
Commit 52f2fd5

committed
GEP-91: Address connection coalescing security issue - API updates
1 parent 78496d8 commit 52f2fd5


2 files changed

+86
-10
lines changed


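--- a/apis/v1/gateway_types.go
+++ b/apis/v1/gateway_types.go
@@ -295,6 +295,15 @@ type GatewaySpec struct {
 //
 // +optional
 AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"`
+
+// TLSConfigs stores TLS configurations for a Gateway.
+//
+// GatewayTLSConfigs will impact all existing and newly added Listeners.
+//
+// Support: Core
+//
+// +optional
+TLSConfigs GatewayTLSConfigs `json:"tlsConfigs,omitempty"`
 }
 
 // AllowedListeners defines which ListenerSets can be attached to this Gateway.
@@ -579,8 +588,7 @@ type GatewayTLSConfig struct {
 CertificateRefs []SecretObjectReference `json:"certificateRefs,omitempty"`
 
 // FrontendValidation holds configuration information for validating the frontend (client).
-// Setting this field will require clients to send a client certificate
-// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
+// Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing
 // that requests a user to specify the client certificate.
 // The maximum depth of a certificate chain accepted in verification is Implementation specific.
 //
@@ -624,6 +632,31 @@ const (
 TLSModePassthrough TLSModeType = "Passthrough"
 )
 
+// TLSConfig describes a TLS configuration that can be applied to all Gateway
+// Listeners or to all Listeners matching the Port if set.
+type TLSConfig struct {
+// The Port indicates the Port Number to which the TLS configuration will be
+// applied. If the field is not set the TLS Configuration will be applied to
+// all Listeners.
+//
+// Support: Extended
+//
+// +optional
+// <gateway:experimental>
+Port *PortNumber `json:"port,omitempty"`
+// FrontendValidation holds configuration information for validating the frontend (client).
+// Setting this field will result in mutual authentication when connecting to the gateway.
+// In browsers this may result in a dialog appearing
+// that requests a user to specify the client certificate.
+// The maximum depth of a certificate chain accepted in verification is Implementation specific.
+//
+// Support: Extended
+//
+// +optional
+// <gateway:experimental>
+FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"`
+}
+
 // FrontendTLSValidation holds configuration information that can be used to validate
 // the frontend initiating the TLS connection
 type FrontendTLSValidation struct {
@@ -640,8 +673,8 @@ type FrontendTLSValidation struct {
 // Support: Core - A single reference to a Kubernetes ConfigMap
 // with the CA certificate in a key named `ca.crt`.
 //
-// Support: Implementation-specific (More than one reference, or other kinds
-// of resources).
+// Support: Implementation-specific (More than one certificate in a ConfigMap
+// with different keys or more than one reference, or other kinds of resources).
 //
 // References to a resource in a different namespace are invalid UNLESS there
 // is a ReferenceGrant in the target namespace that allows the certificate
@@ -654,8 +687,53 @@ type FrontendTLSValidation struct {
 // +kubebuilder:validation:MaxItems=8
 // +kubebuilder:validation:MinItems=1
 CACertificateRefs []ObjectReference `json:"caCertificateRefs,omitempty"`
+
+// FrontendValidationMode defines the mode for validating the client certificate.
+// There are two possible modes:
+//
+// - AllowValidOnly: In this mode, the gateway will accept connections only if
+// the client presents a valid certificate. This certificate must successfully
+// pass validation against the CA certificates specified in `CACertificateRefs`.
+// - AllowInvalidOrMissingCert: In this mode, the gateway will accept
+// connections even if the client certificate is not presented or fails verification.
+//
+// Defaults to AllowValidOnly.
+//
+// Support: Core
+//
+// +optional
+// +kubebuilder:default=AllowValidOnly
+Mode FrontendValidationModeType `json:"mode,omitempty"`
 }
 
+// GatewayTLSConfigs stores TLS configurations for a Gateway.
+//
+// - If the `port` field in `TLSConfig` is not set, the TLS configuration applies
+// to all listeners in the gateway. We call this `default` configuration.
+// - If the `port` field in `TLSConfig` is set, the TLS configuration applies
+// only to listeners with a matching port. Each port requires a unique TLS configuration.
+// - Per-port configurations can override the `default` configuration.
+// - The `default` configuration is optional. Clients can apply TLS configuration
+// to a subset of listeners by creating only per-port configurations.
+// Listeners with a port that does not match any TLS configuration will
+// not have `frontendValidation` set.
+type GatewayTLSConfigs = []TLSConfig
+
+// FrontendValidationModeType type defines how a Gateway validates client certificates.
+//
+// +kubebuilder:validation:Enum=AllowValidOnly;AllowInvalidOrMissingCert
+type FrontendValidationModeType string
+
+const (
+// AllowValidOnly indicates that a client certificate is required
+// during the TLS handshake and MUST pass validation.
+AllowValidOnly FrontendValidationModeType = "AllowValidOnly"
+
+// AllowInvalidOrMissingCert indicates that a client certificate may not be
+// presented during the handshake or the validation against CA certificates may fail.
+AllowInvalidOrMissingCert FrontendValidationModeType = "AllowInvalidOrMissingCert"
+)
+
 // AllowedRoutes defines which Routes may be attached to this Listener.
 type AllowedRoutes struct {
 // Namespaces indicates namespaces from which Routes may be attached to this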
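Review bot: `TLSConfigs GatewayTLSConfigs` in the first hunk carries only `+optional`, while the `GatewayTLSConfigs` doc in the last hunk promises that each port has a unique configuration and that a single port-less entry acts as the `default`; nothing visible here rejects two entries for the same port or two port-less entries, so a list holding one `AllowValidOnly` and one `AllowInvalidOrMissingCert` entry for port 443 is admitted and which one wins is left to the implementation — a silent way to lose client-certificate enforcement, which is exactly what the coalescing fix depends on. Consider a CEL marker on the field, e.g. `// +kubebuilder:validation:XValidation:message="tlsConfigs ports must be unique and at most one entry may omit port",rule="self.filter(c, !has(c.port)).size() <= 1 && self.all(c, !has(c.port) || self.filter(o, has(o.port) && o.port == c.port).size() == 1)"`, together with a `+kubebuilder:validation:MaxItems` bound so the rule stays inside the CEL cost budget. The `AllowInvalidOrMissingCert` comment should also state that a connection accepted in that mode is not authenticated and that backends must not treat the presence of a client certificate as proof of identity unless the implementation forwards the verification result. The listener-level `FrontendValidation` on `GatewayTLSConfig` appears to remain (the second hunk only rewords its comment, and the struct continues outside the hunk); if it does, its doc should say how it interacts with the gateway-level setting, since a per-listener policy is what HTTP/2 connection coalescing can bypass.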

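--- a/geps/gep-91/index.md
+++ b/geps/gep-91/index.md
@@ -102,14 +102,12 @@ type TLSConfig struct {
 //
 // +optional
 // <gateway:experimental>
-Port *PortNumber
+Port *PortNumber `json:"port,omitempty"`
 // FrontendValidation holds configuration information for validating the frontend (client).
 // Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing
 // that requests a user to specify the client certificate.
 // The maximum depth of a certificate chain accepted in verification is Implementation specific.
 //
-// Each field may be overidden by an equivalent setting applied at the Listener level.
-//
 // Support: Extended
 //
 // +optional
@@ -156,14 +154,14 @@ type FrontendTLSValidation struct {
 //
 // Defaults to AllowValidOnly.
 //
-// Support: Extended
+// Support: Core
 //
 // +optional
 // +kubebuilder:default=AllowValidOnly
-Mode *FrontendValidationModeType `json:"mode,omitempty"`
+Mode FrontendValidationModeType `json:"mode,omitempty"`
 }
 
-// FrontendValidationModeType type defines how a Gateway or Listener validates client certificates.
+// FrontendValidationModeType type defines how a Gateway validates client certificates.
 //
 // +kubebuilder:validation:Enum=AllowValidOnly;AllowInvalidOrMissingCert
 type FrontendValidationModeType string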