Skip to content

Commit

Permalink
API for Wasm code source TLS configuration
Browse files Browse the repository at this point in the history
Signed-off-by: Huabing Zhao <[email protected]>
  • Loading branch information
zhaohuabing committed Oct 21, 2024
1 parent 26ec49a commit babbf4a
Show file tree
Hide file tree
Showing 5 changed files with 187 additions and 0 deletions.
21 changes: 21 additions & 0 deletions api/v1alpha1/wasm_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,11 @@ type HTTPWasmCodeSource struct {
// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
// +optional
SHA256 *string `json:"sha256"`

// TLS configuration when connecting to the Wasm code source.
// +optional
// +notImplementedHide
TLS *WasmCodeSourceTLS `json:"tls,omitempty"`
}

// ImageWasmCodeSource defines the OCI image containing the Wasm code.
Expand All @@ -137,6 +142,11 @@ type ImageWasmCodeSource struct {
// +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'"
// +optional
PullSecretRef *gwapiv1.SecretObjectReference `json:"pullSecretRef,omitempty"`

// TLS configuration when connecting to the Wasm code source.
// +optional
// +notImplementedHide
TLS *WasmCodeSourceTLS `json:"tls,omitempty"`
}

// ImagePullPolicy defines the policy to use when pulling an OIC image.
Expand All @@ -151,3 +161,14 @@ const (
// Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
ImagePullPolicyAlways ImagePullPolicy = "Always"
)

// WasmCodeSourceTLS defines the TLS configuration when connecting to the Wasm code source.
type WasmCodeSourceTLS struct {
// CACertificateRef contains a references to
// Kubernetes objects that contain TLS certificates of
// the Certificate Authorities that can be used
// as a trust anchor to validate the certificates presented by the Wasm code source.
//
// Kubernetes ConfigMap and Kubernetes Secret are supported.
CACertificateRef gwapiv1.SecretObjectReference `json:"caCertificateRef"`
}
26 changes: 26 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -1115,6 +1115,61 @@ spec:
If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
type: string
tls:
description: TLS configuration when connecting to the
Wasm code source.
properties:
caCertificateRef:
description: |-
CACertificateRef contains a references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the Wasm code source.
Kubernetes ConfigMap and Kubernetes Secret are supported.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For
example "Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
required:
- caCertificateRef
type: object
url:
description: URL is the URL containing the Wasm code.
pattern: ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*
Expand Down Expand Up @@ -1184,6 +1239,61 @@ spec:
If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
type: string
tls:
description: TLS configuration when connecting to the
Wasm code source.
properties:
caCertificateRef:
description: |-
CACertificateRef contains a references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the Wasm code source.
Kubernetes ConfigMap and Kubernetes Secret are supported.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For
example "Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
required:
- caCertificateRef
type: object
url:
description: |-
URL is the URL of the OCI image.
Expand Down
15 changes: 15 additions & 0 deletions site/content/en/latest/api/extension_types.md
Original file line number Diff line number Diff line change
Expand Up @@ -4118,6 +4118,21 @@ _Appears in:_
| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.<br />This field is only applicable when the SHA256 field is not set.<br /><br />If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.<br /><br />Note: EG does not update the Wasm module every time an Envoy proxy requests<br />the Wasm module even if the pull policy is set to Always.<br />It only updates the Wasm module when the EnvoyExtension resource version changes. |


#### WasmCodeSourceTLS



WasmCodeSourceTLS defines the TLS configuration when connecting to the Wasm code source.

_Appears in:_
- [HTTPWasmCodeSource](#httpwasmcodesource)
- [ImageWasmCodeSource](#imagewasmcodesource)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `caCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CACertificateRef contains a references to<br />Kubernetes objects that contain TLS certificates of<br />the Certificate Authorities that can be used<br />as a trust anchor to validate the certificates presented by the Wasm code source.<br /><br />Kubernetes ConfigMap and Kubernetes Secret are supported. |


#### WasmCodeSourceType

_Underlying type:_ _string_
Expand Down
15 changes: 15 additions & 0 deletions site/content/zh/latest/api/extension_types.md
Original file line number Diff line number Diff line change
Expand Up @@ -4118,6 +4118,21 @@ _Appears in:_
| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.<br />This field is only applicable when the SHA256 field is not set.<br /><br />If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.<br /><br />Note: EG does not update the Wasm module every time an Envoy proxy requests<br />the Wasm module even if the pull policy is set to Always.<br />It only updates the Wasm module when the EnvoyExtension resource version changes. |


#### WasmCodeSourceTLS



WasmCodeSourceTLS defines the TLS configuration when connecting to the Wasm code source.

_Appears in:_
- [HTTPWasmCodeSource](#httpwasmcodesource)
- [ImageWasmCodeSource](#imagewasmcodesource)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `caCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CACertificateRef contains a references to<br />Kubernetes objects that contain TLS certificates of<br />the Certificate Authorities that can be used<br />as a trust anchor to validate the certificates presented by the Wasm code source.<br /><br />Kubernetes ConfigMap and Kubernetes Secret are supported. |


#### WasmCodeSourceType

_Underlying type:_ _string_
Expand Down

0 comments on commit babbf4a

Please sign in to comment.