Replace runtime TLS validation with API-level CEL rules #12338

@timflannagan

Description

kgateway version

main

Kubernetes Version

N/A

Describe the bug

The TLS plugin currently validates at runtime, in tls.go, that a root CA is provided whenever verifySubjectAltName is specified. This check should be moved to CEL validation on the API types so that users get faster feedback (at admission time rather than at translation time).

Expected Behavior

Investigate whether CEL/field validation can be used here instead of the code check.

Steps to reproduce the bug

Reproducer:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: gwtest
spec:
  gatewayClassName: kgateway
  listeners:
  - name: https
    port: 8443
    protocol: HTTPS
    hostname: www.example.com
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: v1
kind: Service
metadata:
  name: example-svc
  namespace: gwtest
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: example
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-route
  namespace: gwtest
spec:
  parentRefs:
  - name: example-gateway
  rules:
  - backendRefs:
    - name: example-svc
      port: 80
---
apiVersion: gateway.kgateway.dev/v1alpha1
kind: BackendConfigPolicy
metadata:
  name: san-no-root-ca-policy
  namespace: gwtest
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: example-svc
  tls:
    # No secretRef, tlsFiles, or wellKnownCACertificates - no root CA provided
    insecureSkipVerify: false
    sni: "backend.example.com"
    # SAN verification specified but no root CA - should cause error
    verifySubjectAltName:
    - "backend.example.com"
    - "alt.backend.example.com"
```

See comments on the individual fields.
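
One shape the requested CEL rule could take on the API type, added here as an illustration and not kgateway's actual code: the `TLS` struct, the placeholder `SecretRef`/`TLSFiles` types and the marker wording are assumptions, while the field names come from the reproducer above. The Go function restates the same predicate so the rule's intent can be exercised against the reproducer's `spec.tls` without a cluster.

```go
package main

import "fmt"

// Placeholder types standing in for the reproducer's secretRef and tlsFiles
// fields (assumed shape, not kgateway's real types).
type SecretRef struct{ Name string }
type TLSFiles struct{ RootCA string }

// TLS mirrors the spec.tls block from the reproducer. The XValidation marker is
// the CEL rule that would replace the runtime check in tls.go: when
// verifySubjectAltName is present and non-empty, at least one root-CA source
// (secretRef, tlsFiles or wellKnownCACertificates) must also be set.
// +kubebuilder:validation:XValidation:rule="!has(self.verifySubjectAltName) || size(self.verifySubjectAltName) == 0 || has(self.secretRef) || has(self.tlsFiles) || has(self.wellKnownCACertificates)",message="verifySubjectAltName requires a root CA via secretRef, tlsFiles, or wellKnownCACertificates"
type TLS struct {
	SecretRef               *SecretRef `json:"secretRef,omitempty"`
	TLSFiles                *TLSFiles  `json:"tlsFiles,omitempty"`
	WellKnownCACertificates *string    `json:"wellKnownCACertificates,omitempty"`
	InsecureSkipVerify      *bool      `json:"insecureSkipVerify,omitempty"`
	SNI                     string     `json:"sni,omitempty"`
	VerifySubjectAltName    []string   `json:"verifySubjectAltName,omitempty"`
}

// hasRootCA reports whether any root-CA source is configured.
func hasRootCA(t TLS) bool {
	return t.SecretRef != nil || t.TLSFiles != nil || t.WellKnownCACertificates != nil
}

// validateTLS evaluates the same predicate as the CEL rule above in Go; the
// error message matches the marker's message so both paths read the same.
func validateTLS(t TLS) error {
	if len(t.VerifySubjectAltName) > 0 && !hasRootCA(t) {
		return fmt.Errorf("verifySubjectAltName requires a root CA via secretRef, tlsFiles, or wellKnownCACertificates")
	}
	return nil
}

func main() {
	// The reproducer's spec.tls: SNI and SAN list set, no root CA source.
	off := false
	repro := TLS{
		InsecureSkipVerify:   &off,
		SNI:                  "backend.example.com",
		VerifySubjectAltName: []string{"backend.example.com", "alt.backend.example.com"},
	}
	fmt.Println("reproducer:", validateTLS(repro))   // rejected
	repro.SecretRef = &SecretRef{Name: "backend-ca"} // constructed fix
	fmt.Println("with secretRef:", validateTLS(repro)) // accepted
}
```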

Additional Environment Detail

No response

Additional Context

No response

Status: Backlog

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests