Merge pull request #121405 from alexzielenski/apiserver/apiextensions/ratcheting-benchmarks

KEP-4008: CRDValidationRatcheting: Add Benchmarks

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test.go

@@ -22,18 +22,27 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
 	jsonpatch "github.com/evanphx/json-patch"
+	apiextensionsinternal "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
 	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apiextensions-apiserver/pkg/features"
+	"k8s.io/apiextensions-apiserver/pkg/registry/customresource"
 	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -41,6 +50,8 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/dynamic"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+	"k8s.io/kube-openapi/pkg/validation/strfmt"
 )
 
 var stringSchema *apiextensionsv1.JSONSchemaProps = &apiextensionsv1.JSONSchemaProps{
@@ -1664,3 +1675,233 @@ func TestRatchetingFunctionality(t *testing.T) {
 func ptr[T any](v T) *T {
 	return &v
 }
+
+type validator func(new, old *unstructured.Unstructured)
+
+func newValidator(customResourceValidation *apiextensionsinternal.JSONSchemaProps, kind schema.GroupVersionKind, namespaceScoped bool) (validator, error) {
+	// Replicate customResourceStrategy validation
+	openapiSchema := &spec.Schema{}
+	if customResourceValidation != nil {
+		// TODO: replace with NewStructural(...).ToGoOpenAPI
+		if err := apiservervalidation.ConvertJSONSchemaPropsWithPostProcess(customResourceValidation, openapiSchema, apiservervalidation.StripUnsupportedFormatsPostProcess); err != nil {
+			return nil, err
+		}
+	}
+
+	schemaValidator := apiservervalidation.NewRatchetingSchemaValidator(
+		openapiSchema,
+		nil,
+		"",
+		strfmt.Default)
+	sts, err := structuralschema.NewStructural(customResourceValidation)
+	if err != nil {
+		return nil, err
+	}
+
+	strategy := customresource.NewStrategy(
+		nil, // No need for typer, since only using validation
+		namespaceScoped,
+		kind,
+		schemaValidator,
+		nil, // No status schema validator
+		sts,
+		nil, // No need for status
+		nil, // No need for scale
+	)
+
+	return func(new, old *unstructured.Unstructured) {
+		_ = strategy.ValidateUpdate(context.TODO(), new, old)
+	}, nil
+}
+
+// Recursively walks the provided directory and parses the YAML files into
+// unstructured objects. If there are more than one object in a single file,
+// they are all added to the returned slice.
+func loadObjects(dir string) []*unstructured.Unstructured {
+	result := []*unstructured.Unstructured{}
+	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		} else if d.IsDir() {
+			return nil
+		} else if filepath.Ext(d.Name()) != ".yaml" {
+			return nil
+		}
+		// Read the file in as []byte
+		data, err := os.ReadFile(path)
+		if err != nil {
+			return err
+		}
+
+		decoder := utilyaml.NewYAMLOrJSONDecoder(bytes.NewReader(data), 4096)
+
+		// Split the data by YAML drame
+		for {
+			parsed := &unstructured.Unstructured{}
+			if err := decoder.Decode(parsed); err != nil {
+				if errors.Is(err, io.EOF) {
+					break
+				}
+				return err
+			}
+
+			result = append(result, parsed)
+		}
+
+		return nil
+	})
+	if err != nil {
+		panic(err)
+	}
+	return result
+}
+
+func BenchmarkRatcheting(b *testing.B) {
+	// Walk directory with CRDs, for each file parse YAML with multiple CRDs in it.
+	// Keep track in a map a validator for each unique gvk
+	crdObjects := loadObjects("ratcheting_test_cases/crds")
+	invalidFiles := loadObjects("ratcheting_test_cases/invalid")
+	validFiles := loadObjects("ratcheting_test_cases/valid")
+
+	// Create a validator for each GVK.
+	validators := map[schema.GroupVersionKind]validator{}
+	for _, crd := range crdObjects {
+		parsed := apiextensionsv1.CustomResourceDefinition{}
+		if err := runtime.DefaultUnstructuredConverter.FromUnstructured(crd.Object, &parsed); err != nil {
+			b.Fatalf("Failed to parse CRD %v", err)
+			return
+		}
+
+		for _, v := range parsed.Spec.Versions {
