From fe8b4dc27ce97b51f677889d5b2904a90cfe4a10 Mon Sep 17 00:00:00 2001
From: bjee19 <139261241+bjee19@users.noreply.github.com>
Date: Tue, 10 Sep 2024 10:17:02 -0700
Subject: [PATCH] Add UpstreamSettingsPolicy CRD (#2515)
Problem: Users want to configure the behavior of the connection between NGINX and their upstream applications.
Solution: Add the UpstreamSettingsPolicy CRD, which is a direct policy that will attach to a Service that is referenced in an HTTPRoute or GRPCRoute.
Testing: Tested that validation works.
---
apis/v1alpha1/register.go | 2 +
apis/v1alpha1/upstreamsettingspolicy_types.go | 97 ++++
apis/v1alpha1/zz_generated.deepcopy.go | 124 +++++
...ay.nginx.org_upstreamsettingspolicies.yaml | 444 ++++++++++++++++++
docs/proposals/upstream-settings.md | 2 +-
examples/upstream-settings-policy/README.md | 4 +
.../upstream-settings-policy.yaml | 15 +
site/content/reference/api.md | 280 ++++++++++-
8 files changed, 965 insertions(+), 3 deletions(-)
create mode 100644 apis/v1alpha1/upstreamsettingspolicy_types.go
create mode 100644 config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml
create mode 100644 examples/upstream-settings-policy/README.md
create mode 100644 examples/upstream-settings-policy/upstream-settings-policy.yaml
diff --git a/apis/v1alpha1/register.go b/apis/v1alpha1/register.go
index f9970f4b4c..0d18c29eaa 100644
--- a/apis/v1alpha1/register.go
+++ b/apis/v1alpha1/register.go
@@ -42,6 +42,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&ClientSettingsPolicyList{},
&SnippetsFilter{},
&SnippetsFilterList{},
+ &UpstreamSettingsPolicy{},
+ &UpstreamSettingsPolicyList{},
)
// AddToGroupVersion allows the serialization of client types like ListOptions.
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
diff --git a/apis/v1alpha1/upstreamsettingspolicy_types.go b/apis/v1alpha1/upstreamsettingspolicy_types.go
new file mode 100644
index 0000000000..f3276d0f69
--- /dev/null
+++ b/apis/v1alpha1/upstreamsettingspolicy_types.go
@@ -0,0 +1,97 @@
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:categories=nginx-gateway-fabric,scope=Namespaced,shortName=uspolicy
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:metadata:labels="gateway.networking.k8s.io/policy=direct"
+
+// UpstreamSettingsPolicy is a Direct Attached Policy. It provides a way to configure the behavior of
+// the connection between NGINX and the upstream applications.
+type UpstreamSettingsPolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec defines the desired state of the UpstreamSettingsPolicy.
+ Spec UpstreamSettingsPolicySpec `json:"spec"`
+
+ // Status defines the state of the UpstreamSettingsPolicy.
+ Status gatewayv1alpha2.PolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// UpstreamSettingsPolicyList contains a list of UpstreamSettingsPolicies.
+type UpstreamSettingsPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []UpstreamSettingsPolicy `json:"items"`
+}
+
+// UpstreamSettingsPolicySpec defines the desired state of the UpstreamSettingsPolicy.
+type UpstreamSettingsPolicySpec struct {
+ // ZoneSize is the size of the shared memory zone used by the upstream. This memory zone is used to share
+ // the upstream configuration between nginx worker processes. The more servers that an upstream has,
+ // the larger memory zone is required.
+ // Default: OSS: 512k, Plus: 1m.
+ // Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone
+ //
+ // +optional
+ ZoneSize *Size `json:"zoneSize,omitempty"`
+
+ // KeepAlive defines the keep-alive settings.
+ //
+ // +optional
+ KeepAlive *UpstreamKeepAlive `json:"keepAlive,omitempty"`
+
+ // TargetRefs identifies API object(s) to apply the policy to.
+ // Objects must be in the same namespace as the policy.
+ // Support: Service
+ //
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ // +kubebuilder:validation:XValidation:message="TargetRefs Kind must be: Service",rule="self.all(t, t.kind=='Service')"
+ // +kubebuilder:validation:XValidation:message="TargetRefs Group must be core",rule="self.exists(t, t.group=='') || self.exists(t, t.group=='core')"
+ //nolint:lll
+ TargetRefs []gatewayv1alpha2.LocalPolicyTargetReference `json:"targetRefs"`
+}
+
+// UpstreamKeepAlive defines the keep-alive settings for upstreams.
+type UpstreamKeepAlive struct {
+ // Connections sets the maximum number of idle keep-alive connections to upstream servers that are preserved
+ // in the cache of each nginx worker process. When this number is exceeded, the least recently used
+ // connections are closed.
+ // Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+ //
+ // +optional
+ // +kubebuilder:validation:Minimum=1
+ Connections *int32 `json:"connections,omitempty"`
+
+ // Requests sets the maximum number of requests that can be served through one keep-alive connection.
+ // After the maximum number of requests are made, the connection is closed.
+ // Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests
+ //
+ // +optional
+ // +kubebuilder:validation:Minimum=0
+ Requests *int32 `json:"requests,omitempty"`
+
+ // Time defines the maximum time during which requests can be processed through one keep-alive connection.
+ // After this time is reached, the connection is closed following the subsequent request processing.
+ // Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time
+ //
+ // +optional
+ Time *Duration `json:"time,omitempty"`
+
+ // Timeout defines the keep-alive timeout for upstreams.
+ // Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout
+ //
+ // +optional
+ Timeout *Duration `json:"timeout,omitempty"`
+}
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
index aa249ed430..9624b658aa 100644
--- a/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/v1alpha1/zz_generated.deepcopy.go
@@ -785,3 +785,127 @@ func (in *Tracing) DeepCopy() *Tracing {
in.DeepCopyInto(out)
return out
}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamKeepAlive) DeepCopyInto(out *UpstreamKeepAlive) {
+ *out = *in
+ if in.Connections != nil {
+ in, out := &in.Connections, &out.Connections
+ *out = new(int32)
+ **out = **in
+ }
+ if in.Requests != nil {
+ in, out := &in.Requests, &out.Requests
+ *out = new(int32)
+ **out = **in
+ }
+ if in.Time != nil {
+ in, out := &in.Time, &out.Time
+ *out = new(Duration)
+ **out = **in
+ }
+ if in.Timeout != nil {
+ in, out := &in.Timeout, &out.Timeout
+ *out = new(Duration)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamKeepAlive.
+func (in *UpstreamKeepAlive) DeepCopy() *UpstreamKeepAlive {
+ if in == nil {
+ return nil
+ }
+ out := new(UpstreamKeepAlive)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamSettingsPolicy) DeepCopyInto(out *UpstreamSettingsPolicy) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamSettingsPolicy.
+func (in *UpstreamSettingsPolicy) DeepCopy() *UpstreamSettingsPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(UpstreamSettingsPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamSettingsPolicy) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamSettingsPolicyList) DeepCopyInto(out *UpstreamSettingsPolicyList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]UpstreamSettingsPolicy, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamSettingsPolicyList.
+func (in *UpstreamSettingsPolicyList) DeepCopy() *UpstreamSettingsPolicyList {
+ if in == nil {
+ return nil
+ }
+ out := new(UpstreamSettingsPolicyList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamSettingsPolicyList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamSettingsPolicySpec) DeepCopyInto(out *UpstreamSettingsPolicySpec) {
+ *out = *in
+ if in.ZoneSize != nil {
+ in, out := &in.ZoneSize, &out.ZoneSize
+ *out = new(Size)
+ **out = **in
+ }
+ if in.KeepAlive != nil {
+ in, out := &in.KeepAlive, &out.KeepAlive
+ *out = new(UpstreamKeepAlive)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.TargetRefs != nil {
+ in, out := &in.TargetRefs, &out.TargetRefs
+ *out = make([]v1alpha2.LocalPolicyTargetReference, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamSettingsPolicySpec.
+func (in *UpstreamSettingsPolicySpec) DeepCopy() *UpstreamSettingsPolicySpec {
+ if in == nil {
+ return nil
+ }
+ out := new(UpstreamSettingsPolicySpec)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml b/config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml
new file mode 100644
index 0000000000..dbe0462862
--- /dev/null
+++ b/config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml
@@ -0,0 +1,444 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.2
+ labels:
+ gateway.networking.k8s.io/policy: direct
+ name: upstreamsettingspolicies.gateway.nginx.org
+spec:
+ group: gateway.nginx.org
+ names:
+ categories:
+ - nginx-gateway-fabric
+ kind: UpstreamSettingsPolicy
+ listKind: UpstreamSettingsPolicyList
+ plural: upstreamsettingspolicies
+ shortNames:
+ - uspolicy
+ singular: upstreamsettingspolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ UpstreamSettingsPolicy is a Direct Attached Policy. It provides a way to configure the behavior of
+ the connection between NGINX and the upstream applications.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of the UpstreamSettingsPolicy.
+ properties:
+ keepAlive:
+ description: KeepAlive defines the keep-alive settings.
+ properties:
+ connections:
+ description: |-
+ Connections sets the maximum number of idle keep-alive connections to upstream servers that are preserved
+ in the cache of each nginx worker process. When this number is exceeded, the least recently used
+ connections are closed.
+ Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+ format: int32
+ minimum: 1
+ type: integer
+ requests:
+ description: |-
+ Requests sets the maximum number of requests that can be served through one keep-alive connection.
+ After the maximum number of requests are made, the connection is closed.
+ Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests
+ format: int32
+ minimum: 0
+ type: integer
+ time:
+ description: |-
+ Time defines the maximum time during which requests can be processed through one keep-alive connection.
+ After this time is reached, the connection is closed following the subsequent request processing.
+ Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time
+ pattern: ^\d{1,4}(ms|s)?$
+ type: string
+ timeout:
+ description: |-
+ Timeout defines the keep-alive timeout for upstreams.
+ Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout
+ pattern: ^\d{1,4}(ms|s)?$
+ type: string
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs identifies API object(s) to apply the policy to.
+ Objects must be in the same namespace as the policy.
+ Support: Service
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: 'TargetRefs Kind must be: Service'
+ rule: self.all(t, t.kind=='Service')
+ - message: TargetRefs Group must be core
+ rule: self.exists(t, t.group=='') || self.exists(t, t.group=='core')
+ zoneSize:
+ description: |-
+ ZoneSize is the size of the shared memory zone used by the upstream. This memory zone is used to share
+ the upstream configuration between nginx worker processes. The more servers that an upstream has,
+ the larger memory zone is required.
+ Default: OSS: 512k, Plus: 1m.
+ Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone
+ pattern: ^\d{1,4}(k|m|g)?$
+ type: string
+ required:
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the state of the UpstreamSettingsPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/docs/proposals/upstream-settings.md b/docs/proposals/upstream-settings.md
index a56b3346f3..7928220c5b 100644
--- a/docs/proposals/upstream-settings.md
+++ b/docs/proposals/upstream-settings.md
@@ -89,7 +89,7 @@ type UpstreamKeepAlive struct {
// Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
//
// +optional
- Connections *int32 `json"connections,omitempty"`
+ Connections *int32 `json:"connections,omitempty"`
// Requests sets the maximum number of requests that can be served through one keep-alive connection.
// After the maximum number of requests are made, the connection is closed.
diff --git a/examples/upstream-settings-policy/README.md b/examples/upstream-settings-policy/README.md
new file mode 100644
index 0000000000..a6ad17a087
--- /dev/null
+++ b/examples/upstream-settings-policy/README.md
@@ -0,0 +1,4 @@
+# UpstreamSettingsPolicy
+
+This directory contains example YAMLs for testing the UpstreamSettingsPolicy CRD. Eventually, this will be converted
+into a how-to-guide.
diff --git a/examples/upstream-settings-policy/upstream-settings-policy.yaml b/examples/upstream-settings-policy/upstream-settings-policy.yaml
new file mode 100644
index 0000000000..e49ed1dffd
--- /dev/null
+++ b/examples/upstream-settings-policy/upstream-settings-policy.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.nginx.org/v1alpha1
+kind: UpstreamSettingsPolicy
+metadata:
+ name: upstream-settings-policy
+spec:
+ zoneSize: 512k
+ targetRefs:
+ - group: core
+ kind: Service
+ name: service
+ keepAlive:
+ connections: 32
+ requests: 1001
+ time: 300s
+ timeout: 60s
diff --git a/site/content/reference/api.md b/site/content/reference/api.md
index f74d7f984f..74ea08d3c8 100644
--- a/site/content/reference/api.md
+++ b/site/content/reference/api.md
@@ -27,6 +27,8 @@ Resource Types:
ObservabilityPolicy
SnippetsFilter
+
+UpstreamSettingsPolicy
ClientSettingsPolicy
@@ -576,6 +578,131 @@ SnippetsFilterStatus
+UpstreamSettingsPolicy
+
+
+
+
UpstreamSettingsPolicy is a Direct Attached Policy. It provides a way to configure the behavior of
+the connection between NGINX and the upstream applications.
+
+
Address
@@ -974,7 +1101,8 @@ longer necessary.
ClientBody,
ClientKeepAlive,
ClientKeepAliveTimeout,
-TelemetryExporter)
+TelemetryExporter,
+UpstreamKeepAlive)
Duration is a string value representing a duration in time.
@@ -1521,7 +1649,8 @@ IP address in the X-Forwarded-For HTTP header.
(Appears on:
-ClientBody)
+ClientBody,
+UpstreamSettingsPolicySpec)
Size is a string value representing a size. Size can be specified in bytes, kilobytes (k), megabytes (m),
@@ -2018,6 +2147,153 @@ Examples of invalid names: some-$value, quoted-“value”-name, unescap
+
UpstreamKeepAlive
+
+
+
+(Appears on:
+UpstreamSettingsPolicySpec)
+
+
+
UpstreamKeepAlive defines the keep-alive settings for upstreams.
+
+
+UpstreamSettingsPolicySpec
+
+
+
+(Appears on:
+UpstreamSettingsPolicy)
+
+
+
UpstreamSettingsPolicySpec defines the desired state of the UpstreamSettingsPolicy.
+
+
Generated with gen-crd-api-reference-docs