rename GatewayTLSConfig to ListenerTLSConfig

Author: kl52752

apis/v1/gateway_types.go

@@ -693,8 +693,12 @@ type FrontendTLSValidation struct {
 	// - AllowValidOnly: In this mode, the gateway will accept connections only if
 	//   the client presents a valid certificate. This certificate must successfully
 	//   pass validation against the CA certificates specified in `CACertificateRefs`.
-	// - AllowInvalidOrMissingCert: In this mode, the gateway will accept
-	//   connections even if the client certificate is not presented or fails verification.
+	// - AllowInsecureFallback: In this mode, the gateway will accept connections
+	//   even if the client certificate is not presented or fails verification.
+	//
+	//   This approach delegates client authorization to the backend and introduce
+	//   a significant security risk. It should be used in testing environments or
+	//   on a temporary basis in non-testing environments.
 	//
 	// Defaults to AllowValidOnly.
 	//
@@ -707,17 +711,17 @@ type FrontendTLSValidation struct {
 
 // FrontendValidationModeType type defines how a Gateway validates client certificates.
 //
-// +kubebuilder:validation:Enum=AllowValidOnly;AllowInvalidOrMissingCert
+// +kubebuilder:validation:Enum=AllowValidOnly;AllowInsecureFallback
 type FrontendValidationModeType string
 
 const (
 	// AllowValidOnly indicates that a client certificate is required
 	// during the TLS handshake and MUST pass validation.
 	AllowValidOnly FrontendValidationModeType = "AllowValidOnly"
 
-	// AllowInvalidOrMissingCert indicates that a client certificate may not be
+	// AllowInsecureFallback indicates that a client certificate may not be
 	// presented during the handshake or the validation against CA certificates may fail.
-	AllowInvalidOrMissingCert FrontendValidationModeType = "AllowInvalidOrMissingCert"
+	AllowInsecureFallback FrontendValidationModeType = "AllowInsecureFallback"
 )
 
 // AllowedRoutes defines which Routes may be attached to this Listener.

apis/v1/zz_generated.deepcopy.go

@@ -88,9 +88,9 @@ type Listener = v1.Listener
 // +k8s:deepcopy-gen=false
 type ProtocolType = v1.ProtocolType
 
-// GatewayTLSConfig describes a TLS configuration.
+// ListenerTLSConfig describes a TLS configuration.
 // +k8s:deepcopy-gen=false
-type GatewayTLSConfig = v1.GatewayTLSConfig
+type ListenerTLSConfig = v1.ListenerTLSConfig
 
 // TLSModeType type defines how a Gateway handles TLS sessions.
 //

apis/v1beta1/gateway_types.go

@@ -25,7 +25,7 @@ type (
 	// +k8s:deepcopy-gen=false
 	AllowedRoutes = v1.AllowedRoutes
 	// +k8s:deepcopy-gen=false
-	GatewayTLSConfig = v1.GatewayTLSConfig
+	ListenerTLSConfig = v1.ListenerTLSConfig
 	// +k8s:deepcopy-gen=false
 	Group = v1.Group
 	// +k8s:deepcopy-gen=false

apisx/v1alpha1/shared_types.go

@@ -179,14 +179,14 @@ type ListenerEntry struct {
 	// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
 	// if the Protocol field is "HTTP", "TCP", or "UDP".
 	//
-	// The association of SNIs to Certificate defined in GatewayTLSConfig is
+	// The association of SNIs to Certificate defined in ListenerTLSConfig is
 	// defined based on the Hostname field for this listener.
 	//
 	// The GatewayClass MUST use the longest matching SNI out of all
 	// available certificates for any TLS handshake.
 	//
 	// +optional
-	TLS *GatewayTLSConfig `json:"tls,omitempty"`
+	TLS *ListenerTLSConfig `json:"tls,omitempty"`
 
 	// AllowedRoutes defines the types of routes that MAY be attached to a
 	// Listener and the trusted namespaces where those Route resources MAY be