+			gvk := schema.GroupVersionKind{
+				Group:   parsed.Spec.Group,
+				Version: v.Name,
+				Kind:    parsed.Spec.Names.Kind,
+			}
+
+			// Create structural schema from v.Schema.OpenAPIV3Schema
+			internalValidation := &apiextensionsinternal.CustomResourceValidation{}
+			if err := apiextensionsv1.Convert_v1_CustomResourceValidation_To_apiextensions_CustomResourceValidation(v.Schema, internalValidation, nil); err != nil {
+				b.Fatal(fmt.Errorf("failed converting CRD validation to internal version: %v", err))
+				return
+			}
+
+			validator, err := newValidator(internalValidation.OpenAPIV3Schema, gvk, parsed.Spec.Scope == apiextensionsv1.NamespaceScoped)
+			if err != nil {
+				b.Fatal(err)
+				return
+			}
+			validators[gvk] = validator
+		}
+
+	}
+
+	// Organize all the files by GVK.
+	gvksToValidFiles := map[schema.GroupVersionKind][]*unstructured.Unstructured{}
+	gvksToInvalidFiles := map[schema.GroupVersionKind][]*unstructured.Unstructured{}
+
+	for _, valid := range validFiles {
+		gvk := valid.GroupVersionKind()
+		gvksToValidFiles[gvk] = append(gvksToValidFiles[gvk], valid)
+	}
+
+	for _, invalid := range invalidFiles {
+		gvk := invalid.GroupVersionKind()
+		gvksToInvalidFiles[gvk] = append(gvksToInvalidFiles[gvk], invalid)
+	}
+
+	// Remove any GVKs for which we dont have both valid and invalid files.
+	for gvk := range gvksToValidFiles {
+		if _, ok := gvksToInvalidFiles[gvk]; !ok {
+			delete(gvksToValidFiles, gvk)
+		}
+	}
+
+	for gvk := range gvksToInvalidFiles {
+		if _, ok := gvksToValidFiles[gvk]; !ok {
+			delete(gvksToInvalidFiles, gvk)
+		}
+	}
+
+	type pair struct {
+		old *unstructured.Unstructured
+		new *unstructured.Unstructured
+	}
+
+	// For each valid file, match it with every invalid file of the same GVK
+	validXValidPairs := []pair{}
+	validXInvalidPairs := []pair{}
+	invalidXInvalidPairs := []pair{}
+
+	for gvk, valids := range gvksToValidFiles {
+		for _, validOld := range valids {
+			for _, validNew := range gvksToValidFiles[gvk] {
+				validXValidPairs = append(validXValidPairs, pair{old: validOld, new: validNew})
+			}
+		}
+	}
+
+	for gvk, valids := range gvksToValidFiles {
+		for _, valid := range valids {
+			for _, invalid := range gvksToInvalidFiles[gvk] {
+				validXInvalidPairs = append(validXInvalidPairs, pair{old: valid, new: invalid})
+			}
+		}
+	}
+
+	// For each invalid file, add pair with every other invalid file of the same
+	// GVK including itself
+	for gvk, invalids := range gvksToInvalidFiles {
+		for _, invalid := range invalids {
+			for _, invalid2 := range gvksToInvalidFiles[gvk] {
+				invalidXInvalidPairs = append(invalidXInvalidPairs, pair{old: invalid, new: invalid2})
+			}
+		}
+	}
+
+	// For each pair, run the ratcheting algorithm on the update.
+	//
+	for _, ratchetingEnabled := range []bool{true, false} {
+		name := "RatchetingEnabled"
+		if !ratchetingEnabled {
+			name = "RatchetingDisabled"
+		}
+		b.Run(name, func(b *testing.B) {
+			defer featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.CRDValidationRatcheting, ratchetingEnabled)()
+			b.ResetTimer()
+
+			do := func(pairs []pair) {
+				for _, pair := range pairs {
+					// Create a validator for the GVK of the valid object.
+					validator, ok := validators[pair.old.GroupVersionKind()]
+					if !ok {
+						b.Log("No validator for GVK", pair.old.GroupVersionKind())
+						continue
+					}
+
+					// Run the ratcheting algorithm on the update.
+					// Don't care about result for benchmark
+					validator(pair.old, pair.new)
+				}
+			}
+
+			b.Run("ValidXValid", func(b *testing.B) {
+				for i := 0; i < b.N; i++ {
+					do(validXValidPairs)
+				}
+			})
+
+			b.Run("ValidXInvalid", func(b *testing.B) {
+				for i := 0; i < b.N; i++ {
+					do(validXInvalidPairs)
+				}
+			})
+
+			b.Run("InvalidXInvalid", func(b *testing.B) {
+				for i := 0; i < b.N; i++ {
+					do(invalidXInvalidPairs)
+				}
+			})
+		})
+	}
+}

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/duplicate-listeners.yaml

@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: duplicate-listeners
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: same
+    protocol: HTTP
+    port: 80
+  - name: same
+    protocol: HTTP
+    port: 443

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/hostname-tcp.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: hostname-tcp
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: example
+    hostname: example.com
+    protocol: TCP
+    port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/hostname-udp.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: hostname-udp
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: example
+    hostname: example.com
+    protocol: UDP
+    port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/invalid-addresses.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: invalid-addresses
+spec:
+  gatewayClassName: acme-lb
+  addresses:
+  - value: 1200:0000:::AB00:1234:0000:2552:7777:1313
+  - value: 21DA:D3:0:2F3B:2AY:FF:FE28:9C5A
+  - value: "2001:db8:3c4d:15:0:d234:3eee:"
+  - value: "2001:db8:3c4d:15:0:d234:3eee:::"
+  - value: ":::1234::"
+  - value: "1.1.1"
+  - value: "1.a.3.4"
+  - value: "foo.com"
+  - type: IPAddress
+    value: "256.255.255.255"
+  - type: "Hostname"
+    value: "foo.com:80"
+  - type: "example.com/custom"
+    value: "anything goes"
+  listeners:
+  - protocol: HTTP
+    port: 80
+    name: prod-web-gw
+    allowedRoutes:
+      namespaces:
+        from: Same

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/invalid-listener-name.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: invalid-listener-name
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: bad>
+    protocol: HTTP
+    port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/invalid-listener-port.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: invalid-listener-port
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: foo
+    protocol: HTTP
+    port: 123456789

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gateway/tlsconfig-tcp.yaml

@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: tlsconfig-tcp
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: example
+    protocol: TCP
+    port: 443
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: bar-example-com-cert
+

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/gatewayclass/invalid-controller.yaml

@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: invalid-controller
+spec:
+  controllerName: example

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/duplicate-header-match.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: duplicate-header-match
+spec:
+  rules:
+  - matches:
+    - headers:
+      - name: foo
+        value: bar
+      - name: foo
+        value: bar

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/duplicate-query-match.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: duplicate-query-match
+spec:
+  rules:
+  - matches:
+    - queryParams:
+      - name: foo
+        value: bar
+      - name: foo
+        value: bar

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/httproute-portless-backend.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: portless-backend
+spec:
+  parentRefs:
+  - name: prod-web
+  rules:
+  - backendRefs:
+    - name: foo

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/httproute-portless-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: portless-service
+spec:
+  parentRefs:
+  - name: prod-web
+  rules:
+  - backendRefs:
+    - name: foo
+      kind: Service
+      group: ""

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-backend-group.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-backend-group
+spec:
+  rules:
+  - backendRefs:
+    - group: "*"
+      name: foo
+      port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-backend-kind.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-backend-kind
+spec:
+  rules:
+  - backendRefs:
+    - kind: "*"
+      name: foo
+      port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-backend-port.yaml

@@ -0,0 +1,9 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-backend-port
+spec:
+  rules:
+  - backendRefs:
+    - name: my-service1
+      port: 800080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-filter-duplicate-header.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-filter-duplicate-header
+spec:
+  rules:
+  - filters:
+    - type: RequestHeaderModifier
+      requestHeaderModifier:
+        remove:
+        - foo
+        - foo

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-filter-duplicate.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-filter-duplicate
+spec:
+  rules:
+  - filters:
+    - type: RequestHeaderModifier
+      requestHeaderModifier:
+        add:
+        - name: my-header
+          value: foo
+    - type: RequestHeaderModifier
+      requestHeaderModifier:
+        add:
+        - name: my-header
+          value: bar
+

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-filter-empty.yaml

@@ -0,0 +1,8 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-filter-empty
+spec:
+  rules:
+  - filters:
+    - type: RequestHeaderModifier

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-filter-wrong-field.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-filter-wrong-field
+spec:
+  rules:
+  - filters:
+    - type: RequestHeaderModifier
+      requestRedirect: 
+        port: 443
+

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-header-name.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-header-name
+spec:
+  rules:
+  - matches:
+    - headers:
+      - type: Exact
+        name: magic/
+        value: foo

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-hostname.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-hostname
+spec:
+  hostnames:
+  - http://a<
+  rules:
+  - backendRefs:
+    - name: foo

