kubernetes-sigs
diff --git a/‎apis/v1/gateway_types.go
Lines changed: 2 additions & 0 deletions b/‎apis/v1/gateway_types.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
Lines changed: 10 additions & 0 deletions b/‎config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎config/crd/standard/gateway.networking.k8s.io_gateways.yaml
Lines changed: 10 additions & 0 deletions b/‎config/crd/standard/gateway.networking.k8s.io_gateways.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎pkg/test/cel/gateway_test.go
Lines changed: 62 additions & 3 deletions b/‎pkg/test/cel/gateway_test.go
Lines changed: 62 additions & 3 deletions
diff --git a/‎site-src/guides/implementers.md
Lines changed: 1 addition & 1 deletion b/‎site-src/guides/implementers.md
Lines changed: 1 addition & 1 deletion
@@ -374,6 +374,8 @@ const (
 )
 
 // GatewayTLSConfig describes a TLS configuration.
+//
+// +kubebuilder:validation:XValidation:message="certificateRefs or options must be specified when mode is Terminate",rule="self.mode == 'Terminate' ? size(self.certificateRefs) > 0 || size(self.options) > 0 : true"
 type GatewayTLSConfig struct {
 	// Mode defines the TLS behavior for the TLS session initiated by the client.
 	// There are two possible modes:
 
@@ -205,7 +205,7 @@ func TestValidateGateway(t *testing.T) {
 			wantErrors: []string{"hostname must not be specified for protocols ['TCP', 'UDP']"},
 		},
 		{
-			desc: "certificateRefs not set with https protocol and TLS terminate mode",
+			desc: "certificateRefs not set with HTTPS protocol and TLS terminate mode",
 			mutate: func(gw *gatewayv1.Gateway) {
 				tlsMode := gatewayv1.TLSModeType("Terminate")
 				gw.Spec.Listeners = []gatewayv1.Listener{
@@ -219,9 +219,10 @@ func TestValidateGateway(t *testing.T) {
 					},
 				}
 			},
+			wantErrors: []string{"certificateRefs or options must be specified when mode is Terminate"},
 		},
 		{
-			desc: "certificateRefs not set with tls protocol and TLS terminate mode",
+			desc: "certificateRefs not set with TLS protocol and TLS terminate mode",
 			mutate: func(gw *gatewayv1.Gateway) {
 				tlsMode := gatewayv1.TLSModeType("Terminate")
 				gw.Spec.Listeners = []gatewayv1.Listener{
@@ -235,9 +236,29 @@ func TestValidateGateway(t *testing.T) {
 					},
 				}
 			},
+			wantErrors: []string{"certificateRefs or options must be specified when mode is Terminate"},
 		},
 		{
-			desc: "certificateRefs set with tls protocol and TLS terminate mode",
+			desc: "certificateRefs set with HTTPS protocol and TLS terminate mode",
+			mutate: func(gw *gatewayv1.Gateway) {
+				tlsMode := gatewayv1.TLSModeType("Terminate")
+				gw.Spec.Listeners = []gatewayv1.Listener{
+					{
+						Name:     gatewayv1.SectionName("https"),
+						Protocol: gatewayv1.HTTPSProtocolType,
+						Port:     gatewayv1.PortNumber(8443),
+						TLS: &gatewayv1.GatewayTLSConfig{
+							Mode: &tlsMode,
+							CertificateRefs: []gatewayv1.SecretObjectReference{
+								{Name: gatewayv1.ObjectName("foo")},
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			desc: "certificateRefs set with TLS protocol and TLS terminate mode",
 			mutate: func(gw *gatewayv1.Gateway) {
 				tlsMode := gatewayv1.TLSModeType("Terminate")
 				gw.Spec.Listeners = []gatewayv1.Listener{
@@ -255,6 +276,44 @@ func TestValidateGateway(t *testing.T) {
 				}
 			},
 		},
+		{
+			desc: "options set with HTTPS protocol and TLS terminate mode",
+			mutate: func(gw *gatewayv1.Gateway) {
+				tlsMode := gatewayv1.TLSModeType("Terminate")
+				gw.Spec.Listeners = []gatewayv1.Listener{
+					{
+						Name:     gatewayv1.SectionName("https"),
+						Protocol: gatewayv1.HTTPSProtocolType,
+						Port:     gatewayv1.PortNumber(8443),
+						TLS: &gatewayv1.GatewayTLSConfig{
+							Mode: &tlsMode,
+							Options: map[gatewayv1.AnnotationKey]gatewayv1.AnnotationValue{
+								"networking.example.com/tls-version": "1.2",
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			desc: "options set with tls protocol and TLS terminate mode",
+			mutate: func(gw *gatewayv1.Gateway) {
+				tlsMode := gatewayv1.TLSModeType("Terminate")
+				gw.Spec.Listeners = []gatewayv1.Listener{
+					{
+						Name:     gatewayv1.SectionName("tls"),
+						Protocol: gatewayv1.TLSProtocolType,
+						Port:     gatewayv1.PortNumber(8443),
+						TLS: &gatewayv1.GatewayTLSConfig{
+							Mode: &tlsMode,
+							Options: map[gatewayv1.AnnotationKey]gatewayv1.AnnotationValue{
+								"networking.example.com/tls-version": "1.2",
+							},
+						},
+					},
+				}
+			},
+		},
 		{
 			desc: "names are not unique within the Gateway",
 			mutate: func(gw *gatewayv1.Gateway) {
 
@@ -211,7 +211,7 @@ certificate stored by the external `vendor.example.com` TLS Certificate
 provider.
 
 #### 2. Automatically generated TLS certs that are populated later
-Many users would prefer that TLS certs were automatically generated on their
+Many users would prefer that TLS certs will be automatically generated on their
 behalf. One potential implementation of that would involve a controller that
 watches Gateways and HTTPRoutes, generates TLS certs, and attaches them to the
 Gateway. Depending on the implementation details, Gateway owners may need to
Original file line number	Diff line number	Diff line change
`@@ -374,6 +374,8 @@ const (`
`374`	`374`	`)`
`375`	`375`
`376`	`376`	`// GatewayTLSConfig describes a TLS configuration.`
	`377`	`+//`
	`378`	`+// +kubebuilder:validation:XValidation:message="certificateRefs or options must be specified when mode is Terminate",rule="self.mode == 'Terminate' ? size(self.certificateRefs) > 0 \|\| size(self.options) > 0 : true"`
`377`	`379`	`type GatewayTLSConfig struct {`
`378`	`380`	`// Mode defines the TLS behavior for the TLS session initiated by the client.`
`379`	`381`	`// There are two possible modes:`