You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: geps/gep-1897/index.md
+2-3Lines changed: 2 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -214,7 +214,7 @@ configuration. CACertificateRefs is an implementation-specific slice of
214
214
named object references, each containing a single cert. We originally proposed to follow the convention established by the
215
215
[CertificateRefs field on Gateway](https://github.com/kubernetes-sigs/gateway-api/blob/18e79909f7310aafc625ba7c862dfcc67b385250/apis/v1beta1/gateway_types.go#L340)
216
216
, but the CertificateRef requires both a tls.key and tls.crt and a certificate reference only requires the tls.crt.
217
-
If the CertificateRef cannot be resolved or does not include a certificate (tls.crt), the BackendTLSPolicy is considered invalid.
217
+
If any of the CACertificateRefs cannot be resolved or is misconfigured, the BackendTLSPolicy is considered invalid.
218
218
219
219
WellKnownCACertificates is an optional enum that allows users to specify whether to use the set of CA certificates trusted by the
220
220
Gateway (WellKnownCACertificates specified as "System"), or to use the existing CACertificateRefs (WellKnownCACertificates
@@ -224,8 +224,7 @@ references to Kubernetes objects that contain PEM-encoded TLS certificates, whic
224
224
between the gateway and backend pod. References to a resource in a different namespace are invalid.
225
225
If ClientCertificateRefs is unspecified, then WellKnownCACertificates must be set to "System" for a valid configuration.
226
226
If WellKnownCACertificates is unspecified, then CACertificateRefs must be specified with at least one entry for a valid configuration.
227
-
If WellKnownCACertificates is set to "System" and there are no system trusted certificates or the implementation doesn't define system
228
-
trusted certificates, the BackendTLSPolicy is considered invalid.
227
+
If an implementation does not support the WellKnownCACertificates, or the provided value is unsupported,the BackendTLSPolicy is considered invalid.
229
228
230
229
For an invalid BackendTLSPolicy, implementations MUST NOT fall back to unencrypted (plaintext) connections.
231
230
Instead, the corresponding TLS connection MUST fail, and the client MUST receive an HTTP error response.
0 commit comments