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-httredirect-hostname.yaml

@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-backend-port
+spec:
+  rules:
+  - backendRefs:
+    - name: my-service
+      port: 8080
+    filters:
+    - type: RequestRedirect
+      requestRedirect:
+        hostname: "*.gateway.networking.k8s.io"
+

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-method.yaml

@@ -0,0 +1,8 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-method
+spec:
+  rules:
+  - matches:
+    - method: NOTREAL

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-path-alphanum-specialchars-mix.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-path-alphanum-specialchars-mix
+spec:
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /my[/]path01

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-path-specialchars.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: invalid-path-specialchars
+spec:
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /[]

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/httproute/invalid-request-redirect-with-backendref.yaml

@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-rewrite
+spec:
+  hostnames:
+    - rewrite.example
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
+      backendRefs:
+        - name: example-svc
+          port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/referencegrant/missing-from.yaml

@@ -0,0 +1,8 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: missing-from
+spec:
+  to:
+  - group: ""
+    kind: "Service"

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/referencegrant/missing-ns.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: missing-ns
+spec:
+  to:
+  - group: ""
+    kind: "Service"
+  from:
+  - group: "gateway.networking.k8s.io"
+    kind: "HTTPRoute"

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/invalid/referencegrant/missing-to.yaml

@@ -0,0 +1,9 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: missing-to
+spec:
+  from:
+  - group: ""
+    kind: "Service"
+    namespace: "example"

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/0-namespaces.yaml

@@ -0,0 +1,11 @@
+# These namespaces can be used for examples without recreating them each time.
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-api-example-ns1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-api-example-ns2

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/basic-http.yaml

@@ -0,0 +1,57 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: acme-lb
+spec:
+  controllerName: acme.io/gateway-controller
+  parametersRef:
+    name: acme-lb
+    group: acme.io
+    kind: Parameters
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-gateway
+spec:
+  gatewayClassName: acme-lb
+  listeners:  # Use GatewayClass defaults for listener definition.
+  - name: http
+    protocol: HTTP
+    port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-app-1
+spec:
+  parentRefs:
+  - name: my-gateway
+  hostnames:
+  - "foo.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /bar
+    backendRefs:
+    - name: my-service1
+      port: 8080
+  - matches:
+    - headers:
+      - type: Exact
+        name: magic
+        value: foo
+      queryParams:
+      - type: Exact
+        name: great
+        value: example
+      path:
+        type: PathPrefix
+        value: /some/thing
+      method: GET
+    backendRefs:
+    - name: my-service2
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/cross-namespace-routing/0-namespaces.yaml

@@ -0,0 +1,27 @@
+#$ Used in:
+#$ - site-src/guides/multiple-ns.md
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-ns
+  labels:
+    shared-gateway-access: "true"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: site-ns
+  labels:
+    shared-gateway-access: "true"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: store-ns
+  labels:
+    shared-gateway-access: "true"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: no-external-access

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/cross-namespace-routing/gateway.yaml

@@ -0,0 +1,23 @@
+#$ Used in:
+#$ - site-src/guides/multiple-ns.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: shared-gateway
+  namespace: infra-ns
+spec:
+  gatewayClassName: shared-gateway-class
+  listeners:
+  - name: https
+    hostname: "foo.example.com"
+    protocol: HTTPS
+    port: 443
+    allowedRoutes:
+      namespaces:
+        from: Selector
+        selector:
+          matchLabels:
+            shared-gateway-access: "true"
+    tls:
+      certificateRefs:
+      - name: foo-example-com

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/cross-namespace-routing/site-route.yaml

@@ -0,0 +1,36 @@
+#$ Used in:
+#$ - site-src/guides/multiple-ns.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: home
+  namespace: site-ns
+spec:
+  parentRefs:
+  - name: shared-gateway
+    namespace: infra-ns
+  rules:
+  - backendRefs:
+    - name: home
+      port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: login
+  namespace: site-ns
+spec:
+  parentRefs:
+  - name: shared-gateway
+    namespace: infra-ns
+  rules:
+  - matches:
+    - path:
+        value: /login
+    backendRefs:
+    - name: login-v1
+      port: 8080
+      weight: 90
+    - name: login-v2
+      port: 8080
+      weight: 10

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/cross-namespace-routing/store-route.yaml

