envoyproxy
diff --git a/‎api/v1alpha1/authorization_types.go‎
Lines changed: 21 additions & 18 deletions b/‎api/v1alpha1/authorization_types.go‎
Lines changed: 21 additions & 18 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 31 additions & 26 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 31 additions & 26 deletions
diff --git a/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml‎
Lines changed: 63 additions & 108 deletions b/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml‎
Lines changed: 63 additions & 108 deletions
@@ -72,7 +72,7 @@ type Operation struct {
 // or any other identity that can be extracted from a custom header.
 // If there are multiple principal types, all principals must match for the rule to match.
 //
-// +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt) || has(self.headers) || has(self.geoLocation))",message="at least one of clientCIDRs, jwt, headers, or geoLocation must be specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt) || has(self.headers) || has(self.geoLocations))",message="at least one of clientCIDRs, jwt, headers, or geoLocations must be specified"
 type Principal struct {
 	// ClientCIDRs are the IP CIDR ranges of the client.
 	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
@@ -129,40 +129,43 @@ type Principal struct {
 	// +notImplementedHide
 	SourceCIDRs []CIDR `json:"sourceCIDRs,omitempty"`
 
-	// GeoLocation authorizes the request based on geolocation metadata derived from the client IP.
+	// GeoLocations authorizes the request based on geolocation metadata derived from the client IP.
+	// If multiple entries are specified,  one of the GeoLocation entries must match for the rule to match.
 	//
 	// +optional
+	// +kubebuilder:validation:MinItems=1
 	// +notImplementedHide
-	GeoLocation *GeoLocationPrincipal `json:"geoLocation,omitempty"`
+	GeoLocations []GeoLocation `json:"geoLocations,omitempty"`
 }
 
-// GeoLocationPrincipal specifies geolocation-based match criteria for authorization.
+// GeoLocation specifies geolocation-based match criteria for authorization.
 //
-// +kubebuilder:validation:XValidation:rule="(has(self.countries) || has(self.regions) || has(self.cities) || has(self.asns) || has(self.anonymous))",message="at least one of countries, regions, cities, asns, or anonymous must be specified"
-type GeoLocationPrincipal struct {
-	// Countries is a list of ISO 3166-1 alpha-2 country codes.
+// +kubebuilder:validation:XValidation:rule="(has(self.country) ? 1 : 0) + (has(self.region) ? 1 : 0) + (has(self.city) ? 1 : 0) + (has(self.asn) ? 1 : 0) + (has(self.isp) ? 1 : 0) + (has(self.anonymous) ? 1 : 0) == 1",message="exactly one of country, region, city, asn, isp, or anonymous must be specified"
+type GeoLocation struct {
+	// Country is the country associated with the client IP.
 	//
 	// +optional
-	// +kubebuilder:validation:MinItems=1
-	Countries []string `json:"countries,omitempty"`
+	Country *string `json:"country,omitempty"`
 
-	// Regions refines matching to ISO 3166-2 subdivisions.
+	// Region is the region associated with the client IP.
 	//
 	// +optional
-	// +kubebuilder:validation:MinItems=1
-	Regions []GeoIPRegion `json:"regions,omitempty"`
+	Region *string `json:"region,omitempty"`
 
-	// Cities refines matching to specific city names.
+	// City is the city associated with the client IP.
 	//
 	// +optional
-	// +kubebuilder:validation:MinItems=1
-	Cities []GeoIPCity `json:"cities,omitempty"`
+	City *string `json:"city,omitempty"`
 
-	// ASNs matches the autonomous system numbers associated with the client IP.
+	// ASN is the autonomous system number associated with the client IP.
 	//
 	// +optional
-	// +kubebuilder:validation:MinItems=1
-	ASNs []uint32 `json:"asns,omitempty"`
+	ASN *uint32 `json:"asn,omitempty"`
+
+	// ISP is the internet service provider associated with the client IP.
+	//
+	// +optional
+	ISP *string `json:"isp,omitempty"`
 
