You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/proposals/proxy-settings.md
+22-13Lines changed: 22 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -50,6 +50,12 @@ In the future, we can extend the Proxy Settings Policy to include more proxy-rel
50
50
51
51
The `ProxySettingsPolicy` API is a CRD that is a part of the `gateway.nginx.org` Group. It adheres to the guidelines and requirements of an Inherited Policy as outlined in the [Policy Attachment GEP (GEP-713)](https://gateway-api.sigs.k8s.io/geps/gep-713/).
52
52
53
+
The policy uses `targetRefs` (plural) to support targeting multiple resources with a single policy instance. This follows the current GEP-713 guidance and provides better user experience by:
54
+
55
+
- Avoiding policy duplication when applying the same settings to multiple targets
56
+
- Reducing maintenance burden and risk of configuration inconsistencies
57
+
- Preventing future migration challenges from singular to plural forms
58
+
53
59
Below is the Golang API for the `ProxySettingsPolicy` API:
54
60
55
61
### Go
@@ -85,14 +91,17 @@ type ProxySettingsPolicy struct {
85
91
86
92
// ProxySettingsPolicySpec defines the desired state of the ProxySettingsPolicy.
87
93
typeProxySettingsPolicySpecstruct {
88
-
//TargetRef identifies an API object to apply the policy to.
89
-
//Object must be in the same namespace as the policy.
94
+
//TargetRefs identifies API object(s) to apply the policy to.
95
+
//Objects must be in the same namespace as the policy.
90
96
//
91
97
// Support: Gateway, HTTPRoute, GRPCRoute
92
98
//
93
-
// +kubebuilder:validation:XValidation:message="TargetRef Kind must be one of: Gateway, HTTPRoute, or GRPCRoute",rule="self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind == 'GRPCRoute'"
94
-
// +kubebuilder:validation:XValidation:message="TargetRef Group must be gateway.networking.k8s.io",rule="self.group == 'gateway.networking.k8s.io'"
// +kubebuilder:validation:XValidation:message="TargetRefs entries must have kind Gateway, HTTPRoute, or GRPCRoute",rule="self.all(t, t.kind == 'Gateway' || t.kind == 'HTTPRoute' || t.kind == 'GRPCRoute')"
102
+
// +kubebuilder:validation:XValidation:message="TargetRefs entries must have group gateway.networking.k8s.io",rule="self.all(t, t.group == 'gateway.networking.k8s.io')"
103
+
// +kubebuilder:validation:XValidation:message="TargetRefs must be unique",rule="self.all(t1, self.exists_one(t2, t1.group == t2.group && t1.kind == t2.kind && t1.name == t2.name))"
The findings from the ClientSettingsPolicy proposal apply here as well. The strategy for implementing the effective policy is:
354
+
The strategy for implementing the effective policy is:
346
355
347
-
- When a `ProxySettingsPolicy` is attached to a Gateway, add the corresponding NGINX directives to each `server` block generated from that Gateway.
348
-
- When a `ProxySettingsPolicy` is attached to an HTTPRoute or GRPCRoute, add the corresponding NGINX directives to each of the final `location` blocks generated for the Route.
356
+
- When a `ProxySettingsPolicy` is attached to a Gateway, add the corresponding NGINX directives to the `http` block.
357
+
- When a `ProxySettingsPolicy` is attached to an HTTPRoute or GRPCRoute, add the corresponding NGINX directives to the final `location` blocks generated for the Route.
349
358
350
-
We can rely on NGINX to compute the effective policy by applying its own inheritance rules.
359
+
We can rely on NGINX to compute the effective policy by applying its own inheritance rules. Since each Gateway has a 1-1 relationship with an NGINX deployment, Gateway-level policies naturally map to the `http` context, and Route-level policies in the `location` context can override them as needed.
0 commit comments