@@ -0,0 +1,18 @@
+#$ Used in:
+#$ - site-src/guides/multiple-ns.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: store
+  namespace: store-ns
+spec:
+  parentRefs:
+  - name: shared-gateway
+    namespace: infra-ns
+  rules:
+  - matches:
+    - path:
+        value: /store
+    backendRefs:
+    - name: store
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/default-match-http.yaml

@@ -0,0 +1,51 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: default-match-example
+spec:
+  controllerName: acme.io/gateway-controller
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: default-match-gw
+spec:
+  gatewayClassName: default-match-example
+  listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+---
+# This HTTPRoute demonstrates patch match defaulting. If no path match is
+# specified, CRD defaults adds a default PathPrefix match on the path "/". This
+# matches every HTTP request and ensures that route rules always have at
+# least one valid match.
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: default-match-route
+  labels:
+    app: default-match
+spec:
+  parentRefs:
+  - name: default-match-gw
+  hostnames:
+  - default-match.com
+  rules:
+  - matches:
+    - headers:
+      - type: Exact
+        name: magic
+        value: default-match
+    backendRefs:
+    - group: acme.io
+      kind: CustomBackend
+      name: my-custom-resource
+      port: 8080
+  - matches:
+    - path:
+        type: Exact
+        value: /example/exact
+    backendRefs:
+    - name: my-service-2
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/gateway-addresses.yaml

@@ -0,0 +1,27 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway-addresses
+spec:
+  gatewayClassName: acme-lb
+  addresses:
+  - value: 1200:0000:AB00:1234:0000:2552:7777:1313
+  - value: 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A
+  - value: "2001:db8:3c4d:15:0:d234:3eee::"
+  - value: "1234::"
+  - value: "1.1.1.1"
+  - value: "1.2.3.4"
+  - value: "0.0.0.0"
+  - value: "9.255.255.255"
+  - value: "11.0.0.0"
+  - type: IPAddress
+    value: "255.255.255.255"
+  - type: "Hostname"
+    value: "example.com"
+  listeners:
+  - protocol: HTTP
+    port: 80
+    name: prod-web-gw
+    allowedRoutes:
+      namespaces:
+        from: Same

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-filter.yaml

@@ -0,0 +1,20 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-1
+spec:
+  hostnames:
+    - my.filter.com
+  rules:
+    - filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            add:
+              - name: my-header
+                value: foo
+      backendRefs:
+        - name: my-filter-svc1
+          weight: 1
+          port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-path.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-1
+  namespace: gateway-api-example-ns1
+spec:
+  parentRefs:
+  - name: my-filter-gateway
+    sectionName: http
+  hostnames:
+  - my-filter.example.com
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: /foo

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-rewrite/httproute-redirect-full.yaml

@@ -0,0 +1,21 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-redirect
+spec:
+  hostnames:
+    - redirect.example
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /cayenne
+      filters:
+        - type: RequestRedirect
+          requestRedirect:
+            path:
+              type: ReplaceFullPath
+              replaceFullPath: /paprika
+            statusCode: 302

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-rewrite/httproute-redirect-https.yaml

@@ -0,0 +1,15 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-redirect
+spec:
+  hostnames:
+    - redirect.example
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-rewrite/httproute-redirect-prefix.yaml

@@ -0,0 +1,21 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-redirect
+spec:
+  hostnames:
+    - redirect.example
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /cayenne
+      filters:
+        - type: RequestRedirect
+          requestRedirect:
+            path:
+              type: ReplacePrefixMatch
+              replacePrefixMatch: /paprika
+            statusCode: 302

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-rewrite/httproute-rewrite-path.yaml

@@ -0,0 +1,25 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-rewrite
+spec:
+  hostnames:
+    - rewrite.example
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /cardamom
+      filters:
+        - type: URLRewrite
+          urlRewrite:
+            hostname: elsewhere.example
+            path:
+              type: ReplaceFullPath
+              replaceFullPath: /fennel
+      backendRefs:
+        - name: example-svc
+          weight: 1
+          port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-rewrite/httproute-rewrite.yaml

@@ -0,0 +1,18 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-rewrite
+spec:
+  hostnames:
+    - rewrite.example
+  rules:
+    - filters:
+        - type: URLRewrite
+          urlRewrite:
+            hostname: elsewhere.example
+      backendRefs:
+        - name: example-svc
+          weight: 1
+          port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect-rewrite/httproute-rewritepath.yaml

@@ -0,0 +1,21 @@
+#$ Used in:
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-rewrite
+spec:
+  hostnames:
+    - rewrite.example
+  rules:
+    - filters:
+        - type: URLRewrite
+          urlRewrite:
+            hostname: elsewhere.example
+            path:
+              type: ReplacePrefixMatch
+              replacePrefixMatch: /fennel
+      backendRefs:
+        - name: example-svc
+          weight: 1
+          port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-redirect.yaml

@@ -0,0 +1,73 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: filter-lb
+spec:
+  controllerName: acme.io/gateway-controller
+  parametersRef:
+    name: acme-lb
+    group: acme.io
+    kind: Parameters
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-api-example-ns1
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-filter-gateway
+  namespace: gateway-api-example-ns1
+spec:
+  gatewayClassName: filter-lb
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        certificateRefs:
+          - kind: Secret
+            group: ""
+            name: example-com-cert
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-1
+  namespace: gateway-api-example-ns1
+spec:
+  parentRefs:
+    - name: my-filter-gateway
+      sectionName: http
+  hostnames:
+    - my-filter.example.com
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-2
+  namespace: gateway-api-example-ns1
+spec:
+  parentRefs:
+    - name: my-filter-gateway
+      sectionName: https
+  hostnames:
+    - my-filter.example.com
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: my-filter-svc1
+          weight: 1
+          port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-request-header-add.yaml

@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: header-http-echo
+spec:
+  parentRefs:
+    - name: acme-gw
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /add-a-request-header
+      filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            add:
+              - name: my-header-name
+                value: my-header-value
+      backendRefs:
+        - name: echo
+          port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-request-header-remove.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: header-http-echo
+spec:
+  parentRefs:
+    - name: acme-gw
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /remove-a-request-header
+      filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            remove:
+              - x-request-id
+      backendRefs:
+        - name: echo
+          port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-request-header-set.yaml

@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: header-http-echo
+spec:
+  parentRefs:
+    - name: acme-gw
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /edit-a-request-header
+      filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            set:
+              - name: my-header-name
+                value: my-new-header-value
+      backendRefs:
+        - name: echo
+          port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-rewrite.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-filter-1
+  namespace: gateway-api-example-ns1
+spec:
+  parentRefs:
+  - name: my-filter-gateway
+    sectionName: http
+  hostnames:
+  - my-filter.example.com
+  rules:
+  - filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: /foo

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-route-attachment/gateway-namespaces.yaml

@@ -0,0 +1,21 @@
+#$ Used in:
+#$ - site-src/concepts/api-overview.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: prod-gateway
+  namespace: gateway-api-example-ns1
+spec:
+  gatewayClassName: foo-lb
+  listeners:
+  - name: prod-web
+    port: 80
+    protocol: HTTP
+    allowedRoutes:
+      kinds:
+      - kind: HTTPRoute
+      namespaces:
+        from: Selector
+        selector:
+          matchLabels:
+            expose-apps: "true"

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-route-attachment/gateway-strict.yaml

@@ -0,0 +1,23 @@
+#$ Used in:
+#$ - site-src/concepts/api-overview.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: foo-gateway
+  namespace: gateway-api-example-ns1
+spec:
+  gatewayClassName: foo-lb
+  listeners:
+  - name: prod-web
+    port: 80
+    protocol: HTTP
+    allowedRoutes:
+      kinds:
+      - kind: HTTPRoute
+      namespaces:
+        from: Selector
+        selector:
+          matchLabels:
+            # This label is added automatically as of K8s 1.22
+            # to all namespaces
+            kubernetes.io/metadata.name: gateway-api-example-ns2

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-route-attachment/httproute.yaml

@@ -0,0 +1,16 @@
+#$ Used in:
+#$ - site-src/concepts/api-overview.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: my-route
+  namespace: gateway-api-example-ns2
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: foo-gateway
+    namespace: gateway-api-example-ns1
+  rules:
+  - backendRefs:
+    - name: foo-svc
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-routing/bar-httproute.yaml

@@ -0,0 +1,23 @@
+#$ Used in:
+#$ - site-src/guides/http-routing.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: bar-route
+spec:
+  parentRefs:
+  - name: example-gateway
+  hostnames:
+  - "bar.example.com"
+  rules:
+  - matches:
+    - headers:
+      - type: Exact
+        name: env
+        value: canary
+    backendRefs:
+    - name: bar-svc-canary
+      port: 8080
+  - backendRefs:
+    - name: bar-svc
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-routing/foo-httproute.yaml

@@ -0,0 +1,19 @@
+#$ Used in:
+#$ - site-src/guides/http-routing.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: foo-route
+spec:
+  parentRefs:
+  - name: example-gateway
+  hostnames:
+  - "foo.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /login
+    backendRefs:
+    - name: foo-svc
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/http-routing/gateway.yaml

@@ -0,0 +1,26 @@
+#$ Used in:
+#$ - site-src/guides/http-routing.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: example-gateway
+spec:
+  gatewayClassName: example-gateway-class
+  listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: example-route
+spec:
+  parentRefs:
+  - name: example-gateway
+  hostnames:
+  - "example.com"
+  rules:
+  - backendRefs:
+    - name: example-svc
+      port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/httproute.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: my-app
+spec:
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /mypath
+    backendRefs:
+    - name: my-service-1
+      port: 8080
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /mypath-012
+    backendRefs:
+    - name: my-service-2
+      port: 8080
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /my%20path/123
+    backendRefs:
+    - name: my-service-3
+      port: 8080
+

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/0-namespaces.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foo
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bar

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/httproute-gamma.yaml

@@ -0,0 +1,19 @@
+#$ Used in:
+#$ - geps/gep-1748.md
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: store
+spec:
+  parentRefs:
+  - group: multicluster.x-k8s.io
+    kind: ServiceImport
+    name: store
+  rules:
+  - matches:
+    - path:
+        value: "/cart"
+    backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: cart

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/httproute-hybrid.yaml

@@ -0,0 +1,20 @@
+#$ Used in:
+#$ - geps/gep-1748.md
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: store
+spec:
+  parentRefs:
+  - name: external-http
+  rules:
+  - backendRefs:
+    - kind: Service
+      name: store
+      port: 8080
+      weight: 90
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: store-global
+      port: 8080
+      weight: 10

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/httproute-location.yaml

@@ -0,0 +1,33 @@
+#$ Used in:
+#$ - geps/gep-1748.md
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: store
+spec:
+  parentRefs:
+  - name: external-http
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /west
+    backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: store-west
+      port: 8080
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /east
+    backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: store-east
+      port: 8080
+  - backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: store
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/httproute-method.yaml

@@ -0,0 +1,24 @@
+#$ Used in:
+#$ - geps/gep-1748.md
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: api
+spec:
+  parentRefs:
+  - name: api-gw
+  rules:
+  - matches:
+    - method: POST
+    - method: PUT
+    - method: DELETE
+    backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: api-primary
+      port: 8080
+  - backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: api-replicas
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/httproute-referencegrant.yaml

@@ -0,0 +1,32 @@
+#$ Used in:
+#$ - geps/gep-1748.md
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: foo
+  namespace: foo
+spec:
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /bar
+    backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: bar
+      namespace: bar
+---
+kind: ReferenceGrant
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: bar
+  namespace: bar
+spec:
+  from:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    namespace: foo
+  to:
+  - group: multicluster.x-k8s.io
+    kind: ServiceImport

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/multicluster/httproute-simple.yaml

@@ -0,0 +1,15 @@
+#$ Used in:
+#$ - geps/gep-1748.md
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: store
+spec:
+  parentRefs:
+  - name: external-http
+  rules:
+  - backendRefs:
+    - group: multicluster.x-k8s.io
+      kind: ServiceImport
+      name: store
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/reference-grant.yaml

@@ -0,0 +1,14 @@
+#$ Used in:
+#$ - site-src/concepts/security-model.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-prod-traffic
+spec:
+  from:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    namespace: prod
+  to:
+  - group: ""
+    kind: Service

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/simple-gateway/gateway.yaml

@@ -0,0 +1,16 @@
+#$ Used in:
+#$ - site-src/guides/traffic-splitting.md
+#$ - site-src/guides/simple-gateway.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: prod-web
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - protocol: HTTP
+    port: 80
+    name: prod-web-gw
+    allowedRoutes:
+      namespaces:
+        from: Same

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/simple-gateway/httproute.yaml

@@ -0,0 +1,14 @@
+#$ Used in:
+#$ - site-src/guides/simple-gateway.md
+#$ - site-src/blog/2021/introducing-v1beta1.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: foo
+spec:
+  parentRefs:
+  - name: prod-web
+  rules:
+  - backendRefs:
+    - name: foo-svc
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/simple-http-https/bar-route.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: bar 
+spec:
+  parentRefs:
+  - name: example-gateway
+    sectionName: https
+  hostnames:
+  - bar.example.com
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: bar-app 
+      port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/simple-http-https/foo-route.yaml