 	// Anonymous matches anonymous network detection signals.
 	//
 
@@ -272,115 +272,70 @@ spec:
                                 type: string
                               minItems: 1
                               type: array
-                            geoLocation:
-                              description: GeoLocation authorizes the request based
-                                on geolocation metadata derived from the client IP.
-                              properties:
-                                anonymous:
-                                  description: Anonymous matches anonymous network
-                                    detection signals.
-                                  properties:
-                                    isAnonymous:
-                                      description: IsAnonymous matches whether the
-                                        client IP is considered anonymous.
-                                      type: boolean
-                                    isHosting:
-                                      description: IsHosting matches whether the client
-                                        IP belongs to a hosting provider.
-                                      type: boolean
-                                    isProxy:
-                                      description: IsProxy matches whether the client
-                                        IP belongs to a public proxy.
-                                      type: boolean
-                                    isTor:
-                                      description: IsTor matches whether the client
-                                        IP belongs to a Tor exit node.
-                                      type: boolean
-                                    isVPN:
-                                      description: IsVPN matches whether the client
-                                        IP is detected as VPN.
-                                      type: boolean
-                                  type: object
-                                asns:
-                                  description: ASNs matches the autonomous system
-                                    numbers associated with the client IP.
-                                  items:
-                                    format: int32
-                                    type: integer
-                                  minItems: 1
-                                  type: array
-                                cities:
-                                  description: Cities refines matching to specific
-                                    city names.
-                                  items:
-                                    description: GeoIPCity selects a city, optionally
-                                      scoped to a region.
+                            geoLocations:
+                              description: |-
+                                GeoLocations authorizes the request based on geolocation metadata derived from the client IP.
+                                If multiple entries are specified,  one of the GeoLocation entries must match for the rule to match.
+                              items:
+                                description: GeoLocation specifies geolocation-based
+                                  match criteria for authorization.
+                                properties:
+                                  anonymous:
+                                    description: Anonymous matches anonymous network
+                                      detection signals.
                                     properties:
-                                      cityName:
-                                        description: CityName is the city name.
-                                        minLength: 1
-                                        type: string
-                                      countryCode:
-                                        description: CountryCode is the ISO 3166-1
-                                          alpha-2 country code.
-                                        pattern: ^[A-Z]{2}$
-                                        type: string
-                                      regionCode:
-                                        description: RegionCode optionally scopes
-                                          the city to a subdivision (ISO 3166-2 without
-                                          country prefix).
-                                        maxLength: 32
-                                        type: string
-                                    required:
-                                    - cityName
-                                    - countryCode
+                                      isAnonymous:
+                                        description: IsAnonymous matches whether the
+                                          client IP is considered anonymous.
+                                        type: boolean
+                                      isHosting:
+                                        description: IsHosting matches whether the
+                                          client IP belongs to a hosting provider.
+                                        type: boolean
+                                      isProxy:
+                                        description: IsProxy matches whether the client
+                                          IP belongs to a public proxy.
+                                        type: boolean
+                                      isTor:
+                                        description: IsTor matches whether the client
+                                          IP belongs to a Tor exit node.
+                                        type: boolean
+                                      isVPN:
+                                        description: IsVPN matches whether the client
+                                          IP is detected as VPN.
+                                        type: boolean
                                     type: object
-                                    x-kubernetes-validations:
-                                    - message: countryCode and cityName must be set
-                                      rule: has(self.countryCode) && has(self.cityName)
-                                  minItems: 1
-                                  type: array
-                                countries:
-                                  description: Countries is a list of ISO 3166-1 alpha-2
-                                    country codes.
-                                  items:
+                                  asn:
+                                    description: ASN is the autonomous system number
+                                      associated with the client IP.
+                                    format: int32
+                                    type: integer
+                                  city:
+                                    description: City is the city associated with
+                                      the client IP.
                                     type: string
-                                  minItems: 1
-                                  type: array
-                                regions:
-                                  description: Regions refines matching to ISO 3166-2
-                                    subdivisions.
-                                  items:
-                                    description: GeoIPRegion selects a region within
-                                      a country.
-                                    properties:
-                                      countryCode:
-                                        description: CountryCode is the ISO 3166-1
-                                          alpha-2 country code.
-                                        pattern: ^[A-Z]{2}$
-                                        type: string
-                                      regionCode:
-                                        description: RegionCode is the ISO 3166-2
-                                          subdivision code (without country prefix).
-                                        maxLength: 32
-                                        minLength: 1
-                                        type: string
-                                    required:
-                                    - countryCode
-                                    - regionCode
-                                    type: object
-                                    x-kubernetes-validations:
-                                    - message: countryCode and regionCode must both
-                                        be set
-                                      rule: has(self.countryCode) && has(self.regionCode)
-                                  minItems: 1
-                                  type: array
-                              type: object
-                              x-kubernetes-validations:
-                              - message: at least one of countries, regions, cities,
-                                  asns, or anonymous must be specified
-                                rule: (has(self.countries) || has(self.regions) ||
-                                  has(self.cities) || has(self.asns) || has(self.anonymous))
+                                  country:
+                                    description: Country is the country associated
+                                      with the client IP.
+                                    type: string
+                                  isp:
+                                    description: ISP is the internet service provider
+                                      associated with the client IP.
+                                    type: string
+                                  region:
+                                    description: Region is the region associated with
+                                      the client IP.
+                                    type: string
+                                type: object
+                                x-kubernetes-validations:
+                                - message: exactly one of country, region, city, asn,
+                                    isp, or anonymous must be specified
+                                  rule: '(has(self.country) ? 1 : 0) + (has(self.region)
+                                    ? 1 : 0) + (has(self.city) ? 1 : 0) + (has(self.asn)
+                                    ? 1 : 0) + (has(self.isp) ? 1 : 0) + (has(self.anonymous)
+                                    ? 1 : 0) == 1'
+                              minItems: 1
+                              type: array
                             headers:
                               description: |-
                                 Headers authorize the request based on user identity extracted from custom headers.
@@ -524,9 +479,9 @@ spec:
                           type: object
                           x-kubernetes-validations:
                           - message: at least one of clientCIDRs, jwt, headers, or
-                              geoLocation must be specified
+                              geoLocations must be specified
                             rule: (has(self.clientCIDRs) || has(self.jwt) || has(self.headers)
-                              || has(self.geoLocation))
+                              || has(self.geoLocations))
                       required:
                       - action
                       - principal