From 4d954671969cf9e6eb0bb798560152efcf6a3722 Mon Sep 17 00:00:00 2001 From: Katarzyna Lach Date: Thu, 21 Aug 2025 10:01:44 +0000 Subject: [PATCH 1/2] Move BackendTLS configuration to GatewayTLSConfig --- apis/v1/gateway_types.go | 34 +- apis/v1/zz_generated.deepcopy.go | 16 +- applyconfiguration/apis/v1/gatewayspec.go | 9 - applyconfiguration/apis/v1/tlsconfig.go | 9 + applyconfiguration/internal/internal.go | 7 +- .../gateway.networking.k8s.io_gateways.yaml | 408 +++++++++++------- geps/gep-3155/index.md | 17 +- pkg/generated/openapi/zz_generated.openapi.go | 26 +- 8 files changed, 326 insertions(+), 200 deletions(-) diff --git a/apis/v1/gateway_types.go b/apis/v1/gateway_types.go index e85e81ba48..1fa9b150a7 100644 --- a/apis/v1/gateway_types.go +++ b/apis/v1/gateway_types.go @@ -279,15 +279,6 @@ type GatewaySpec struct { // +optional Infrastructure *GatewayInfrastructure `json:"infrastructure,omitempty"` - // BackendTLS configures TLS settings for when this Gateway is connecting to - // backends with TLS. - // - // Support: Core - // - // +optional - // - BackendTLS *GatewayBackendTLS `json:"backendTLS,omitempty"` - // AllowedListeners defines which ListenerSets can be attached to this Gateway. // While this feature is experimental, the default value is to allow no ListenerSets. // @@ -296,7 +287,7 @@ type GatewaySpec struct { // +optional AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"` // - // GatewayTLSConfig specifies frontend tls configuration for gateway. + // GatewayTLSConfig specifies frontend and backend tls configuration for gateway. // // Support: Extended // 
@@ -602,11 +593,11 @@ type ListenerTLSConfig struct { Options map[AnnotationKey]AnnotationValue `json:"options,omitempty"` } -// GatewayTLSConfig specifies frontend tls configuration for gateway. +// GatewayTLSConfig specifies frontend and backend tls configuration for gateway. type GatewayTLSConfig struct { - // Default specifies the default client certificate validation configuration - // for all Listeners handling HTTPS traffic, unless a per-port configuration - // is defined. + // Default specifies the default TLS configuration for the Gateway handling + // HTTPS traffic. + // Default FrontendTLS can be override with per-port configuration. // // support: Core // @@ -650,8 +641,7 @@ const ( ) // TLSConfig describes TLS configuration that can apply to multiple Listeners -// within this Gateway. Currently, it stores only the client certificate validation -// configuration, but this may be extended in the future. +// within this Gateway. type TLSConfig struct { // FrontendValidation holds configuration information for validating the frontend (client). // Setting this field will result in mutual authentication when connecting to the gateway. @@ -661,9 +651,17 @@ type TLSConfig struct { // // Support: Core // - // +required + // +optional + // + FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"` + + // GatewayBackendTLS describes TLS configuration for gateway when connecting + // to backends. + // Support: Core + // + // +optional // - FrontendValidation FrontendTLSValidation `json:"frontendValidation"` + BackendValidation *GatewayBackendTLS `json:"backendValidation,omitempty"` } type TLSPortConfig struct { diff --git a/apis/v1/zz_generated.deepcopy.go b/apis/v1/zz_generated.deepcopy.go index 6bbf75ba62..bcdc2bbe89 100644 --- a/apis/v1/zz_generated.deepcopy.go +++ b/apis/v1/zz_generated.deepcopy.go 
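Review bot: Relaxing `FrontendValidation` from `+required` to `+optional` in the third hunk leaves the API silent on what an empty `TLSConfig` means, and that matters most for `perPort` entries: `TLSPortConfig.TLS` can now validate as `{}`, and a reader cannot tell whether that port inherits `Default`'s client certificate validation or has it switched off. The second reading silently disables mTLS on a single port, so the intended semantics should be stated on the field, e.g. `// When unset in a per-port entry, the Default validation applies; an empty per-port entry does not disable client certificate validation.` if inheritance is intended, or a CEL rule on `TLSPortConfig` requiring the field if an empty override is never meaningful. The same gap remains after PATCH 2/2 renames the field to `Validation` (the `@@ -653,15 +675,7 @@` hunk), and the CRD hunks that drop `required: - frontendValidation` under `perPort` are where admission stops catching it.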
@@ -777,11 +777,6 @@ func (in *GatewaySpec) DeepCopyInto(out *GatewaySpec) { *out = new(GatewayInfrastructure) (*in).DeepCopyInto(*out) } - if in.BackendTLS != nil { - in, out := &in.BackendTLS, &out.BackendTLS - *out = new(GatewayBackendTLS) - (*in).DeepCopyInto(*out) - } if in.AllowedListeners != nil { in, out := &in.AllowedListeners, &out.AllowedListeners *out = new(AllowedListeners) @@ -1962,7 +1957,16 @@ func (in *SupportedFeature) DeepCopy() *SupportedFeature { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSConfig) DeepCopyInto(out *TLSConfig) { *out = *in - in.FrontendValidation.DeepCopyInto(&out.FrontendValidation) + if in.FrontendValidation != nil { + in, out := &in.FrontendValidation, &out.FrontendValidation + *out = new(FrontendTLSValidation) + (*in).DeepCopyInto(*out) + } + if in.BackendValidation != nil { + in, out := &in.BackendValidation, &out.BackendValidation + *out = new(GatewayBackendTLS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig. diff --git a/applyconfiguration/apis/v1/gatewayspec.go b/applyconfiguration/apis/v1/gatewayspec.go index b123a40f9c..e976dc4827 100644 --- a/applyconfiguration/apis/v1/gatewayspec.go +++ b/applyconfiguration/apis/v1/gatewayspec.go @@ -29,7 +29,6 @@ type GatewaySpecApplyConfiguration struct { Listeners []ListenerApplyConfiguration `json:"listeners,omitempty"` Addresses []GatewaySpecAddressApplyConfiguration `json:"addresses,omitempty"` Infrastructure *GatewayInfrastructureApplyConfiguration `json:"infrastructure,omitempty"` - BackendTLS *GatewayBackendTLSApplyConfiguration `json:"backendTLS,omitempty"` AllowedListeners *AllowedListenersApplyConfiguration `json:"allowedListeners,omitempty"` TLS *GatewayTLSConfigApplyConfiguration `json:"tls,omitempty"` } 
@@ -82,14 +81,6 @@ func (b *GatewaySpecApplyConfiguration) WithInfrastructure(value *GatewayInfrast return b } -// WithBackendTLS sets the BackendTLS field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the BackendTLS field is set to the value of the last call. -func (b *GatewaySpecApplyConfiguration) WithBackendTLS(value *GatewayBackendTLSApplyConfiguration) *GatewaySpecApplyConfiguration { - b.BackendTLS = value - return b -} - // WithAllowedListeners sets the AllowedListeners field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the AllowedListeners field is set to the value of the last call. diff --git a/applyconfiguration/apis/v1/tlsconfig.go b/applyconfiguration/apis/v1/tlsconfig.go index 1dfa5e024e..ba7378c5cd 100644 --- a/applyconfiguration/apis/v1/tlsconfig.go +++ b/applyconfiguration/apis/v1/tlsconfig.go @@ -22,6 +22,7 @@ package v1 // with apply. type TLSConfigApplyConfiguration struct { FrontendValidation *FrontendTLSValidationApplyConfiguration `json:"frontendValidation,omitempty"` + BackendValidation *GatewayBackendTLSApplyConfiguration `json:"backendValidation,omitempty"` } // TLSConfigApplyConfiguration constructs a declarative configuration of the TLSConfig type for use with 
@@ -37,3 +38,11 @@ func (b *TLSConfigApplyConfiguration) WithFrontendValidation(value *FrontendTLSV b.FrontendValidation = value return b } + +// WithBackendValidation sets the BackendValidation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the BackendValidation field is set to the value of the last call. +func (b *TLSConfigApplyConfiguration) WithBackendValidation(value *GatewayBackendTLSApplyConfiguration) *TLSConfigApplyConfiguration { + b.BackendValidation = value + return b +} diff --git a/applyconfiguration/internal/internal.go b/applyconfiguration/internal/internal.go index 953f2863cd..31d7f8ea32 100644 --- a/applyconfiguration/internal/internal.go +++ b/applyconfiguration/internal/internal.go @@ -598,9 +598,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: allowedListeners type: namedType: io.k8s.sigs.gateway-api.apis.v1.AllowedListeners - - name: backendTLS - type: - namedType: io.k8s.sigs.gateway-api.apis.v1.GatewayBackendTLS - name: gatewayClassName type: scalar: string @@ -1311,10 +1308,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.sigs.gateway-api.apis.v1.TLSConfig map: fields: + - name: backendValidation + type: + namedType: io.k8s.sigs.gateway-api.apis.v1.GatewayBackendTLS - name: frontendValidation type: namedType: io.k8s.sigs.gateway-api.apis.v1.FrontendTLSValidation - default: {} - name: io.k8s.sigs.gateway-api.apis.v1.TLSPortConfig map: fields: diff --git a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml index f04f7b978a..a82c099b80 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml 
@@ -215,70 +215,6 @@ spec: x-kubernetes-map-type: atomic type: object type: object - backendTLS: - description: |- - BackendTLS configures TLS settings for when this Gateway is connecting to - backends with TLS. - - Support: Core - properties: - clientCertificateRef: - description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - This setting can be overridden on the service level by use of BackendTLSPolicy. - - Support: Core - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
- - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a 
@@ -970,18 +906,82 @@ spec: == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' tls: description: |- - GatewayTLSConfig specifies frontend tls configuration for gateway. + GatewayTLSConfig specifies frontend and backend tls configuration for gateway. Support: Extended properties: default: description: |- - Default specifies the default client certificate validation configuration - for all Listeners handling HTTPS traffic, unless a per-port configuration - is defined. + Default specifies the default TLS configuration for the Gateway handling + HTTPS traffic. + Default FrontendTLS can be override with per-port configuration. support: Core properties: + backendValidation: + description: |- + GatewayBackendTLS describes TLS configuration for gateway when connecting + to backends. + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object frontendValidation: description: |- FrontendValidation holds configuration information for validating the frontend (client). @@ -1095,8 +1095,6 @@ spec: required: - caCertificateRefs type: object - required: - - frontendValidation type: object perPort: description: |- 
@@ -1127,6 +1125,70 @@ spec: Support: Core properties: + backendValidation: + description: |- + GatewayBackendTLS describes TLS configuration for gateway when connecting + to backends. + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For + example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object frontendValidation: description: |- FrontendValidation holds configuration information for validating the frontend (client). @@ -1240,8 +1302,6 @@ spec: required: - caCertificateRefs type: object - required: - - frontendValidation type: object required: - port 
@@ -1762,70 +1822,6 @@ spec: x-kubernetes-map-type: atomic type: object type: object - backendTLS: - description: |- - BackendTLS configures TLS settings for when this Gateway is connecting to - backends with TLS. - - Support: Core - properties: - clientCertificateRef: - description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - This setting can be overridden on the service level by use of BackendTLSPolicy. - - Support: Core - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
- - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a 
@@ -2517,18 +2513,82 @@ spec: == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' tls: description: |- - GatewayTLSConfig specifies frontend tls configuration for gateway. + GatewayTLSConfig specifies frontend and backend tls configuration for gateway. Support: Extended properties: default: description: |- - Default specifies the default client certificate validation configuration - for all Listeners handling HTTPS traffic, unless a per-port configuration - is defined. + Default specifies the default TLS configuration for the Gateway handling + HTTPS traffic. + Default FrontendTLS can be override with per-port configuration. support: Core properties: + backendValidation: + description: |- + GatewayBackendTLS describes TLS configuration for gateway when connecting + to backends. + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object frontendValidation: description: |- FrontendValidation holds configuration information for validating the frontend (client). @@ -2642,8 +2702,6 @@ spec: required: - caCertificateRefs type: object - required: - - frontendValidation type: object perPort: description: |- 
@@ -2674,6 +2732,70 @@ spec: Support: Core properties: + backendValidation: + description: |- + GatewayBackendTLS describes TLS configuration for gateway when connecting + to backends. + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For + example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object frontendValidation: description: |- FrontendValidation holds configuration information for validating the frontend (client). @@ -2787,8 +2909,6 @@ spec: required: - caCertificateRefs type: object - required: - - frontendValidation type: object required: - port diff --git a/geps/gep-3155/index.md b/geps/gep-3155/index.md index b75b64cccf..41477c2266 100644 --- a/geps/gep-3155/index.md +++ b/geps/gep-3155/index.md @@ -43,13 +43,20 @@ Specifying credentials at the gateway level is the default operation mode, where backends will be presented with a single gateway certificate. Per-service overrides are subject for consideration as the future work. -**1. Add a new `BackendTLS` field at the top level of Gateways** +**1. Add a new `BackendValidation` field at TLSConfig struct located in GatewayTLSConfig.Default field** ```go -type GatewaySpec struct { - // BackendTLS configures TLS settings for when this Gateway is connecting to - // backends with TLS. - BackendTLS GatewayBackendTLS `json:"backendTLS,omitempty"'` +// TLSConfig describes TLS configuration that can apply to multiple Listeners +// within this Gateway. +type TLSConfig struct { + ... + // GatewayBackendTLS describes TLS configuration for gateway when connecting + // to backends. + // Support: Core + // + // +optional + // + BackendValidation *GatewayBackendTLS `json:"backendValidation,omitempty"` } type GatewayBackendTLS struct { // ClientCertificateRef is a reference to an object that contains a Client diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 588319b36e..d2e943f9fe 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go 
@@ -4149,12 +4149,6 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewaySpec(ref common.ReferenceCallba Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayInfrastructure"), }, }, - "backendTLS": { - SchemaProps: spec.SchemaProps{ - Description: "BackendTLS configures TLS settings for when this Gateway is connecting to backends with TLS.\n\nSupport: Core\n\n", - Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"), - }, - }, "allowedListeners": { SchemaProps: spec.SchemaProps{ Description: "AllowedListeners defines which ListenerSets can be attached to this Gateway. While this feature is experimental, the default value is to allow no ListenerSets.\n\n", @@ -4163,7 +4157,7 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewaySpec(ref common.ReferenceCallba }, "tls": { SchemaProps: spec.SchemaProps{ - Description: "GatewayTLSConfig specifies frontend tls configuration for gateway.\n\nSupport: Extended\n\n", + Description: "GatewayTLSConfig specifies frontend and backend tls configuration for gateway.\n\nSupport: Extended\n\n", Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayTLSConfig"), }, }, @@ -4172,7 +4166,7 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewaySpec(ref common.ReferenceCallba }, }, Dependencies: []string{ - "sigs.k8s.io/gateway-api/apis/v1.AllowedListeners", "sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS", "sigs.k8s.io/gateway-api/apis/v1.GatewayInfrastructure", "sigs.k8s.io/gateway-api/apis/v1.GatewaySpecAddress", "sigs.k8s.io/gateway-api/apis/v1.GatewayTLSConfig", "sigs.k8s.io/gateway-api/apis/v1.Listener"}, + "sigs.k8s.io/gateway-api/apis/v1.AllowedListeners", "sigs.k8s.io/gateway-api/apis/v1.GatewayInfrastructure", "sigs.k8s.io/gateway-api/apis/v1.GatewaySpecAddress", "sigs.k8s.io/gateway-api/apis/v1.GatewayTLSConfig", "sigs.k8s.io/gateway-api/apis/v1.Listener"}, } } 
@@ -4314,12 +4308,12 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewayTLSConfig(ref common.ReferenceC return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GatewayTLSConfig specifies frontend tls configuration for gateway.", + Description: "GatewayTLSConfig specifies frontend and backend tls configuration for gateway.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "default": { SchemaProps: spec.SchemaProps{ - Description: "Default specifies the default client certificate validation configuration for all Listeners handling HTTPS traffic, unless a per-port configuration is defined.\n\nsupport: Core\n\n", + Description: "Default specifies the default TLS configuration for the Gateway handling HTTPS traffic. Default FrontendTLS can be override with per-port configuration.\n\nsupport: Core\n\n", Default: map[string]interface{}{}, Ref: ref("sigs.k8s.io/gateway-api/apis/v1.TLSConfig"), }, 
@@ -6227,22 +6221,26 @@ func schema_sigsk8sio_gateway_api_apis_v1_TLSConfig(ref common.ReferenceCallback return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TLSConfig describes TLS configuration that can apply to multiple Listeners within this Gateway. Currently, it stores only the client certificate validation configuration, but this may be extended in the future.", + Description: "TLSConfig describes TLS configuration that can apply to multiple Listeners within this Gateway.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "frontendValidation": { SchemaProps: spec.SchemaProps{ Description: "FrontendValidation holds configuration information for validating the frontend (client). Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific.\n\nSupport: Core\n\n", - Default: map[string]interface{}{}, Ref: ref("sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation"), }, }, + "backendValidation": { + SchemaProps: spec.SchemaProps{ + Description: "GatewayBackendTLS describes TLS configuration for gateway when connecting to backends. Support: Core\n\n", + Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"), + }, + }, }, - Required: []string{"frontendValidation"}, }, }, Dependencies: []string{ - "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation"}, + "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation", "sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"}, } } From eb7f375b0ad2b0a7a17c840a5aa1320a64d4dff5 Mon Sep 17 00:00:00 2001 
From: Katarzyna Lach Date: Fri, 22 Aug 2025 07:21:08 +0000 Subject: [PATCH 2/2] review --- apis/v1/gateway_types.go | 48 +- apis/v1/zz_generated.deepcopy.go | 48 +- .../apis/v1/frontendtlsconfig.go | 53 + .../apis/v1/gatewaytlsconfig.go | 27 +- applyconfiguration/apis/v1/tlsconfig.go | 19 +- applyconfiguration/internal/internal.go | 34 +- applyconfiguration/utils.go | 2 + .../gateway.networking.k8s.io_gateways.yaml | 1234 ++++++++--------- examples/experimental/backend-tls.yaml | 18 + .../frontend-cert-validation.yaml | 31 +- pkg/generated/openapi/zz_generated.openapi.go | 96 +- 11 files changed, 820 insertions(+), 790 deletions(-) create mode 100644 applyconfiguration/apis/v1/frontendtlsconfig.go create mode 100644 examples/experimental/backend-tls.yaml diff --git a/apis/v1/gateway_types.go b/apis/v1/gateway_types.go index 1fa9b150a7..652101ff76 100644 --- a/apis/v1/gateway_types.go +++ b/apis/v1/gateway_types.go @@ -287,7 +287,7 @@ type GatewaySpec struct { // +optional AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"` // - // GatewayTLSConfig specifies frontend and backend tls configuration for gateway. + // TLS specifies frontend and backend tls configuration for entire gateway. // // Support: Extended // @@ -516,8 +516,6 @@ type GatewayBackendTLS struct { // ClientCertificateRef can reference to standard Kubernetes resources, i.e. // Secret, or implementation-specific custom resources. // - // This setting can be overridden on the service level by use of BackendTLSPolicy. - // // Support: Core // // +optional 
@@ -595,9 +593,32 @@ type ListenerTLSConfig struct { // GatewayTLSConfig specifies frontend and backend tls configuration for gateway. type GatewayTLSConfig struct { - // Default specifies the default TLS configuration for the Gateway handling - // HTTPS traffic. - // Default FrontendTLS can be override with per-port configuration. + // Backend describes TLS configuration for gateway when connecting + // to backends. + // + // Note that this contains only details for the Gateway as a TLS client, + // and does _not_ imply behavior about how to choose which backend should + // get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + // + // Support: Core + // + // +optional + // + Backend *GatewayBackendTLS `json:"backend,omitempty"` + + // Frontend describes TLS config when client connects to Gateway. + // Support: Core + // + // +optional + // + Frontend *FrontendTLSConfig `json:"frontend,omitempty"` +} + +// FrontendTLSConfig specifies frontend tls configuration for gateway. +type FrontendTLSConfig struct { + // Default specifies the default client certificate validation configuration + // for all Listeners handling HTTPS traffic, unless a per-port configuration + // is defined. // // support: Core // @@ -641,9 +662,10 @@ const ( ) // TLSConfig describes TLS configuration that can apply to multiple Listeners -// within this Gateway. +// within this Gateway. Currently, it stores only the client certificate validation +// configuration, but this may be extended in the future. type TLSConfig struct { - // FrontendValidation holds configuration information for validating the frontend (client). + // Validation holds configuration information for validating the frontend (client). // Setting this field will result in mutual authentication when connecting to the gateway. // In browsers this may result in a dialog appearing // that requests a user to specify the client certificate. 
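Review bot: The new `Frontend` field's doc comment runs `// Frontend describes TLS config when client connects to Gateway.` straight into `// Support: Core` with no blank `//` line between them, unlike the sibling `Backend` comment a few lines up; the generators concatenate such comments into one sentence, and PATCH 1/2's openapi hunk shows the result for the same pattern (`...connecting to backends. Support: Core\n\n`). Insert the separator, `// Frontend describes TLS config when client connects to Gateway.` / `//` / `// Support: Core`, before regenerating. The `FrontendTLSConfig` struct this hunk introduces continues past the hunk, so whether `Default` keeps the `+required` marker it presumably had on the old `GatewayTLSConfig` cannot be checked from here.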
@@ -653,15 +675,7 @@ type TLSConfig struct { // // +optional // - FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"` - - // GatewayBackendTLS describes TLS configuration for gateway when connecting - // to backends. - // Support: Core - // - // +optional - // - BackendValidation *GatewayBackendTLS `json:"backendValidation,omitempty"` + Validation *FrontendTLSValidation `json:"validation,omitempty"` } type TLSPortConfig struct { diff --git a/apis/v1/zz_generated.deepcopy.go b/apis/v1/zz_generated.deepcopy.go index bcdc2bbe89..bcbf489072 100644 --- a/apis/v1/zz_generated.deepcopy.go +++ b/apis/v1/zz_generated.deepcopy.go @@ -205,6 +205,29 @@ func (in *Fraction) DeepCopy() *Fraction { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FrontendTLSConfig) DeepCopyInto(out *FrontendTLSConfig) { + *out = *in + in.Default.DeepCopyInto(&out.Default) + if in.PerPort != nil { + in, out := &in.PerPort, &out.PerPort + *out = make([]TLSPortConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrontendTLSConfig. +func (in *FrontendTLSConfig) DeepCopy() *FrontendTLSConfig { + if in == nil { + return nil + } + out := new(FrontendTLSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FrontendTLSValidation) DeepCopyInto(out *FrontendTLSValidation) { *out = *in 
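Review bot: After this hunk `TLSConfig` holds a single optional pointer, `Validation *FrontendTLSValidation` with `omitempty`, so an empty `tls: {}` entry under `perPort` is schema-valid, and the PerPort doc in this patch says a per-port entry overrides the default configuration for Listeners on that port. Whether such an entry inherits the default client-certificate validation or switches it off for that port is therefore unspecified, and the second reading would silently drop mTLS on a port; the generated CRD for `frontend.default` in this patch closes the object with no `required` entry. Either reject the empty object with `// +kubebuilder:validation:MinProperties=1` on the struct, or document the rule on `Validation`, e.g. `// When unset in a per-port entry, no client certificate validation is applied to that port.` (or the inverse, if inheritance is intended). The JSON key rename from `frontendValidation` to `validation` follows the field moves in patch 1/2, so it is presumably the same pre-release churn rather than a compatibility concern.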
@@ -878,13 +901,15 @@ func (in *GatewayStatusAddress) DeepCopy() *GatewayStatusAddress { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GatewayTLSConfig) DeepCopyInto(out *GatewayTLSConfig) { *out = *in - in.Default.DeepCopyInto(&out.Default) - if in.PerPort != nil { - in, out := &in.PerPort, &out.PerPort - *out = make([]TLSPortConfig, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(GatewayBackendTLS) + (*in).DeepCopyInto(*out) + } + if in.Frontend != nil { + in, out := &in.Frontend, &out.Frontend + *out = new(FrontendTLSConfig) + (*in).DeepCopyInto(*out) } } @@ -1957,16 +1982,11 @@ func (in *SupportedFeature) DeepCopy() *SupportedFeature { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSConfig) DeepCopyInto(out *TLSConfig) { *out = *in - if in.FrontendValidation != nil { - in, out := &in.FrontendValidation, &out.FrontendValidation + if in.Validation != nil { + in, out := &in.Validation, &out.Validation *out = new(FrontendTLSValidation) (*in).DeepCopyInto(*out) } - if in.BackendValidation != nil { - in, out := &in.BackendValidation, &out.BackendValidation - *out = new(GatewayBackendTLS) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig. diff --git a/applyconfiguration/apis/v1/frontendtlsconfig.go b/applyconfiguration/apis/v1/frontendtlsconfig.go new file mode 100644 index 0000000000..4cf8464927 --- /dev/null +++ b/applyconfiguration/apis/v1/frontendtlsconfig.go 
@@ -0,0 +1,53 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// FrontendTLSConfigApplyConfiguration represents a declarative configuration of the FrontendTLSConfig type for use +// with apply. +type FrontendTLSConfigApplyConfiguration struct { + Default *TLSConfigApplyConfiguration `json:"default,omitempty"` + PerPort []TLSPortConfigApplyConfiguration `json:"perPort,omitempty"` +} + +// FrontendTLSConfigApplyConfiguration constructs a declarative configuration of the FrontendTLSConfig type for use with +// apply. +func FrontendTLSConfig() *FrontendTLSConfigApplyConfiguration { + return &FrontendTLSConfigApplyConfiguration{} +} + +// WithDefault sets the Default field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Default field is set to the value of the last call. +func (b *FrontendTLSConfigApplyConfiguration) WithDefault(value *TLSConfigApplyConfiguration) *FrontendTLSConfigApplyConfiguration { + b.Default = value + return b +} + +// WithPerPort adds the given value to the PerPort field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the PerPort field. 
+func (b *FrontendTLSConfigApplyConfiguration) WithPerPort(values ...*TLSPortConfigApplyConfiguration) *FrontendTLSConfigApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithPerPort") + } + b.PerPort = append(b.PerPort, *values[i]) + } + return b +} diff --git a/applyconfiguration/apis/v1/gatewaytlsconfig.go b/applyconfiguration/apis/v1/gatewaytlsconfig.go index dbd3f443b1..4ec825dbee 100644 --- a/applyconfiguration/apis/v1/gatewaytlsconfig.go +++ b/applyconfiguration/apis/v1/gatewaytlsconfig.go @@ -21,8 +21,8 @@ package v1 // GatewayTLSConfigApplyConfiguration represents a declarative configuration of the GatewayTLSConfig type for use // with apply. type GatewayTLSConfigApplyConfiguration struct { - Default *TLSConfigApplyConfiguration `json:"default,omitempty"` - PerPort []TLSPortConfigApplyConfiguration `json:"perPort,omitempty"` + Backend *GatewayBackendTLSApplyConfiguration `json:"backend,omitempty"` + Frontend *FrontendTLSConfigApplyConfiguration `json:"frontend,omitempty"` } // GatewayTLSConfigApplyConfiguration constructs a declarative configuration of the GatewayTLSConfig type for use with 
@@ -31,23 +31,18 @@ func GatewayTLSConfig() *GatewayTLSConfigApplyConfiguration { return &GatewayTLSConfigApplyConfiguration{} } -// WithDefault sets the Default field in the declarative configuration to the given value +// WithBackend sets the Backend field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Default field is set to the value of the last call. -func (b *GatewayTLSConfigApplyConfiguration) WithDefault(value *TLSConfigApplyConfiguration) *GatewayTLSConfigApplyConfiguration { - b.Default = value +// If called multiple times, the Backend field is set to the value of the last call. +func (b *GatewayTLSConfigApplyConfiguration) WithBackend(value *GatewayBackendTLSApplyConfiguration) *GatewayTLSConfigApplyConfiguration { + b.Backend = value return b } -// WithPerPort adds the given value to the PerPort field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the PerPort field. -func (b *GatewayTLSConfigApplyConfiguration) WithPerPort(values ...*TLSPortConfigApplyConfiguration) *GatewayTLSConfigApplyConfiguration { - for i := range values { - if values[i] == nil { - panic("nil value passed to WithPerPort") - } - b.PerPort = append(b.PerPort, *values[i]) - } +// WithFrontend sets the Frontend field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Frontend field is set to the value of the last call. +func (b *GatewayTLSConfigApplyConfiguration) WithFrontend(value *FrontendTLSConfigApplyConfiguration) *GatewayTLSConfigApplyConfiguration { + b.Frontend = value return b } 
diff --git a/applyconfiguration/apis/v1/tlsconfig.go b/applyconfiguration/apis/v1/tlsconfig.go index ba7378c5cd..99a42ca482 100644 --- a/applyconfiguration/apis/v1/tlsconfig.go +++ b/applyconfiguration/apis/v1/tlsconfig.go @@ -21,8 +21,7 @@ package v1 // TLSConfigApplyConfiguration represents a declarative configuration of the TLSConfig type for use // with apply. type TLSConfigApplyConfiguration struct { - FrontendValidation *FrontendTLSValidationApplyConfiguration `json:"frontendValidation,omitempty"` - BackendValidation *GatewayBackendTLSApplyConfiguration `json:"backendValidation,omitempty"` + Validation *FrontendTLSValidationApplyConfiguration `json:"validation,omitempty"` } // TLSConfigApplyConfiguration constructs a declarative configuration of the TLSConfig type for use with 
@@ -31,18 +30,10 @@ func TLSConfig() *TLSConfigApplyConfiguration { return &TLSConfigApplyConfiguration{} } -// WithFrontendValidation sets the FrontendValidation field in the declarative configuration to the given value +// WithValidation sets the Validation field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the FrontendValidation field is set to the value of the last call. -func (b *TLSConfigApplyConfiguration) WithFrontendValidation(value *FrontendTLSValidationApplyConfiguration) *TLSConfigApplyConfiguration { - b.FrontendValidation = value - return b -} - -// WithBackendValidation sets the BackendValidation field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the BackendValidation field is set to the value of the last call. -func (b *TLSConfigApplyConfiguration) WithBackendValidation(value *GatewayBackendTLSApplyConfiguration) *TLSConfigApplyConfiguration { - b.BackendValidation = value +// If called multiple times, the Validation field is set to the value of the last call. +func (b *TLSConfigApplyConfiguration) WithValidation(value *FrontendTLSValidationApplyConfiguration) *TLSConfigApplyConfiguration { + b.Validation = value return b } diff --git a/applyconfiguration/internal/internal.go b/applyconfiguration/internal/internal.go index 31d7f8ea32..974c4bd20f 100644 --- a/applyconfiguration/internal/internal.go +++ b/applyconfiguration/internal/internal.go 
@@ -304,6 +304,21 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: numeric default: 0 +- name: io.k8s.sigs.gateway-api.apis.v1.FrontendTLSConfig + map: + fields: + - name: default + type: + namedType: io.k8s.sigs.gateway-api.apis.v1.TLSConfig + default: {} + - name: perPort + type: + list: + elementType: + namedType: io.k8s.sigs.gateway-api.apis.v1.TLSPortConfig + elementRelationship: associative + keys: + - port - name: io.k8s.sigs.gateway-api.apis.v1.FrontendTLSValidation map: fields: @@ -663,18 +678,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.sigs.gateway-api.apis.v1.GatewayTLSConfig map: fields: - - name: default + - name: backend type: - namedType: io.k8s.sigs.gateway-api.apis.v1.TLSConfig - default: {} - - name: perPort + namedType: io.k8s.sigs.gateway-api.apis.v1.GatewayBackendTLS + - name: frontend type: - list: - elementType: - namedType: io.k8s.sigs.gateway-api.apis.v1.TLSPortConfig - elementRelationship: associative - keys: - - port + namedType: io.k8s.sigs.gateway-api.apis.v1.FrontendTLSConfig - name: io.k8s.sigs.gateway-api.apis.v1.HTTPAuthConfig map: fields: @@ -1308,10 +1317,7 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.sigs.gateway-api.apis.v1.TLSConfig map: fields: - - name: backendValidation - type: - namedType: io.k8s.sigs.gateway-api.apis.v1.GatewayBackendTLS - - name: frontendValidation + - name: validation type: namedType: io.k8s.sigs.gateway-api.apis.v1.FrontendTLSValidation - name: io.k8s.sigs.gateway-api.apis.v1.TLSPortConfig diff --git a/applyconfiguration/utils.go b/applyconfiguration/utils.go index 5acafbc2c1..274736cd6c 100644 --- a/applyconfiguration/utils.go +++ b/applyconfiguration/utils.go 
@@ -56,6 +56,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &apisv1.ForwardBodyConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("Fraction"): return &apisv1.FractionApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("FrontendTLSConfig"): + return &apisv1.FrontendTLSConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FrontendTLSValidation"): return &apisv1.FrontendTLSValidationApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("Gateway"): diff --git a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml index a82c099b80..6e154e9548 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml 
@@ -906,261 +906,144 @@ spec: == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' tls: description: |- - GatewayTLSConfig specifies frontend and backend tls configuration for gateway. + TLS specifies frontend and backend tls configuration for entire gateway. Support: Extended properties: - default: + backend: description: |- - Default specifies the default TLS configuration for the Gateway handling - HTTPS traffic. - Default FrontendTLS can be override with per-port configuration. + Backend describes TLS configuration for gateway when connecting + to backends. - support: Core + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core properties: - backendValidation: + clientCertificateRef: description: |- - GatewayBackendTLS describes TLS configuration for gateway when connecting - to backends. - Support: Core - properties: - clientCertificateRef: - description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - This setting can be overridden on the service level by use of BackendTLSPolicy. - - Support: Core - properties: - group: - default: "" - description: |- - Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - frontendValidation: - description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will result in mutual authentication when connecting to the gateway. - In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. 
Support: Core properties: - caCertificateRefs: + group: + default: "" description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "ConfigMap" or "Service". 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - mode: - default: AllowValidOnly + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: description: |- - FrontendValidationMode defines the mode for validating the client certificate. - There are two possible modes: - - - AllowValidOnly: In this mode, the gateway will accept connections only if - the client presents a valid certificate. This certificate must successfully - pass validation against the CA certificates specified in `CACertificateRefs`. - - AllowInsecureFallback: In this mode, the gateway will accept connections - even if the client certificate is not presented or fails verification. + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. - This approach delegates client authorization to the backend and introduce - a significant security risk. It should be used in testing environments or - on a temporary basis in non-testing environments. - - Defaults to AllowValidOnly. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. Support: Core - enum: - - AllowValidOnly - - AllowInsecureFallback + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - - caCertificateRefs + - name type: object type: object - perPort: + frontend: description: |- - PerPort specifies tls configuration assigned per port. - Per port configuration is optional. Once set this configuration overrides - the default configuration for all Listeners handling HTTPS traffic - that match this port. - Each override port requires a unique TLS configuration. - - support: Core - items: - properties: - port: - description: |- - The Port indicates the Port Number to which the TLS configuration will be - applied. This configuration will be applied to all Listeners handling HTTPS - traffic that match this port. + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - tls: - description: |- - TLS store the configuration that will be applied to all Listeners handling - HTTPS traffic and matching given port. + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). 
+ Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. - Support: Core - properties: - backendValidation: - description: |- - GatewayBackendTLS describes TLS configuration for gateway when connecting - to backends. - Support: Core - properties: - clientCertificateRef: + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. 
If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + ObjectReference identifies an API object including its namespace. - This setting can be overridden on the service level by use of BackendTLSPolicy. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. - Support: Core + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. properties: group: - default: "" description: |- Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. + When set to the empty string, core API group is inferred. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Secret description: Kind is kind of the referent. For - example "Secret". + example "ConfigMap" or "Service". maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -1186,138 +1069,200 @@ spec: pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: + - group + - kind - name type: object - type: object - frontendValidation: + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will result in mutual authentication when connecting to the gateway. - In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. 
+ The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. Support: Core properties: - caCertificateRefs: + validation: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. 
+ The maximum depth of a certificate chain accepted in verification is Implementation specific. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - For example "ConfigMap" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. 
If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - mode: - default: AllowValidOnly - description: |- - FrontendValidationMode defines the mode for validating the client certificate. - There are two possible modes: + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: - - AllowValidOnly: In this mode, the gateway will accept connections only if - the client presents a valid certificate. This certificate must successfully - pass validation against the CA certificates specified in `CACertificateRefs`. - - AllowInsecureFallback: In this mode, the gateway will accept connections - even if the client certificate is not presented or fails verification. + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. - This approach delegates client authorization to the backend and introduce - a significant security risk. It should be used in testing environments or - on a temporary basis in non-testing environments. + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. - Defaults to AllowValidOnly. + Defaults to AllowValidOnly. 
- Support: Core - enum: - - AllowValidOnly - - AllowInsecureFallback - type: string - required: - - caCertificateRefs + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object type: object + required: + - port + - tls type: object - required: - - port - - tls - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: Port for TLS configuration must be unique within the - Gateway - rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) - required: - - default + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object type: object required: - gatewayClassName 
@@ -2513,261 +2458,144 @@ spec: == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' tls: description: |- - GatewayTLSConfig specifies frontend and backend tls configuration for gateway. + TLS specifies frontend and backend tls configuration for entire gateway. Support: Extended properties: - default: + backend: description: |- - Default specifies the default TLS configuration for the Gateway handling - HTTPS traffic. - Default FrontendTLS can be override with per-port configuration. + Backend describes TLS configuration for gateway when connecting + to backends. - support: Core + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core properties: - backendValidation: + clientCertificateRef: description: |- - GatewayBackendTLS describes TLS configuration for gateway when connecting - to backends. - Support: Core - properties: - clientCertificateRef: - description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - This setting can be overridden on the service level by use of BackendTLSPolicy. - - Support: Core - properties: - group: - default: "" - description: |- - Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - frontendValidation: - description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will result in mutual authentication when connecting to the gateway. - In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. 
Support: Core properties: - caCertificateRefs: + group: + default: "" description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "ConfigMap" or "Service". 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - mode: - default: AllowValidOnly + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: description: |- - FrontendValidationMode defines the mode for validating the client certificate. - There are two possible modes: - - - AllowValidOnly: In this mode, the gateway will accept connections only if - the client presents a valid certificate. This certificate must successfully - pass validation against the CA certificates specified in `CACertificateRefs`. - - AllowInsecureFallback: In this mode, the gateway will accept connections - even if the client certificate is not presented or fails verification. + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. - This approach delegates client authorization to the backend and introduce - a significant security risk. It should be used in testing environments or - on a temporary basis in non-testing environments. - - Defaults to AllowValidOnly. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. Support: Core - enum: - - AllowValidOnly - - AllowInsecureFallback + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - - caCertificateRefs + - name type: object type: object - perPort: + frontend: description: |- - PerPort specifies tls configuration assigned per port. - Per port configuration is optional. Once set this configuration overrides - the default configuration for all Listeners handling HTTPS traffic - that match this port. - Each override port requires a unique TLS configuration. - - support: Core - items: - properties: - port: - description: |- - The Port indicates the Port Number to which the TLS configuration will be - applied. This configuration will be applied to all Listeners handling HTTPS - traffic that match this port. + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - tls: - description: |- - TLS store the configuration that will be applied to all Listeners handling - HTTPS traffic and matching given port. + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). 
+ Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. - Support: Core - properties: - backendValidation: - description: |- - GatewayBackendTLS describes TLS configuration for gateway when connecting - to backends. - Support: Core - properties: - clientCertificateRef: + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. 
If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + ObjectReference identifies an API object including its namespace. - This setting can be overridden on the service level by use of BackendTLSPolicy. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. - Support: Core + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. properties: group: - default: "" description: |- Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. + When set to the empty string, core API group is inferred. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Secret description: Kind is kind of the referent. For - example "Secret". + example "ConfigMap" or "Service". maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -2793,138 +2621,200 @@ spec: pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: + - group + - kind - name type: object - type: object - frontendValidation: + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will result in mutual authentication when connecting to the gateway. - In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. 
+ The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. Support: Core properties: - caCertificateRefs: + validation: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. 
+ The maximum depth of a certificate chain accepted in verification is Implementation specific. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - For example "ConfigMap" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. 
If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - mode: - default: AllowValidOnly - description: |- - FrontendValidationMode defines the mode for validating the client certificate. - There are two possible modes: + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: - - AllowValidOnly: In this mode, the gateway will accept connections only if - the client presents a valid certificate. This certificate must successfully - pass validation against the CA certificates specified in `CACertificateRefs`. - - AllowInsecureFallback: In this mode, the gateway will accept connections - even if the client certificate is not presented or fails verification. + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. - This approach delegates client authorization to the backend and introduce - a significant security risk. It should be used in testing environments or - on a temporary basis in non-testing environments. + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. - Defaults to AllowValidOnly. + Defaults to AllowValidOnly. 
- Support: Core - enum: - - AllowValidOnly - - AllowInsecureFallback - type: string - required: - - caCertificateRefs + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object type: object + required: + - port + - tls type: object - required: - - port - - tls - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: Port for TLS configuration must be unique within the - Gateway - rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) - required: - - default + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object type: object required: - gatewayClassName diff --git a/examples/experimental/backend-tls.yaml b/examples/experimental/backend-tls.yaml new file mode 100644 index 0000000000..94b8be09c7 --- /dev/null +++ b/examples/experimental/backend-tls.yaml @@ -0,0 +1,18 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: backend-tls +spec: + gatewayClassName: acme-lb + tls: + backend: + clientCertificateRef: + kind: Secret + group: "" + name: foo-example-cert + listeners: + - name: foo-https + protocol: HTTP + port: 80 + hostname: foo.example.com +--- diff --git a/examples/experimental/frontend-cert-validation.yaml b/examples/experimental/frontend-cert-validation.yaml index a7a9d4a14d..34ada262b4 100644 --- a/examples/experimental/frontend-cert-validation.yaml +++ b/examples/experimental/frontend-cert-validation.yaml 
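Review bot: The new examples/experimental/backend-tls.yaml sets `tls.backend.clientCertificateRef` on a Gateway whose only listener is plain HTTP on port 80 and that ships with no accompanying BackendTLSPolicy. The CRD description changed in this same patch states that the backend block only describes the Gateway as a TLS client and that which backends actually get a TLS connection is determined by the presence of a BackendTLSPolicy, so as written nothing in this example would cause the certificate to be presented. If the file is deliberately limited to the Gateway side, a YAML comment above `backend:` such as `# Client certificate the Gateway presents to backends selected by a BackendTLSPolicy (not shown here)` would make that explicit for readers who copy the example. The sibling example names its Secret `foo-example-com-cert`; `foo-example-cert` here may be intentional but reads like a typo.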
@@ -5,12 +5,22 @@ metadata:
 spec:
 gatewayClassName: acme-lb
 tls:
- default:
- frontendValidation:
- caCertificateRefs:
- - kind: ConfigMap
- group: ""
- name: foo-example-com-ca-cert
+ frontend:
+ default:
+ validation:
+ caCertificateRefs:
+ - kind: ConfigMap
+ group: ""
+ name: foo-example-com-ca-cert
+ perPort:
+ - port: 8443
+ tls:
+ validation:
+ caCertificateRefs:
+ - kind: ConfigMap
+ group: ""
+ name: foo-example-com-ca-cert
+ mode: "AllowInsecureFallback"
 listeners:
 - name: foo-https
 protocol: HTTPS
@@ -21,5 +31,14 @@ spec:
 - kind: Secret
 group: ""
 name: foo-example-com-cert
+ - name: bar-https
+ protocol: HTTPS
+ port: 8443
+ hostname: bar.example.com
+ tls:
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: bar-example-com-cert
 ---
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index d2e943f9fe..1451e17d9e 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -90,6 +90,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "sigs.k8s.io/gateway-api/apis/v1.CookieConfig": schema_sigsk8sio_gateway_api_apis_v1_CookieConfig(ref), "sigs.k8s.io/gateway-api/apis/v1.ForwardBodyConfig": schema_sigsk8sio_gateway_api_apis_v1_ForwardBodyConfig(ref), "sigs.k8s.io/gateway-api/apis/v1.Fraction": schema_sigsk8sio_gateway_api_apis_v1_Fraction(ref), + "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSConfig": schema_sigsk8sio_gateway_api_apis_v1_FrontendTLSConfig(ref), "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation": schema_sigsk8sio_gateway_api_apis_v1_FrontendTLSValidation(ref), "sigs.k8s.io/gateway-api/apis/v1.GRPCAuthConfig": schema_sigsk8sio_gateway_api_apis_v1_GRPCAuthConfig(ref), "sigs.k8s.io/gateway-api/apis/v1.GRPCBackendRef": schema_sigsk8sio_gateway_api_apis_v1_GRPCBackendRef(ref),
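Review bot: The added `perPort` entry for 8443 sets `mode: "AllowInsecureFallback"` with no comment, although the CRD description in this patch says that mode accepts connections even when the client certificate is missing or fails verification and is intended for testing or temporary use. Examples tend to be copied verbatim, so the line should carry its own caveat: `mode: "AllowInsecureFallback" # accepts clients without a valid certificate; authorization then falls to the backend — testing/temporary use only`. The `default` block keeps the implicit `AllowValidOnly`, so the contrast between the two ports is presumably the point of the example; a short comment above `perPort:` saying so would make that intent explicit rather than leaving the weaker mode looking like a recommended setting.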
@@ -3113,6 +3114,51 @@ func schema_sigsk8sio_gateway_api_apis_v1_Fraction(ref common.ReferenceCallback) } } +func schema_sigsk8sio_gateway_api_apis_v1_FrontendTLSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "FrontendTLSConfig specifies frontend tls configuration for gateway.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "default": { + SchemaProps: spec.SchemaProps{ + Description: "Default specifies the default client certificate validation configuration for all Listeners handling HTTPS traffic, unless a per-port configuration is defined.\n\nsupport: Core\n\n", + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1.TLSConfig"), + }, + }, + "perPort": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "port", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "PerPort specifies tls configuration assigned per port. Per port configuration is optional. Once set this configuration overrides the default configuration for all Listeners handling HTTPS traffic that match this port. Each override port requires a unique TLS configuration.\n\nsupport: Core\n\n", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("sigs.k8s.io/gateway-api/apis/v1.TLSPortConfig"), + }, + }, + }, + }, + }, + }, + Required: []string{"default"}, + }, + }, + Dependencies: []string{ + "sigs.k8s.io/gateway-api/apis/v1.TLSConfig", "sigs.k8s.io/gateway-api/apis/v1.TLSPortConfig"}, + } +} + func schema_sigsk8sio_gateway_api_apis_v1_FrontendTLSValidation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -3779,7 +3825,7 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewayBackendTLS(ref common.Reference Properties: map[string]spec.Schema{ "clientCertificateRef": { SchemaProps: spec.SchemaProps{ - Description: "ClientCertificateRef is a reference to an object that contains a Client Certificate and the associated private key.\n\nReferences to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason.\n\nClientCertificateRef can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources.\n\nThis setting can be overridden on the service level by use of BackendTLSPolicy.\n\nSupport: Core\n\n", + Description: "ClientCertificateRef is a reference to an object that contains a Client Certificate and the associated private key.\n\nReferences to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason.\n\nClientCertificateRef can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources.\n\nSupport: Core\n\n", Ref: ref("sigs.k8s.io/gateway-api/apis/v1.SecretObjectReference"), }, }, 
@@ -4157,7 +4203,7 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewaySpec(ref common.ReferenceCallba }, "tls": { SchemaProps: spec.SchemaProps{ - Description: "GatewayTLSConfig specifies frontend and backend tls configuration for gateway.\n\nSupport: Extended\n\n", + Description: "TLS specifies frontend and backend tls configuration for entire gateway.\n\nSupport: Extended\n\n", Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayTLSConfig"), }, }, 
@@ -4311,41 +4357,23 @@ func schema_sigsk8sio_gateway_api_apis_v1_GatewayTLSConfig(ref common.ReferenceC Description: "GatewayTLSConfig specifies frontend and backend tls configuration for gateway.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "default": { + "backend": { SchemaProps: spec.SchemaProps{ - Description: "Default specifies the default TLS configuration for the Gateway handling HTTPS traffic. Default FrontendTLS can be override with per-port configuration.\n\nsupport: Core\n\n", - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1.TLSConfig"), + Description: "Backend describes TLS configuration for gateway when connecting to backends.\n\nNote that this contains only details for the Gateway as a TLS client, and does _not_ imply behavior about how to choose which backend should get a TLS connection. That is determined by the presence of a BackendTLSPolicy.\n\nSupport: Core\n\n", + Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"), }, }, - "perPort": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "port", - }, - "x-kubernetes-list-type": "map", - }, - }, + "frontend": { SchemaProps: spec.SchemaProps{ - Description: "PerPort specifies tls configuration assigned per port. Per port configuration is optional. Once set this configuration overrides the default configuration for all Listeners handling HTTPS traffic that match this port. Each override port requires a unique TLS configuration.\n\nsupport: Core\n\n", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("sigs.k8s.io/gateway-api/apis/v1.TLSPortConfig"), - }, - }, - }, + Description: "Frontend describes TLS config when client connects to Gateway. 
Support: Core\n\n", + Ref: ref("sigs.k8s.io/gateway-api/apis/v1.FrontendTLSConfig"), }, }, }, - Required: []string{"default"}, }, }, Dependencies: []string{ - "sigs.k8s.io/gateway-api/apis/v1.TLSConfig", "sigs.k8s.io/gateway-api/apis/v1.TLSPortConfig"}, + "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSConfig", "sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"}, } } 
@@ -6221,26 +6249,20 @@ func schema_sigsk8sio_gateway_api_apis_v1_TLSConfig(ref common.ReferenceCallback return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TLSConfig describes TLS configuration that can apply to multiple Listeners within this Gateway.", + Description: "TLSConfig describes TLS configuration that can apply to multiple Listeners within this Gateway. Currently, it stores only the client certificate validation configuration, but this may be extended in the future.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "frontendValidation": { + "validation": { SchemaProps: spec.SchemaProps{ - Description: "FrontendValidation holds configuration information for validating the frontend (client). Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific.\n\nSupport: Core\n\n", + Description: "Validation holds configuration information for validating the frontend (client). Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific.\n\nSupport: Core\n\n", Ref: ref("sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation"), }, }, - "backendValidation": { - SchemaProps: spec.SchemaProps{ - Description: "GatewayBackendTLS describes TLS configuration for gateway when connecting to backends. 
Support: Core\n\n", - Ref: ref("sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"), - }, - }, }, }, }, Dependencies: []string{ - "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation", "sigs.k8s.io/gateway-api/apis/v1.GatewayBackendTLS"}, + "sigs.k8s.io/gateway-api/apis/v1.FrontendTLSValidation"}, } }