@@ -0,0 +1,25 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: foo 
+spec:
+  parentRefs:
+  - name: example-gateway
+    sectionName: https
+  hostnames:
+  - foo.example.com
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: foo-app 
+      port: 80
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /orders
+    backendRefs:
+    - name: foo-orders-app 
+      port: 80

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/simple-http-https/gateway.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: example-gateway
+spec:
+  gatewayClassName: prod 
+  listeners:
+  - name: http
+    port: 80
+    protocol: HTTP
+    hostname: "*.example.com"
+  - name: https
+    port: 443
+    protocol: HTTPS
+    hostname: "*.example.com"
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - kind: Secret
+        name: example-com

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/simple-http-https/tls-redirect-route.yaml

@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: tls-redirect
+spec:
+  parentRefs:
+  - name: example-gateway
+    sectionName: http
+  hostnames:
+  - foo.example.com
+  - bar.example.com
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+        port: 443

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/tls-basic.yaml

@@ -0,0 +1,27 @@
+#$ Used in:
+#$ - site-src/guides/tls.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: tls-basic
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: foo-https
+    protocol: HTTPS
+    port: 443
+    hostname: foo.example.com
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: foo-example-com-cert
+  - name: bar-https
+    protocol: HTTPS
+    port: 443
+    hostname: bar.example.com
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: bar-example-com-cert

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/tls-cert-cross-namespace.yaml

@@ -0,0 +1,34 @@
+#$ Used in:
+#$ - site-src/v1alpha2/guides/tls.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: cross-namespace-tls-gateway
+  namespace: gateway-api-example-ns1
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: https
+    protocol: HTTPS
+    port: 443
+    hostname: "*.example.com"
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: wildcard-example-com-cert
+        namespace: gateway-api-example-ns2
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-ns1-gateways-to-ref-secrets
+  namespace: gateway-api-example-ns2
+spec:
+  from:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    namespace: gateway-api-example-ns1
+  to:
+  - group: ""
+    kind: Secret

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/traffic-splitting/simple-split.yaml

@@ -0,0 +1,15 @@
+#$ Used in:
+#$ - site-src/guides/traffic-splitting.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: simple-split
+spec:
+  rules:
+  - backendRefs:
+    - name: foo-v1
+      port: 8080
+      weight: 90
+    - name: foo-v2
+      port: 8080
+      weight: 10

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/traffic-splitting/traffic-split-1.yaml

@@ -0,0 +1,22 @@
+#$ Used in:
+#$ - site-src/guides/traffic-splitting.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: foo-route
+  labels:
+    gateway: prod-web-gw
+spec:
+  hostnames:
+  - foo.example.com
+  rules:
+  - backendRefs:
+    - name: foo-v1
+      port: 8080
+  - matches:
+    - headers:
+      - name: traffic
+        value: test
+    backendRefs:
+    - name: foo-v2
+      port: 8080

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/traffic-splitting/traffic-split-2.yaml

@@ -0,0 +1,20 @@
+#$ Used in:
+#$ - site-src/guides/traffic-splitting.md
+#$ - site-src/api-types/httproute.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: foo-route
+  labels:
+    gateway: prod-web-gw
+spec:
+  hostnames:
+  - foo.example.com
+  rules:
+  - backendRefs:
+    - name: foo-v1
+      port: 8080
+      weight: 90
+    - name: foo-v2
+      port: 8080
+      weight: 10

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/traffic-splitting/traffic-split-3.yaml

@@ -0,0 +1,19 @@
+#$ Used in:
+#$ - site-src/guides/traffic-splitting.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: foo-route
+  labels:
+    gateway: prod-web-gw
+spec:
+  hostnames:
+  - foo.example.com
+  rules:
+  - backendRefs:
+    - name: foo-v1
+      port: 8080
+      weight: 0
+    - name: foo-v2
+      port: 8080
+      weight: 1

staging/src/k8s.io/apiextensions-apiserver/test/integration/ratcheting_test_cases/valid/wildcard-tls-gateway.yaml

@@ -0,0 +1,27 @@
+#$ Used in:
+#$ - site-src/guides/tls.md
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: wildcard-tls-gateway
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: foo-https
+    protocol: HTTPS
+    port: 443
+    hostname: foo.example.com
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: foo-example-com-cert
+  - name: wildcard-https
+    protocol: HTTPS
+    port: 443
+    hostname: "*.example.com"
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: wildcard-example-com-cert