SecurityPolicyValidationOptions `json:"securityPolicies"`
382+ }
383+
384+ // +k8s:deepcopy-gen=true
385+
386+ type BackendTrafficPolicyValidationOptions struct {
387+ ClusterSettings ClusterSettingsValidationOptions
388+ }
389+
390+ // +k8s:deepcopy-gen=true
391+
392+ type ClusterSettingsValidationOptions struct {
393+ // Minimum amount for the total number of unacknowledged probes to send before
394+ // deciding the connection is dead.
395+ //
396+ // +default=9
397+ TCPKeepaliveMinProbes uint32
398+
399+ // Minimum amount for the duration a connection needs to be idle before
400+ // keep-alive probes start being sent.
401+ //
402+ // +default="5m"
403+ TCPKeepaliveMinIdleTime * metav1.Duration
404+
405+ // Minimum amount for the duration between keep-alive probes.
406+ //
407+ // +default="30s"
408+ TCPKeepaliveMinInterval * metav1.Duration
409+
410+ // Maximum time allowed for a connection timeout
411+ //
412+ // +default="10s"
413+ TCPMaxConnectionTimeout * metav1.Duration
414+
415+ // Maximum amount for the duration a connection can be idle.
416+ //
417+ // +default="1h"
418+ HTTPMaxConnectionIdleTimeout * metav1.Duration
419+
420+ // Maximum amount for the duration of a connection.
421+ //
422+ // +default="1h"
423+ HTTPMaxConnectionDuration * metav1.Duration
424+
425+ // Maximum amount for the duration until an entire request is received by the
426+ // upstream.
427+ //
428+ // +default="1h"
429+ HTTPMaxRequestTimeout * metav1.Duration
430+
431+ // Maximum size for upstream connection buffers
432+ //
433+ // +default="512Ki"
434+ ConnectionMaxBufferLimit * resource.Quantity
435+
436+ // Minimum amount for the duration between DNS refreshes.
437+ //
438+ // +default="30s"
439+ DNSMinRefreshRate * metav1.Duration
440+
441+ // Maximum size for the initial stream window size for HTTP/2 connections.
442+ //
443+ // +default="64Ki"
444+ HTTP2MaxInitialStreamWindowSize * resource.Quantity
445+
446+ // Maximum size for the initial connection window size for HTTP/2 connections.
447+ //
448+ // +default="1Mi"
449+ HTTP2MaxInitialConnectionWindowSize * resource.Quantity
450+
451+ // Maximum number of concurrent streams for HTTP/2 connections.
452+ //
453+ // +default=1024
454+ HTTP2MaxConcurrentStreams uint32
455+ }
456+
457+ type HTTPRouteFilterValidationOptions struct {
458+ // MaxInlineBodySize is the maximum allowed size for an inline body in a
459+ // direct response filter.
460+ //
461+ // +default=1024
462+ MaxInlineBodySize int
463+ }
464+
465+ // +k8s:deepcopy-gen=true
466+
467+ type SecurityPolicyValidationOptions struct {
468+ // APIKeyAuth specifies validation options for API key authentication
469+ APIKeyAuth APIKeyAuthValidationOptions
470+
471+ // CORS specifies validation options for CORS
472+ CORS CORSValidationOptions
473+
474+ // JWTProvider specifies validation options for JWT providers
475+ JWTProvider JWTProviderValidationOptions
476+
477+ // OIDC specifies validation options for OIDC
478+ OIDC OIDCValidationOptions
479+
480+ // Authorization specifies validation options for authorization
481+ Authorization AuthorizationValidationOptions
482+
483+ // ClusterSettings specifies validation options for cluster settings used
484+ // within security policies.
485+ ClusterSettings ClusterSettingsValidationOptions
486+ }
487+
488+ type APIKeyAuthValidationOptions struct {
489+ // MaxCredentialRefs is the maximum number of credential references per
490+ // SecurityPolicy.
491+ //
492+ // +default=5
493+ MaxCredentialRefs int
494+
495+ // MaxExtractFrom is the maximum number of extractFrom entries per SecurityPolicy
496+ //
497+ // +default=5
498+ MaxExtractFrom int
499+
500+ // MaxExtractFromFieldLength is the maximum length of each field in an
501+ // extractFrom entry.
502+ //
503+ // +default=10
504+ MaxExtractFromFieldLength int
505+
506+ // MaxForwardClientIDHeaderLength is the maximum length for the name of the
507+ // header to use when forwarding the client identity to the upstream service.
508+ //
509+ // +default=256
510+ MaxForwardClientIDHeaderLength int
511+ }
512+
513+ type CORSValidationOptions struct {
514+ // MaxFieldLength is the maximum length for each field in a CORS policy.
515+ //
516+ // +default=10
517+ MaxFieldLength int
518+ }
519+
520+ type JWTProviderValidationOptions struct {
521+ // MaxClaimToHeaders is the maximum number of claim to header mappings per
522+ // JWT provider.
523+ //
524+ // +default=5
525+ MaxClaimToHeaders int
526+
527+ // MaxExtractorLength is the maximum length of each extractor field.
528+ //
529+ // +default=5
530+ MaxExtractorLength int
531+ }
532+
533+ // +k8s:deepcopy-gen=true
534+
535+ type OIDCValidationOptions struct {
536+ // MaxScopes is the maximum number of scopes per OIDC configuration.
537+ //
538+ // +default=5
539+ MaxScopes int
540+
541+ // MaxResources is the maximum number of resources per OIDC configuration.
542+ //
543+ // +default=5
544+ MaxResources int
545+
546+ // MinRefreshTokenTTL is the minimum allowed TTL for refresh tokens.
547+ //
548+ // +default="5m"
549+ MinRefreshTokenTTL * metav1.Duration
550+ }
551+
552+ type AuthorizationValidationOptions struct {
553+ // MaxRules is the maximum number of authorization rules per SecurityPolicy.
554+ //
555+ // +default=20
556+ MaxRules int
557+
558+ // MaxClientCIDRs is the maximum number of client CIDRs per authorization rule.
559+ //
560+ // +default=5
561+ MaxClientCIDRs int
562+ }
563+
564+ // +k8s:deepcopy-gen=true
565+
368566type GatewayResourceReplicatorConfig struct {
369567 // Resources lists the upstream resource types that should be mirrored into
370568 // the downstream control plane.
0 commit comments