
Commit 1cde002

committed
GEP-91: Address connection coalescing security issue - API updates
1 parent 040c2a0 commit 1cde002


2 files changed

+86
-10
lines changed


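--- a/apis/v1/gateway_types.go
+++ b/apis/v1/gateway_types.go
@@ -289,6 +289,15 @@ type GatewaySpec struct {
 //
 // +optional
 AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"`
+
+// TLSConfigs stores TLS configurations for a Gateway.
+//
+// GatewayTLSConfigs will impact all existing and newly added Listeners.
+//
+// Support: Core
+//
+// +optional
+TLSConfigs GatewayTLSConfigs `json:"tls,omitempty"`
 }
 
 // AllowedListeners defines which ListenerSets can be attached to this Gateway.
@@ -565,8 +574,7 @@ type GatewayTLSConfig struct {
 CertificateRefs []SecretObjectReference `json:"certificateRefs,omitempty"`
 
 // FrontendValidation holds configuration information for validating the frontend (client).
-// Setting this field will require clients to send a client certificate
-// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
+// Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing
 // that requests a user to specify the client certificate.
 // The maximum depth of a certificate chain accepted in verification is Implementation specific.
 //
@@ -610,6 +618,31 @@ const (
 TLSModePassthrough TLSModeType = "Passthrough"
 )
 
+// TLSConfig describes a TLS configuration that can be applied to all Gateway
+// Listeners or to all Listeners matching the Port if set.
+type TLSConfig struct {
+// The Port indicates the Port Number to which the TLS configuration will be
+// applied. If the field is not set the TLS Configuration will be applied to
+// all Listeners.
+//
+// Support: Extended
+//
+// +optional
+// <gateway:experimental>
+Port *PortNumber `json:"port,omitempty"`
+// FrontendValidation holds configuration information for validating the frontend (client).
+// Setting this field will result in mutual authentication when connecting to the gateway.
+// In browsers this may result in a dialog appearing
+// that requests a user to specify the client certificate.
+// The maximum depth of a certificate chain accepted in verification is Implementation specific.
+//
+// Support: Extended
+//
+// +optional
+// <gateway:experimental>
+FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"`
+}
+
 // FrontendTLSValidation holds configuration information that can be used to validate
 // the frontend initiating the TLS connection
 type FrontendTLSValidation struct {
@@ -626,8 +659,8 @@ type FrontendTLSValidation struct {
 // Support: Core - A single reference to a Kubernetes ConfigMap
 // with the CA certificate in a key named `ca.crt`.
 //
-// Support: Implementation-specific (More than one reference, or other kinds
-// of resources).
+// Support: Implementation-specific (More than one certificate in a ConfigMap
+// with different keys or more than one reference, or other kinds of resources).
 //
 // References to a resource in a different namespace are invalid UNLESS there
 // is a ReferenceGrant in the target namespace that allows the certificate
@@ -638,8 +671,53 @@ type FrontendTLSValidation struct {
 // +kubebuilder:validation:MaxItems=8
 // +kubebuilder:validation:MinItems=1
 CACertificateRefs []ObjectReference `json:"caCertificateRefs,omitempty"`
+
+// FrontendValidationMode defines the mode for validating the client certificate.
+// There are two possible modes:
+//
+// - AllowValidOnly: In this mode, the gateway will accept connections only if
+// the client presents a valid certificate. This certificate must successfully
+// pass validation against the CA certificates specified in `CACertificateRefs`.
+// - AllowInvalidOrMissingCert: In this mode, the gateway will accept
+// connections even if the client certificate is not presented or fails verification.
+//
+// Defaults to AllowValidOnly.
+//
+// Support: Core
+//
+// +optional
+// +kubebuilder:default=AllowValidOnly
+Mode FrontendValidationModeType `json:"mode,omitempty"`
 }
 
+// GatewayTLSConfigs stores TLS configurations for a Gateway.
+//
+// - If the `port` field in `TLSConfig` is not set, the TLS configuration applies
+// to all listeners in the gateway. We call this `default` configuration.
+// - If the `port` field in `TLSConfig` is set, the TLS configuration applies
+// only to listeners with a matching port. Each port requires a unique TLS configuration.
+// - Per-port configurations can override the `default` configuration.
+// - The `default` configuration is optional. Clients can apply TLS configuration
+// to a subset of listeners by creating only per-port configurations.
+// Listeners with a port that does not match any TLS configuration will
+// not have `frontendValidation` set.
+type GatewayTLSConfigs = []TLSConfig
+
+// FrontendValidationModeType type defines how a Gateway validates client certificates.
+//
+// +kubebuilder:validation:Enum=AllowValidOnly;AllowInvalidOrMissingCert
+type FrontendValidationModeType string
+
+const (
+// AllowValidOnly indicates that a client certificate is required
+// during the TLS handshake and MUST pass validation.
+AllowValidOnly FrontendValidationModeType = "AllowValidOnly"
+
+// AllowInvalidOrMissingCert indicates that a client certificate may not be
+// presented during the handshake or the validation against CA certificates may fail.
+AllowInvalidOrMissingCert FrontendValidationModeType = "AllowInvalidOrMissingCert"
+)
+
 // AllowedRoutes defines which Routes may be attached to this Listener.
 type AllowedRoutes struct {
 // Namespaces indicates namespaces from which Routes may be attached to this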
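Review bot: `type GatewayTLSConfigs = []TLSConfig` documents that "Each port requires a unique TLS configuration" and that only one entry acts as the `default`, but neither the alias nor the new `TLSConfigs` field in GatewaySpec carries a validation marker enforcing either rule, so a Gateway may hold two entries for the same port (or two port-less entries) with different `frontendValidation` modes, and the effective client-certificate policy then depends on whichever entry an implementation happens to pick. Suggest adding to the `tls` field in GatewaySpec a `// +kubebuilder:validation:MaxItems=64` (matching whatever cap Listeners carries, needed for CEL cost estimation) together with `// +kubebuilder:validation:XValidation:rule="self.filter(c, !has(c.port)).size() <= 1",message="at most one TLS configuration may omit port"` and `// +kubebuilder:validation:XValidation:rule="self.filter(c, has(c.port)).all(c, self.filter(d, has(d.port) && d.port == c.port).size() == 1)",message="port must be unique across TLS configurations"`. Separately, the rewritten comment on `GatewayTLSConfig.FrontendValidation` (and its copy in `TLSConfig`) says setting the field "will result in mutual authentication", which is no longer accurate once `mode: AllowInvalidOrMissingCert` is chosen, since that mode accepts connections with no certificate or a failed verification; suggest `// Setting this field enables client certificate validation; whether a valid certificate is required is governed by FrontendTLSValidation.Mode.` and a caveat on `AllowInvalidOrMissingCert` that backends must not treat such connections as authenticated. The `GatewayTLSConfigs` comment would also benefit from stating why the granularity is per port rather than per Listener, which the commit title only implies: listeners sharing a port share TLS connections, so a client can reuse a connection accepted under one listener's policy for another listener's hostname (connection coalescing), and frontend validation must therefore be uniform across a port. The `GatewaySpec` struct modified by the first hunk starts outside the hunk.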

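--- a/geps/gep-91/index.md
+++ b/geps/gep-91/index.md
@@ -102,14 +102,12 @@ type TLSConfig struct {
 //
 // +optional
 // <gateway:experimental>
-Port *PortNumber
+Port *PortNumber `json:"port,omitempty"`
 // FrontendValidation holds configuration information for validating the frontend (client).
 // Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing
 // that requests a user to specify the client certificate.
 // The maximum depth of a certificate chain accepted in verification is Implementation specific.
 //
-// Each field may be overidden by an equivalent setting applied at the Listener level.
-//
 // Support: Extended
 //
 // +optional
@@ -156,14 +154,14 @@ type FrontendTLSValidation struct {
 //
 // Defaults to AllowValidOnly.
 //
-// Support: Extended
+// Support: Core
 //
 // +optional
 // +kubebuilder:default=AllowValidOnly
-Mode *FrontendValidationModeType `json:"mode,omitempty"`
+Mode FrontendValidationModeType `json:"mode,omitempty"`
 }
 
-// FrontendValidationModeType type defines how a Gateway or Listener validates client certificates.
+// FrontendValidationModeType type defines how a Gateway validates client certificates.
 //
 // +kubebuilder:validation:Enum=AllowValidOnly;AllowInvalidOrMissingCert
 type FrontendValidationModeType string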
