{ "description": "GatewayConfig is the Schema for the gatewayconfigs API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "GatewayConfigSpec defines the desired state of GatewayConfig", "properties": { "authLifetime": { "description": "AuthLifetime defines the lifetime of \"longterm\" authentication credentials in seconds.", "format": "int32", "type": "integer" }, "authRef": { "description": "Note that externally set credentials override any inline auth credentials (AuthType,\nAuthUsername, etc.): if AuthRef is nonempty then it is expected that the referenced\nSecret exists and *all* authentication credentials are correctly set in the referenced\nSecret (username/password or shared secret). Mixing of credential sources\n(inline/external) is not supported.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Secret", "description": "Kind is kind of the referent. For example \"Secret\".", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the referenced object. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "authType": { "default": "plaintext", "description": "AuthType is the type of the STUN/TURN authentication mechanism.", "pattern": "^plaintext|static|longterm|ephemeral|timewindowed$", "type": "string" }, "dataplane": { "default": "default", "description": "Dataplane defines the dataplane (stunnerd image, version, etc) for STUNner gateways\nusing this GatewayConfig.", "type": "string" }, "loadBalancerServiceAnnotations": { "additionalProperties": { "type": "string" }, "description": "LoadBalancerServiceAnnotations is a list of annotations that will go into the\nLoadBalancer services created automatically by the operator to wrap Gateways.\n\nNOTE: removing annotations from a GatewayConfig will not result in the removal of the\ncorresponding annotations from the LoadBalancer service, in order to prevent the\naccidental removal of an annotation installed there by Kubernetes or the cloud\nprovider. If you really want to remove an annotation, do this manually or simply remove\nall Gateways (which will remove the corresponding LoadBalancer services), update the\nGatewayConfig and then recreate the Gateways, so that the newly created LoadBalancer\nservices will contain the required annotations.", "type": "object" }, "logLevel": { "description": "LogLevel specifies the default loglevel for the STUNner daemon.", "type": "string" }, "password": { "description": "Password defines the `password` credential for \"plaintext\" authentication.", "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "realm": { "default": "stunner.l7mp.io", "description": "Realm defines the STUN/TURN authentication realm to be used for clients toauthenticate\nwith STUNner.\n\nThe realm must consist of lower case alphanumeric characters or '-', and must start and\nend with an alphanumeric character. No other punctuation is allowed.", "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "sharedSecret": { "description": "SharedSecret defines the shared secret to be used for \"longterm\" authentication.", "type": "string" }, "stunMode": { "description": "STUNMode toggles STUN-server mode. In this mode only STUN binding requests are handled,\nbut no TURN allocations are allowed by the gateway. This is useful to prevent a DDoS\nvector when STUNner is deployed as a user-facing STUN server, where a client creates and\nremoves empty allocations in a fast loop to overload the TURN server. When STUN-mode is\nenabled TURN credentials are optional and ignored even if provided, otherwise TURN\ncredentials are mandatory. Default is false, which disables pure-STUN mode. Not\nsupported in the free tier.", "type": "boolean" }, "userName": { "description": "Username defines the `username` credential for \"plaintext\" authentication.", "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "userQuota": { "description": "UserQuota limits the number of allocations active at one time for a given TURN username\n(see RFC8656/Section 5). Overlimit allocations are rejected with a 486 (Allocation Quota\nReached) error. Default is no quota. Not supported in the free tier.", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "type": "object" }