From eeebf80ec10e6cf98da093579c285e4f5e6e3391 Mon Sep 17 00:00:00 2001 From: Lahiru Udayanga Date: Fri, 5 Dec 2025 00:11:00 +0530 Subject: [PATCH 1/3] feat: allow TLS termination for TLSRoute 
Signed-off-by: Lahiru Udayanga --- internal/gatewayapi/listener.go | 2 +- internal/gatewayapi/route.go | 28 ++- ...nttrafficpolicy-for-tcp-listeners.out.yaml | 2 + ...enttrafficpolicy-invalid-settings.out.yaml | 6 + ...s-client-verification-expired-crl.out.yaml | 2 + ...icpolicy-mtls-client-verification.out.yaml | 2 + ...nvoyproxy-tls-settings-invalid-ns.out.yaml | 2 + .../envoyproxy-tls-settings-invalid.out.yaml | 2 + .../testdata/envoyproxy-tls-settings.out.yaml | 2 + ...teway-with-listener-tls-terminate.out.yaml | 4 + ...-with-tls-terminate-hostname-match.in.yaml | 50 +++++ ...with-tls-terminate-hostname-match.out.yaml | 184 +++++++++++++++++ ...ith-tls-terminate-invalid-hostname.in.yaml | 50 +++++ ...th-tls-terminate-invalid-hostname.out.yaml | 121 +++++++++++ ...with-tls-terminate-multiple-routes.in.yaml | 82 ++++++++ ...ith-tls-terminate-multiple-routes.out.yaml | 189 ++++++++++++++++++ .../tlsroute-with-tls-terminate.in.yaml | 47 +++++ .../tlsroute-with-tls-terminate.out.yaml | 181 +++++++++++++++++ .../testdata/tlsroute-tls-termination.yaml | 86 ++++++++ test/e2e/tests/tlsroute_tls_termination.go | 173 ++++++++++++++++ 20 files changed, 1209 insertions(+), 6 deletions(-) create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.in.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.out.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate.in.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-with-tls-terminate.out.yaml create mode 100644 
test/e2e/testdata/tlsroute-tls-termination.yaml create mode 100644 test/e2e/tests/tlsroute_tls_termination.go diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 2332f444dc7..1ec714f078f 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -66,7 +66,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource case gwapiv1.TLSModePassthrough: t.validateAllowedRoutes(listener, resource.KindTLSRoute) case gwapiv1.TLSModeTerminate: - t.validateAllowedRoutes(listener, resource.KindTCPRoute) + t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute) default: t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute) } diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index f9ce28d2eb5..0db16f748cc 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -1356,15 +1356,33 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour hasHostnameIntersection = true irKey := t.getIRKey(listener.gateway.Gateway) - gwXdsIR := xdsIR[irKey] irListener := gwXdsIR.GetTCPListener(irListenerName(listener)) if irListener != nil { + var tlsConfig *ir.TLS + if irListener.TLS != nil { + // Listener is in terminate mode. + tlsConfig = &ir.TLS{ + Terminate: irListener.TLS, + } + // If hostnames specified, add SNI config for routing + if len(hosts) > 0 { + tlsConfig.TLSInspectorConfig = &ir.TLSInspectorConfig{ + SNIs: hosts, + } + } + } else { + // Passthrough mode - only SNI inspection + tlsConfig = &ir.TLS{ + TLSInspectorConfig: &ir.TLSInspectorConfig{ + SNIs: hosts, + }, + } + } + irRoute := &ir.TCPRoute{ Name: irTCPRouteName(tlsRoute), - TLS: &ir.TLS{TLSInspectorConfig: &ir.TLSInspectorConfig{ - SNIs: hosts, - }}, + TLS: tlsConfig, Destination: &ir.RouteDestination{ Name: destName, Settings: destSettings, 
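Review bot: After this change the `gwapiv1.TLSModeTerminate` case and the `default` case in ProcessListeners make the identical call, `t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute)`, so the switch no longer shows that allowing TLSRoute on a terminating listener is a deliberate choice. I would add a comment on the case, e.g. `// Terminate: TLS ends at the gateway; TCPRoute and SNI-matched TLSRoute may both attach`. The updated golden files show that every existing Terminate listener now advertises TLSRoute in `supportedKinds`, which is worth calling out in the release notes: with `allowedRoutes.namespaces.from: All`, as in the new fixtures, a TLSRoute from another namespace can bind to a listener that decrypts traffic with the Gateway's certificate. ProcessListeners starts and ends outside the hunk.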
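Review bot: In the terminate branch a TLSRoute whose `hosts` is empty is emitted with `Terminate` set and no `TLSInspectorConfig`, so it carries no SNI match and, as far as this hunk shows, acts as a catch-all for the listener. Nothing here decides what happens when a second TLSRoute without hostnames, or a TCPRoute, attaches to the same terminating listener. If that conflict is resolved elsewhere, say so above the `if len(hosts) > 0` check, e.g. `// No hostnames: route matches every connection on this listener; conflicts are rejected in <validation site>`; if it is not, it needs a check and a fixture. The branch also infers terminate mode from `irListener.TLS != nil` rather than from the listener's TLS mode, which deserves a one-line comment stating that only Terminate listeners populate that field. processTLSRouteParentRefs starts and ends outside the hunk.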
@@ -1385,7 +1403,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour gwapiv1.RouteConditionAccepted, metav1.ConditionFalse, gwapiv1.RouteReasonNoMatchingListenerHostname, - "There were no hostname intersections between the HTTPRoute and this parent ref's Listener(s).", + "There were no hostname intersections between the TLSRoute and this parent ref's Listener(s).", ) } diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml index 5aefbbd7b14..fb90d6105e5 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml @@ -101,6 +101,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 1 conditions: - lastTransitionTime: null diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml index 0dc07bd6445..0bc828967f6 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml @@ -229,6 +229,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 1 conditions: - lastTransitionTime: null @@ -365,6 +367,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 0 conditions: - lastTransitionTime: null @@ -501,6 +505,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 0 conditions: - lastTransitionTime: null 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml index cbcc91e69e6..31f1cdd0e81 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml @@ -375,6 +375,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute infraIR: envoy-gateway/gateway-1: proxy: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml index 57cd0c8f063..d5f9c602f03 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml @@ -368,6 +368,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute infraIR: envoy-gateway/gateway-1: proxy: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index 427b210510d..9e566f8fe78 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml @@ -81,6 +81,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 1 conditions: - lastTransitionTime: null diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index c3da99097ea..46f626bc0cc 100644 
--- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml @@ -81,6 +81,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 1 conditions: - lastTransitionTime: null diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index 5fb088afdf9..687101d6bae 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -81,6 +81,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 1 conditions: - lastTransitionTime: null diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml index 7486b9cbc9f..e7a9e2c11fe 100644 --- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml @@ -55,6 +55,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute - attachedRoutes: 1 conditions: - lastTransitionTime: null @@ -76,6 +78,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute infraIR: envoy-gateway/gateway-1: proxy: diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.in.yaml new file mode 100644 index 00000000000..c6b3168bf00 --- /dev/null 
+++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.in.yaml 
@@ -0,0 +1,50 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls + hostname: "*.example.com" + protocol: TLS + port: 90 + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + allowedRoutes: + namespaces: + from: All +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + namespace: default + name: tlsroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: tls + hostnames: + - "foo.example.com" + rules: + - backendRefs: + - name: service-1 + port: 8080 + +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-1 + type: kubernetes.io/tls + data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2
FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU
1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.out.yaml new file mode 100644 index 00000000000..52d451638ec --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-hostname-match.out.yaml 
@@ -0,0 +1,184 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.example.com' + name: tls + port: 90 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls + supportedKinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10090 + name: tls-90 + protocol: TLS + servicePort: 90 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tlsroute-1 + namespace: default + spec: + hostnames: + - foo.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null 
+ message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: tls +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 90 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10090 + routes: + - destination: + metadata: + kind: TLSRoute + name: tlsroute-1 + namespace: default + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-1 + namespace: default + sectionName: "8080" + name: tlsroute/default/tlsroute-1/rule/-1/backend/0 + protocol: HTTPS + weight: 1 + metadata: + kind: TLSRoute + name: tlsroute-1 + namespace: default + name: tlsroute/default/tlsroute-1 + tls: + inspector: + snis: + - foo.example.com + terminate: + alpnProtocols: [] + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + tls: + alpnProtocols: [] + certificates: + - certificate: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml new file mode 100644 index 00000000000..fc0281373a5 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml 
@@ -0,0 +1,50 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls + hostname: "foo.example.com" + protocol: TLS + port: 90 + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + allowedRoutes: + namespaces: + from: All +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + namespace: default + name: tlsroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: tls + hostnames: + - "bar.different.com" + rules: + - backendRefs: + - name: service-1 + port: 8080 + +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-1 + type: kubernetes.io/tls + data: + tls.crt: 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 + tls.key: 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 diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml new file mode 100644 index 00000000000..96223a51146 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml 
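Review bot: This fixture does not reach the hostname-mismatch path it is named for. The golden output recorded for it in this commit reports the listener as invalid (`reason: InvalidCertificateRef`, `x509: malformed extensions`) and the route as `reason: NoReadyListeners`, so `NoMatchingListenerHostname` is never asserted and the corrected TLSRoute message in route.go stays untested. The tlsroute-with-tls-terminate-multiple-routes fixture has the same problem: its output shows `attachedRoutes: 3` with the same certificate error and no `tcp` listener in `xdsIR`, so routing between several SNI-matched routes on a terminating listener is not covered either. Both fixtures need a `tls-secret-1` that validates, as in the hostname-match fixture whose listener is reported `Programmed`, after which the `.out.yaml` files should be regenerated.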
@@ -0,0 +1,121 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: foo.example.com + name: tls + port: 90 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: 'Secret envoy-gateway/tls-secret-1 must contain valid tls.crt and + tls.key, unable to validate certificate in tls.crt: x509: malformed extensions.' + reason: InvalidCertificateRef + status: "False" + type: ResolvedRefs + - lastTransitionTime: null + message: Listener is invalid, see other Conditions for details. + reason: Invalid + status: "False" + type: Programmed + name: tls + supportedKinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tlsroute-1 + namespace: default + spec: + hostnames: + - bar.different.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There are no ready listeners for this parent ref + reason: NoReadyListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + 
controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: tls +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml new file mode 100644 index 00000000000..708f8750aa9 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml 
@@ -0,0 +1,82 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls + hostname: "*.example.com" + protocol: TLS + port: 90 + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + allowedRoutes: + namespaces: + from: All +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + namespace: default + name: tlsroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: tls + hostnames: + - "foo.example.com" + rules: + - backendRefs: + - name: service-1 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + namespace: default + name: tlsroute-2 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: tls + hostnames: + - "bar.example.com" + rules: + - backendRefs: + - name: service-2 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + namespace: default + name: tlsroute-3 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: tls + hostnames: + - "baz.example.com" + rules: + - backendRefs: + - name: service-3 + port: 8080 + +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-1 + type: kubernetes.io/tls + data: + tls.crt: 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 + tls.key: 
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFv
R0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml new file mode 100644 index 00000000000..0fc32fa4752 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml 
@@ -0,0 +1,189 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.example.com' + name: tls + port: 90 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + status: + listeners: + - attachedRoutes: 3 + conditions: + - lastTransitionTime: null + message: 'Secret envoy-gateway/tls-secret-1 must contain valid tls.crt and + tls.key, unable to validate certificate in tls.crt: x509: malformed extensions.' + reason: InvalidCertificateRef + status: "False" + type: ResolvedRefs + - lastTransitionTime: null + message: Listener is invalid, see other Conditions for details. + reason: Invalid + status: "False" + type: Programmed + name: tls + supportedKinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tlsroute-1 + namespace: default + spec: + hostnames: + - foo.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There are no ready listeners for this parent ref + reason: NoReadyListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + 
controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: tls +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tlsroute-2 + namespace: default + spec: + hostnames: + - bar.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: service-2 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There are no ready listeners for this parent ref + reason: NoReadyListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: tls +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tlsroute-3 + namespace: default + spec: + hostnames: + - baz.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: service-3 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There are no ready listeners for this parent ref + reason: NoReadyListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: tls +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + settings: + - 
addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate.in.yaml new file mode 100644 index 00000000000..0fa7a438801 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate.in.yaml @@ -0,0 +1,47 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls + protocol: TLS + port: 90 + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + allowedRoutes: + namespaces: + from: All +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + namespace: default + name: tlsroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: tls + rules: + - backendRefs: + - name: service-1 + port: 8080 + +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-1 + type: kubernetes.io/tls + data: + tls.crt: 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 + tls.key: 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 diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate.out.yaml new file mode 100644 index 00000000000..357ea935f66 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate.out.yaml 
@@ -0,0 +1,181 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: tls + port: 90 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-secret-1 + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls + supportedKinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + - group: gateway.networking.k8s.io + kind: TLSRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10090 + name: tls-90 + protocol: TLS + servicePort: 90 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tlsroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route 
+ reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: tls +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 90 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10090 + routes: + - destination: + metadata: + kind: TLSRoute + name: tlsroute-1 + namespace: default + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-1 + namespace: default + sectionName: "8080" + name: tlsroute/default/tlsroute-1/rule/-1/backend/0 + protocol: HTTPS + weight: 1 + metadata: + kind: TLSRoute + name: tlsroute-1 + namespace: default + name: tlsroute/default/tlsroute-1 + tls: + inspector: + snis: + - '*' + terminate: + alpnProtocols: [] + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + tls: + alpnProtocols: [] + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' 
diff --git a/test/e2e/testdata/tlsroute-tls-termination.yaml b/test/e2e/testdata/tlsroute-tls-termination.yaml new file mode 100644 index 00000000000..0677892fd0b --- /dev/null +++ b/test/e2e/testdata/tlsroute-tls-termination.yaml 
@@ -0,0 +1,86 @@ +# Certificate for TLS termination - Wildcard cert for *.example.com +# openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj '/O=example Inc./CN=*.example.com' -keyout tls.key -out tls.crt +apiVersion: v1 +data: + tls.key: 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 + tls.crt: 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 + ca.crt: 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 +kind: Secret +metadata: + name: tls-termination-certificate + namespace: gateway-conformance-infra +type: kubernetes.io/tls +--- +# Gateway with TLS listener in Terminate mode +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: tlsroute-termination-gateway + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: tls + protocol: TLS + port: 8443 + hostname: "*.example.com" + tls: + certificateRefs: + - group: "" + kind: Secret + name: tls-termination-certificate + mode: Terminate + allowedRoutes: + namespaces: + from: All +--- +# TLSRoute 1: foo.example.com -> infra-backend-v1 +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: tlsroute-terminate-1 + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: tlsroute-termination-gateway + sectionName: tls + hostnames: + - "foo.example.com" + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +# TLSRoute 2: bar.example.com -> infra-backend-v2 +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: tlsroute-terminate-2 + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: tlsroute-termination-gateway + sectionName: tls + hostnames: + - "bar.example.com" + rules: + - backendRefs: + - name: infra-backend-v2 + port: 8080 +--- +# TLSRoute 3: baz.example.com -> infra-backend-v3 +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: tlsroute-terminate-3 + namespace: 
gateway-conformance-infra +spec: + parentRefs: + - name: tlsroute-termination-gateway + sectionName: tls + hostnames: + - "baz.example.com" + rules: + - backendRefs: + - name: infra-backend-v3 + port: 8080 diff --git a/test/e2e/tests/tlsroute_tls_termination.go b/test/e2e/tests/tlsroute_tls_termination.go new file mode 100644 index 00000000000..742eb8cf1c2 --- /dev/null +++ b/test/e2e/tests/tlsroute_tls_termination.go 
@@ -0,0 +1,173 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "testing" + "time" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/roundtripper" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" +) + +func init() { + ConformanceTests = append(ConformanceTests, TLSRouteTLSTerminationTest) +} + +var TLSRouteTLSTerminationTest = suite.ConformanceTest{ + ShortName: "TLSRouteTLSTermination", + Description: "TLSRoute with TLS Termination and SNI-based routing", + Manifests: []string{ + "testdata/tlsroute-tls-termination.yaml", + }, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + gwNN := types.NamespacedName{Name: "tlsroute-termination-gateway", Namespace: ns} + + t.Run("TLSRoute with TLS termination - route 1 (foo.example.com)", func(t *testing.T) { + routeNN := types.NamespacedName{Name: "tlsroute-terminate-1", Namespace: ns} + gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) + + certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} + cPem, _, caCertPem, err := GetTLSSecret(suite.Client, certNN) + if err != nil { + t.Fatalf("unexpected error finding TLS secret: %v", err) + } + + expected := http.ExpectedResponse{ + Request: http.Request{ + Host: "foo.example.com", + Path: "/", + }, + Response: http.Response{ + StatusCodes: []int{200}, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") + + // Use the CA cert to verify server certificate, cert is self-signed so it's 
also the CA + WaitForConsistentResponseWithCA( + t, + suite.RoundTripper, + &req, + &expected, + suite.TimeoutConfig.RequiredConsecutiveSuccesses, + suite.TimeoutConfig.MaxTimeToConsistency, + cPem, + caCertPem, + "foo.example.com") + }) + + t.Run("TLSRoute with TLS termination - route 2 (bar.example.com)", func(t *testing.T) { + routeNN := types.NamespacedName{Name: "tlsroute-terminate-2", Namespace: ns} + gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) + + certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} + cPem, _, caCertPem, err := GetTLSSecret(suite.Client, certNN) + if err != nil { + t.Fatalf("unexpected error finding TLS secret: %v", err) + } + + expected := http.ExpectedResponse{ + Request: http.Request{ + Host: "bar.example.com", + Path: "/", + }, + Response: http.Response{ + StatusCodes: []int{200}, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") + + WaitForConsistentResponseWithCA( + t, + suite.RoundTripper, + &req, + &expected, + suite.TimeoutConfig.RequiredConsecutiveSuccesses, + suite.TimeoutConfig.MaxTimeToConsistency, + cPem, + caCertPem, + "bar.example.com") + }) + + t.Run("TLSRoute with TLS termination - route 3 (baz.example.com)", func(t *testing.T) { + routeNN := types.NamespacedName{Name: "tlsroute-terminate-3", Namespace: ns} + gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) + + certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} + cPem, _, caCertPem, err := GetTLSSecret(suite.Client, certNN) + if err != nil { + t.Fatalf("unexpected error finding TLS secret: %v", err) + } + + expected := http.ExpectedResponse{ + Request: http.Request{ + Host: "baz.example.com", + Path: "/", + }, + Response: 
http.Response{ + StatusCodes: []int{200}, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") + + WaitForConsistentResponseWithCA( + t, + suite.RoundTripper, + &req, + &expected, + suite.TimeoutConfig.RequiredConsecutiveSuccesses, + suite.TimeoutConfig.MaxTimeToConsistency, + cPem, + caCertPem, + "baz.example.com") + }) + }, +} + +// WaitForConsistentResponseWithCA makes requests with TLS using a CA certificate to verify the server +func WaitForConsistentResponseWithCA(t *testing.T, r roundtripper.RoundTripper, req *roundtripper.Request, expected *http.ExpectedResponse, threshold int, maxTimeToConsistency time.Duration, certPem, caCertPem []byte, serverName string) { + if req == nil { + t.Fatalf("request cannot be nil") + } + if expected == nil { + t.Fatalf("expected response cannot be nil") + } + + http.AwaitConvergence(t, threshold, maxTimeToConsistency, func(elapsed time.Duration) bool { + updatedReq := *req + updatedReq.Server = serverName + // Use the certificate as CA for validation (self-signed cert) + updatedReq.CertPem = caCertPem + + cReq, cRes, err := r.CaptureRoundTrip(updatedReq) + if err != nil { + tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) + return false + } + + if err := http.CompareRoundTrip(t, &updatedReq, cReq, cRes, *expected); err != nil { + tlog.Logf(t, "Response expectation failed for request: %+v not ready yet: %v (after %v)", updatedReq, err, elapsed) + return false + } + + return true + }) + tlog.Logf(t, "Request passed") +} From e49bdb7cf584acd061571a53bf362c83c4a3359c Mon Sep 17 00:00:00 2001 From: Lahiru Udayanga Date: Fri, 5 Dec 2025 13:59:42 +0530 Subject: [PATCH 2/3] update certs with hosts added to SAN Signed-off-by: Lahiru Udayanga --- test/e2e/testdata/tlsroute-tls-termination.yaml | 6 +++--- test/e2e/tests/tlsroute_tls_termination.go | 14 +++++++++----- 2 files changed, 12 insertions(+), 8 deletions(-) 
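Review bot: None of the three subtests pins which backend answered, so the SNI-based routing named in `Description` is not actually asserted. Each `http.ExpectedResponse` sets only `Request`, `Response.StatusCodes` and `Namespace`, so a listener that sent `foo.example.com` to `infra-backend-v2` would still pass with a 200. Adding `Backend: "infra-backend-v1",` next to `Namespace: ns` (and `infra-backend-v2` / `infra-backend-v3` in the other two subtests) would make cross-route leakage fail the test. A further subtest for a hostname that matches the `*.example.com` listener but no TLSRoute would show that an unmatched SNI is refused rather than served by one of the existing routes.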
diff --git a/test/e2e/testdata/tlsroute-tls-termination.yaml b/test/e2e/testdata/tlsroute-tls-termination.yaml index 0677892fd0b..b9fa724e27c 100644 --- a/test/e2e/testdata/tlsroute-tls-termination.yaml +++ b/test/e2e/testdata/tlsroute-tls-termination.yaml 
@@ -2,9 +2,9 @@ # openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj '/O=example Inc./CN=*.example.com' -keyout tls.key -out tls.crt apiVersion: v1 data: - tls.key: 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 - tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVTUtDb255N01qWVhUREw0dWtHa1VQOGppd0Fnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tERVZNQk1HQTFVRUF3d01LaTV0YjI1dVpYTjBaV1F0YVc4eER6QU5CZ05WQkFvTUJtVjRZVzF3YkdVdwpIaGNOTWpVd01UQTVNRGt5TmpRd1doY05Nek15T0RJd01Ea3lOalF3V2pBb01SVXdFd1lEVlFRRERBd3FMbTF2CmJtNWxjM1JsWkMxcGJ6RVBNQTBHQTFVRUNnd0daWGhoYlhCc1pUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQUQKZ2dFUEFEQ0NBUW9DZ2dFQkFKM1I4OEpxU25FeUJHNDRSWUhWc0UwVGUrWEtmS0xwV2NTOVJxNzBlaU1POCs0NApzMGVGdnphUFp4bi9UR0Q5Z2tZNHJNK2Rac01Vc1hnYTZIQzNnUHBwTVl0Zm9nN3pYUXZxMGk4ZGQ4eEMwZ3A2Cm03ckQ3TzVobnlXYXZQUzRYcDVjcU9ONG9YR3VoK1M0ek1Mdjg0bG52OGIvRzN0bm1BWHBZZjZWUjE4MjJqT3oKcCsxQ0c4ZWlGSEpjT2ZxV2lZMjh1NnFSV2VKUFZlelh1QWwyZ3hxYmlPNkt0NnBucjRpcWhUaEgrdmpXc1dOcApDSVhrbDFydVlYbnhWLzRCOENxY1JJeTZHaEp6blpGNHc0ckE2RGVGUmZkeXQxZ3VtazNlYzVSZGY3aGpmYVRBCnNVUTdjYXlCRHk2SmtNRnk0OHIwWGdZUG5hM3BjM1E2UjdubmpFaTlWYWlCTGxiM0U5SENBd0VBQWFOU01GQXcKSFFZRFZSME9CQllFRkp0SEFmaWlnQzhBV2hBQ1ExVWo5K3pla1dTTE1COEdBMVVkSXdRWU1CYUFGSXRIN0FmaQppZ0M4QVdoQUNRMVVqOSt6ZWtXU0xNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQUJhWVFsSmo0U0hGTTRTOFhaSU14MFZhWDBhdjJMNTJrdVRMTytESmpEYkNoajZibFdGNm1NbG1hSzlwCnNaeGFzUWZvTGxIQ3BSbkRJb0p0ZEk3c0dySXdJOWNlNENoMFd1Q29ZOUVLK1piVnE4K3pDRlFjZHZJTGNoeVUKVjdUY2Qzb0V2SE5ZQXpyRW9NdFNhb1ZMWFV4cjA3VThJYmp2Y29iNFkyWGNXa0NnTUU1UWpGUlpFWXZRTUVPQQoySmJFQ05KdmdYWWRGdVhvN01WM0NMTHBXYjl3WEg4T2ZqQWQzU3R3RUJNK0VhRHdLaHJ0K01NajNLblFjWjFzCk5iVEJ2QnhqQjMwb3BTWC95U2JKYU9VejBMcHV3U21BUmFiUkNxRjk3bzEvVWdHU1M1ek9Eckx0ZlZJQkNVeEQKcnN0SlpGcFpCSEZ2dWR3SXpic1l5djlCVG5YSEhTRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - ca.crt: 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 + tls.key: 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 + tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURXakNDQWtLZ0F3SUJBZ0lVSk9taGNTTHR6LzVRU2tvcitaOFpvOWVocnlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0x6RVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkpibU11TVJZd0ZBWURWUVFEREEwcUxtVjRZVzF3YkdVdQpZMjl0TUI0WERUSTFNVEl3TlRBNE1EWXdNMW9YRFRNMU1USXdNekE0TURZd00xb3dMekVWTUJNR0ExVUVDZ3dNClpYaGhiWEJzWlNCSmJtTXVNUll3RkFZRFZRUUREQTBxTG1WNFlXMXdiR1V1WTI5dE1JSUJJakFOQmdrcWhraUcKOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTU3SmJNZ3BsQVpYOWZEaDV1Z2lSUmw4WEMyUUx5NGEyUm1QZwpoUzJhVEp4NGx3ak9GLzlNVmhHeW9NQzIwc01QQkF4eUwza3lFWTk2QUpwSXJjSkwwQlcwUlVVY2dpVW5QYkM2CkV0M0lUcVNjalZOYlJmczcvb2Fmd1U4L3hCZEtZOVJTTGRGN0IrMFZSMDJZZElFdTNtNThEcld1VGJsd0oyMmcKWXg2cmtYd0ZUa0lQbmR3U0RuWHNiSHdhT0VzaXh2RTdaVy92SnJqWEp6V016MUpnSnVlZ1BDWEpaMUtySHU0dQpRbU1HTW9rSDZ3ZWpUQ2plN0ZkQm84ODZ1QTZjbDdOWG85WDR4UVl5VXFsVDl6WnhLU2RvbXBaZjYzUFUrYmVBCmlJemR6aXhFeDdFTGdDc3hsQVBkUVErdnZKMEJyY1lVd3g3QlYxYjdTSExVWHBuVml3SURBUUFCbzI0d2JEQkwKQmdOVkhSRUVSREJDZ2cwcUxtVjRZVzF3YkdVdVkyOXRnZzltYjI4dVpYaGhiWEJzWlM1amIyMkNEMkpoY2k1bAplR0Z0Y0d4bExtTnZiWUlQWW1GNkxtVjRZVzF3YkdVdVkyOXRNQjBHQTFVZERnUVdCQlFLbWNMbHFOVjlJei9DCnZZYWFhLzVaTkxESFJUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFEZExaRHFQdllYc0d6YjFyektjY1pQV1IKNFMxYS9rNEl4Nk1yaExaRFc4YmdiL3hNalpqeHVMRVJGNk9YYlViazhuOFdaeWhpalY5SXZ2alZ2K1pGRVc4VQpnNjJnaWlyREFnVXp6SUc2RkdLejRvU2l5dmpGMnhUdURNY1J1Y0U5OFE4dnNUV0c1TU51L0lsdTlnbzg4Q3dwCkdNMlc0clRoVG05U3dBWi9XNE9NNlRpNHdBUldzUHJ5am5QZlIralQzUUVBcXJHMWNoZ3BKU29qSmhlK3p0RW4KaURkNmdMSFhKUUN5WnNJRklsRFdWVzdmVUEvNHNpUFB1dGxmc3JjY3gweW43WlVkU0k1ZkVzWm9jUkJBSFN3WgpIUFVwTlBoMno1ajZEOUNDVG5jQTVNbXRHNCtjdjNtMyt3eHFseUozWFhrSGd3SUtwWkNjbFNyVXRkL2t2dz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + ca.crt: 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 kind: Secret metadata: name: tls-termination-certificate diff --git a/test/e2e/tests/tlsroute_tls_termination.go b/test/e2e/tests/tlsroute_tls_termination.go index 742eb8cf1c2..77a96b8d18a 100644 --- a/test/e2e/tests/tlsroute_tls_termination.go +++ b/test/e2e/tests/tlsroute_tls_termination.go 
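Review bot: The `# openssl req ...` comment above `data:` is left untouched by this hunk, although the commit message says the replacement `tls.crt` now carries the test hosts in its SAN. The documented command only sets `-subj '/O=example Inc./CN=*.example.com'`, so regenerating the fixture from it would presumably produce a certificate without SANs, which a verifying client is likely to reject. Suggest updating the comment to the command actually used, for example by appending `-addext 'subjectAltName=DNS:*.example.com,DNS:foo.example.com,DNS:bar.example.com,DNS:baz.example.com'`. A short remark that `tls.key` is a throwaway key for the reserved example.com domain would also make clear it must not be reused outside the test.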
@@ -38,7 +38,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} - cPem, _, caCertPem, err := GetTLSSecret(suite.Client, certNN) + cPem, keyPem, caCertPem, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } @@ -65,6 +65,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, cPem, + keyPem, caCertPem, "foo.example.com") }) @@ -74,7 +75,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} - cPem, _, caCertPem, err := GetTLSSecret(suite.Client, certNN) + cPem, keyPem, caCertPem, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } @@ -100,6 +101,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, cPem, + keyPem, caCertPem, "bar.example.com") }) 
@@ -109,7 +111,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} - cPem, _, caCertPem, err := GetTLSSecret(suite.Client, certNN) + cPem, keyPem, caCertPem, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } @@ -135,6 +137,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, cPem, + keyPem, caCertPem, "baz.example.com") }) @@ -142,7 +145,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ } // WaitForConsistentResponseWithCA makes requests with TLS using a CA certificate to verify the server -func WaitForConsistentResponseWithCA(t *testing.T, r roundtripper.RoundTripper, req *roundtripper.Request, expected *http.ExpectedResponse, threshold int, maxTimeToConsistency time.Duration, certPem, caCertPem []byte, serverName string) { +func WaitForConsistentResponseWithCA(t *testing.T, r roundtripper.RoundTripper, req *roundtripper.Request, expected *http.ExpectedResponse, threshold int, maxTimeToConsistency time.Duration, certPem, keyPem, caCertPem []byte, serverName string) { if req == nil { t.Fatalf("request cannot be nil") } @@ -153,8 +156,9 @@ func WaitForConsistentResponseWithCA(t *testing.T, r roundtripper.RoundTripper, http.AwaitConvergence(t, threshold, maxTimeToConsistency, func(elapsed time.Duration) bool { updatedReq := *req updatedReq.Server = serverName - // Use the certificate as CA for validation (self-signed cert) + // Use the certificate and key for TLS setup, CA cert for validation (self-signed cert) updatedReq.CertPem = caCertPem + updatedReq.KeyPem = keyPem cReq, cRes, err := r.CaptureRoundTrip(updatedReq) if err != nil { 
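Review bot: In the last hunk, `WaitForConsistentResponseWithCA` still never reads its `certPem` parameter: `updatedReq.CertPem` is set to `caCertPem` and is now paired with `keyPem`. That is only a matching pair while `ca.crt` and `tls.crt` in the Secret hold the same self-signed certificate, and the new comment ("certificate and key for TLS setup, CA cert for validation") does not describe these assignments. Either use the parameter (`updatedReq.CertPem = certPem`) or drop it and reword the comment, e.g. `// CertPem is also the trust root here: the cert is self-signed, so ca.crt equals tls.crt`. The change also passes the gateway's private key to the test client, so the comment should say why the round tripper needs it. The function body continues outside the hunk.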
From 5133d3dd48a6c7202e44177306291c454982fc91 Mon Sep 17 00:00:00 2001 From: Lahiru Udayanga Date: Fri, 5 Dec 2025 14:27:43 +0530 Subject: [PATCH 3/3] fix unit test invalid cert format Signed-off-by: Lahiru Udayanga --- ...ith-tls-terminate-invalid-hostname.in.yaml | 4 +- ...th-tls-terminate-invalid-hostname.out.yaml | 51 ++++-- ...with-tls-terminate-multiple-routes.in.yaml | 4 +- ...ith-tls-terminate-multiple-routes.out.yaml | 167 ++++++++++++++++-- 4 files changed, 193 insertions(+), 33 deletions(-) diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml index fc0281373a5..ffd5eae0cd9 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.in.yaml 
@@ -46,5 +46,5 @@ secrets: name: tls-secret-1 type: kubernetes.io/tls data: - tls.crt: 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 - tls.key: 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 + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGVENDQWYyZ0F3SUJBZ0lVRVZNTVA5ZUo5WEFCV2NRNVptbTZSWk5uQ2Nvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dqRVlNQllHQTFVRUF3d1BabTl2TG1WNFlXMXdiR1V1WTI5dE1CNFhEVEkxTVRJd05UQTRNemswTUZvWApEVE0xTVRJd016QTRNemswTUZvd0dqRVlNQllHQTFVRUF3d1BabTl2TG1WNFlXMXdiR1V1WTI5dE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXVERTg4L1hQQzV4M2pGV3NjSjZRamxQSEplRHUKRVFRbXZnbU0vRnlKMzVSSjYra2J4ZDNYRVdrSFdBcWlYVWNZTHI5QTJOcE1RZnFCVDk2VU1yQmJJckRWdExJLwphNStnWnNRdlZSbU9FRzRZUTdhdkFDREJidENzcVh4QVVhNTB6WVIzU1NSUXFpSlJpcmFlZzVseFRTYWtMOERRCmZhT3lkSTFvQlJRWElHaWlOVHMweHJDNCtSSzBlVWc1aXhKVUNpNWt4TExPTEc1a1FSTzZrdXYvdlVVWmpBQ0EKU2FWVzZlbGJKQU1PeUZnb08yOW5IVldlcy9UUlIybE1LVFhSMng1SWszM21hekdHaFRocE5tUWpyaG1kUE4rZwo2Y1JlOS9lc0FuZFVDS0R6clpzRGE5MWkzUFozNTJRUFU2NHJ6THN5Zzg0c2I2RUhheVZ5YU1lcjJ3SURBUUFCCm8xTXdVVEFkQmdOVkhRNEVGZ1FVSWtsc1FMWkZrcFlrZGQxVTQ3N1FTazFMdjdzd0h3WURWUjBqQkJnd0ZvQVUKSWtsc1FMWkZrcFlrZGQxVTQ3N1FTazFMdjdzd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcwQgpBUXNGQUFPQ0FRRUFYRzAvUE1mUGdmYVZRRFo2K0ppS2UyQk40bzRTYTk0Si84V0IydFAwQXZtMEUrSXFDVExtCjhjazR2S2RXYTZLUE9YelRSazJiZWpBT2o4MFpLdTIvaDNDOWdObldwb1o3aCtZMXdIQXR0SWo1WEp0a0RBUFQKUHEyN2RCcnZMVUV2c24ydzR2NGsreVgyOHFGQndxSWgybUh4OG05VTJSYWFVV2xYWHNDbis2dGpnQ1NDNXhTOQplM3A5MVh3QllacmJJNVgvQVlsYm1YL2laZG81Snp1Y3Ryb3QzeFRaZGJOWU5CdEw0d2V0WGxGTHljS2c1NHd2CjVjYXNEcFB6V0MwQkhXV2RzK213TU1KalgxNDlXWE9tdXFibWo5QzV0cTBZei9DaE1mOFdjblhpODVDbUdBcUUKaUl0bGcvOVMvNC96bG1tMDJoVEp4S0o5OHNPOVJZVzI0QT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 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 
diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml index 96223a51146..ecff539dd60 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml @@ -25,16 +25,20 @@ gateways: - attachedRoutes: 1 conditions: - lastTransitionTime: null - message: 'Secret envoy-gateway/tls-secret-1 must contain valid tls.crt and - tls.key, unable to validate certificate in tls.crt: x509: malformed extensions.' - reason: InvalidCertificateRef - status: "False" - type: ResolvedRefs - - lastTransitionTime: null - message: Listener is invalid, see other Conditions for details. - reason: Invalid - status: "False" + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs name: tls supportedKinds: - group: gateway.networking.k8s.io @@ -44,6 +48,14 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10090 + name: tls-90 + protocol: TLS + servicePort: 90 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -74,8 +86,9 @@ tlsRoutes: parents: - conditions: - lastTransitionTime: null - message: There are no ready listeners for this parent ref - reason: NoReadyListeners + message: There were no hostname intersections between the TLSRoute and this + parent ref's Listener(s). + reason: NoMatchingListenerHostname status: "False" type: Accepted - lastTransitionTime: null 
@@ -119,3 +132,19 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 90 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10090 + tls: + alpnProtocols: [] + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml index 708f8750aa9..45f2605228b 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.in.yaml @@ -78,5 +78,5 @@ secrets: name: tls-secret-1 type: kubernetes.io/tls data: - tls.crt: 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 - tls.key: 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 + tls.crt: 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 + tls.key: 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 diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml index 0fc32fa4752..b71caf8c59c 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-multiple-routes.out.yaml 
@@ -25,16 +25,20 @@ gateways: - attachedRoutes: 3 conditions: - lastTransitionTime: null - message: 'Secret envoy-gateway/tls-secret-1 must contain valid tls.crt and - tls.key, unable to validate certificate in tls.crt: x509: malformed extensions.' - reason: InvalidCertificateRef - status: "False" - type: ResolvedRefs - - lastTransitionTime: null - message: Listener is invalid, see other Conditions for details. - reason: Invalid - status: "False" + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs name: tls supportedKinds: - group: gateway.networking.k8s.io @@ -44,6 +48,14 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10090 + name: tls-90 + protocol: TLS + servicePort: 90 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -74,9 +86,9 @@ tlsRoutes: parents: - conditions: - lastTransitionTime: null - message: There are no ready listeners for this parent ref - reason: NoReadyListeners - status: "False" + message: Route is accepted + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route @@ -108,9 +120,9 @@ tlsRoutes: parents: - conditions: - lastTransitionTime: null - message: There are no ready listeners for this parent ref - reason: NoReadyListeners - status: "False" + message: Route is accepted + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route 
@@ -142,9 +154,9 @@ tlsRoutes: parents: - conditions: - lastTransitionTime: null - message: There are no ready listeners for this parent ref - reason: NoReadyListeners - status: "False" + message: Route is accepted + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route 
@@ -187,3 +199,122 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 90 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10090 + routes: + - destination: + metadata: + kind: TLSRoute + name: tlsroute-1 + namespace: default + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-1 + namespace: default + sectionName: "8080" + name: tlsroute/default/tlsroute-1/rule/-1/backend/0 + protocol: HTTPS + weight: 1 + metadata: + kind: TLSRoute + name: tlsroute-1 + namespace: default + name: tlsroute/default/tlsroute-1 + tls: + inspector: + snis: + - foo.example.com + terminate: + alpnProtocols: [] + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + - destination: + metadata: + kind: TLSRoute + name: tlsroute-2 + namespace: default + name: tlsroute/default/tlsroute-2/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-2 + namespace: default + sectionName: "8080" + name: tlsroute/default/tlsroute-2/rule/-1/backend/0 + protocol: HTTPS + weight: 1 + metadata: + kind: TLSRoute + name: tlsroute-2 + namespace: default + name: tlsroute/default/tlsroute-2 + tls: + inspector: + snis: + - bar.example.com + terminate: + alpnProtocols: [] + certificates: + - certificate: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZRENDQWtpZ0F3SUJBZ0lVRVZNTVA5ZUo5WEFCV2NRNVptbTZSWk5uQ2Nvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dERVdNQlFHQTFVRUF3d05LaTVsZUdGdGNHeGxMbU52YlRBZUZ3MHlOVEV5TURVd09EUXlNemhhRncwegpOVEV5TURNd09EUXlNemhhTUJneEZqQVVCZ05WQkFNTURTb3VaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUM2YlBGT2pTWFB1dGxnUGQ5VlpwNkNxZitqVkpiTzlLUVoKTXBicmdPcmFraGt3NVp1NEJwZ2NjcUgxWENweEczVFRkTURreHJXOC9PLzFTY3dIeGtuTkp3aFdsZ3dIMDJWNQpZc3ptZmZnVkRrMVR0NXpTWXFOdWU0UUVEeVpncmhJNmRpbXBTVTFWbnRSbG5HY2ZFS05Zb0VMME9Kc2NjdlJXCkFGbjQ3dksxL3ZSWi82TFB1b0k4aGYwS0psU0Y3ZWJ3TEJnSmNEYmNtYURDR2NCc1ZyWnZkMnNHc0hWQ2pDOFAKZll5bEI5NkxaS0c3bjVkVlNDZm9tNEFucmtXbXZ4WHBjeXhveVhOTXR5cWZMNnppRnQyMTNYRDkyUnREQytvawp1Y29LL295N281V2JpN21mWGJoVXYrRVhjU3BXNXBDa2hFSTk0TFBmZ2p6TmFVeitjeER0QWdNQkFBR2pnYUV3CmdaNHdIUVlEVlIwT0JCWUVGR3gyVXZVMStpSFR3TzRoMU9zODJwb1o2SjJoTUI4R0ExVWRJd1FZTUJhQUZHeDIKVXZVMStpSFR3TzRoMU9zODJwb1o2SjJoTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3U3dZRFZSMFJCRVF3UW9JTgpLaTVsZUdGdGNHeGxMbU52YllJUFptOXZMbVY0WVcxd2JHVXVZMjl0Z2c5aVlYSXVaWGhoYlhCc1pTNWpiMjJDCkQySmhlaTVsZUdGdGNHeGxMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWdyNjZSVDJFaXZWenllZU8Kbk1pbytwN3VIUUM4dU1ldTNmTDAxcEU3V0ppZFR6OTFtUzdyekIrY3RFNytsZ2FVaGlFVzNyajVqOVZ2RjNVWQo2T0VVUEFCL1YrWUVrcUE3S0RpcHBNTDZMbW00MElaNXJ0N0tBZkhud0NmZnJMNk1WVmNQSlVaZytJTUJTVTNoCnU0M2p6Y3B5V1ZBenFGczM0TVBYMmZjN1VvZHh6UzFaVStPYnJsTTkvTGR2L2VJT2xqZ0tyVGt3MlAvd2Z6cm4KQmpYRFFTNGo5dm9hYmZhcjhuSWkvTHRGSTZCVG5SWUhBNkRkWWE0WXdqWTFrM3d1SDk4L2dYT3FQK0ZPVWlsSgpKYnI4cWNjZlY4bGZTL21JTG1jUitmenRDcVBTVWplK3Y3UW1yVmJuWS8wK1B4SUFxZklFcXZyTTZ3TXN5OXBuClIwS0ViUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + - destination: + metadata: + kind: TLSRoute + name: tlsroute-3 + namespace: default + name: tlsroute/default/tlsroute-3/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-3 + namespace: default + sectionName: 
"8080" + name: tlsroute/default/tlsroute-3/rule/-1/backend/0 + protocol: HTTPS + weight: 1 + metadata: + kind: TLSRoute + name: tlsroute-3 + namespace: default + name: tlsroute/default/tlsroute-3 + tls: + inspector: + snis: + - baz.example.com + terminate: + alpnProtocols: [] + certificates: + - certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZRENDQWtpZ0F3SUJBZ0lVRVZNTVA5ZUo5WEFCV2NRNVptbTZSWk5uQ2Nvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dERVdNQlFHQTFVRUF3d05LaTVsZUdGdGNHeGxMbU52YlRBZUZ3MHlOVEV5TURVd09EUXlNemhhRncwegpOVEV5TURNd09EUXlNemhhTUJneEZqQVVCZ05WQkFNTURTb3VaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUM2YlBGT2pTWFB1dGxnUGQ5VlpwNkNxZitqVkpiTzlLUVoKTXBicmdPcmFraGt3NVp1NEJwZ2NjcUgxWENweEczVFRkTURreHJXOC9PLzFTY3dIeGtuTkp3aFdsZ3dIMDJWNQpZc3ptZmZnVkRrMVR0NXpTWXFOdWU0UUVEeVpncmhJNmRpbXBTVTFWbnRSbG5HY2ZFS05Zb0VMME9Kc2NjdlJXCkFGbjQ3dksxL3ZSWi82TFB1b0k4aGYwS0psU0Y3ZWJ3TEJnSmNEYmNtYURDR2NCc1ZyWnZkMnNHc0hWQ2pDOFAKZll5bEI5NkxaS0c3bjVkVlNDZm9tNEFucmtXbXZ4WHBjeXhveVhOTXR5cWZMNnppRnQyMTNYRDkyUnREQytvawp1Y29LL295N281V2JpN21mWGJoVXYrRVhjU3BXNXBDa2hFSTk0TFBmZ2p6TmFVeitjeER0QWdNQkFBR2pnYUV3CmdaNHdIUVlEVlIwT0JCWUVGR3gyVXZVMStpSFR3TzRoMU9zODJwb1o2SjJoTUI4R0ExVWRJd1FZTUJhQUZHeDIKVXZVMStpSFR3TzRoMU9zODJwb1o2SjJoTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3U3dZRFZSMFJCRVF3UW9JTgpLaTVsZUdGdGNHeGxMbU52YllJUFptOXZMbVY0WVcxd2JHVXVZMjl0Z2c5aVlYSXVaWGhoYlhCc1pTNWpiMjJDCkQySmhlaTVsZUdGdGNHeGxMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWdyNjZSVDJFaXZWenllZU8Kbk1pbytwN3VIUUM4dU1ldTNmTDAxcEU3V0ppZFR6OTFtUzdyekIrY3RFNytsZ2FVaGlFVzNyajVqOVZ2RjNVWQo2T0VVUEFCL1YrWUVrcUE3S0RpcHBNTDZMbW00MElaNXJ0N0tBZkhud0NmZnJMNk1WVmNQSlVaZytJTUJTVTNoCnU0M2p6Y3B5V1ZBenFGczM0TVBYMmZjN1VvZHh6UzFaVStPYnJsTTkvTGR2L2VJT2xqZ0tyVGt3MlAvd2Z6cm4KQmpYRFFTNGo5dm9hYmZhcjhuSWkvTHRGSTZCVG5SWUhBNkRkWWE0WXdqWTFrM3d1SDk4L2dYT3FQK0ZPVWlsSgpKYnI4cWNjZlY4bGZTL21JTG1jUitmenRDcVBTVWplK3Y3UW1yVmJuWS8wK1B4SUFxZklFcXZyTTZ3TXN5OXBuClIwS0ViUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: envoy-gateway/tls-secret-1 + 
privateKey: '[redacted]' + tls: + alpnProtocols: [] + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]'