feat: support GWAPI frontend validation (#16739)

kinolaev · web-flow · commit 9baf3739f5e7 · 2025-09-01T15:50:26.000-04:00
Signed-off-by: Sergei Nikolaev &lt;kinolaev@gmail.com&gt;
diff --git a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md
@@ -543,10 +543,7 @@ EOF
 
 {{< tab name="Gateway API" category-value="gateway-api" >}}
 
-Because the Kubernetes Gateway API does not currently support mutual TLS termination in a
-[Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway),
-we use an Istio-specific option, `gateway.istio.io/tls-terminate-mode: MUTUAL`,
-to configure it:
+Add a reference to a ConfigMap or a Secret with `ca.crt` or `cacert` key that holds CA certificates.
 
 {{< text bash >}}
 $ cat <<EOF | kubectl apply -f -
@@ -566,8 +563,11 @@ spec:
       mode: Terminate
       certificateRefs:
       - name: httpbin-credential
-      options:
-        gateway.istio.io/tls-terminate-mode: MUTUAL
+      frontendValidation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: httpbin-credential
     allowedRoutes:
       namespaces:
         from: Selector
diff --git a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
@@ -441,8 +441,11 @@ spec:
       mode: Terminate
       certificateRefs:
       - name: httpbin-credential
-      options:
-        gateway.istio.io/tls-terminate-mode: MUTUAL
+      frontendValidation:
+        caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: httpbin-credential
     allowedRoutes:
       namespaces:
         from: Selector
