You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add new BackendTLSPolicy configuration options to documentation (#3563)
* Add new BackendTLSPolicy configuration options to documentation:
- Gateway backendTLS field
- subjectAltNames field
- options field
The documentation includes descriptions of each new field along with
their purpose, usage constraints and reference links.
* Update site-src/api-types/backendtlspolicy.md
---------
Co-authored-by: Shane Utt <[email protected]>
Copy file name to clipboardExpand all lines: site-src/api-types/backendtlspolicy.md
+34-2Lines changed: 34 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,19 +36,21 @@ The specification of a [BackendTLSPolicy][backendtlspolicy] consists of:
36
36
-[Validation][validation] - Defines the configuration for TLS, including hostname, CACertificateRefs, and
37
37
WellKnownCACertificates.
38
38
-[Hostname][hostname] - Defines the Server Name Indication (SNI) that the Gateway uses to connect to the backend.
39
+
-[SubjectAltNames][subjectAltNames] - Specifies one or more Subject Alternative Names that the backend certificate must match. When specified, the certificate must have at least one matching SAN. This field enables separation between SNI (hostname) and certificate identity validation. A maximum of 5 SANs are allowed.
39
40
-[CACertificateRefs][caCertificateRefs] - Defines one or more references to objects that contain PEM-encoded TLS certificates,
40
41
which are used to establish a TLS handshake between the Gateway and backend Pod. Either CACertificateRefs or
41
42
WellKnownCACertificates may be specified, but not both.
42
43
-[WellKnownCACertificates][wellKnownCACertificates] - Specifies whether system CA certificates may be used in the TLS
43
44
handshake between the Gateway and backend Pod. Either CACertificateRefs or WellKnownCACertificates may be specified, but not both.
45
+
-[Options][options] - A map of key/value pairs enabling extended TLS configuration for implementations that choose to provide support. Check your implementation's documentation for details.
44
46
45
47
The following chart outlines the object definitions and relationship:
This field was added to BackendTLSPolicy in `v1.2.0`
121
+
The subjectAltNames field enables basic mutual TLS configuration between Gateways and backends, as well as the optional use of SPIFFE. When subjectAltNames is specified, the certificate served by the backend must have at least one Subject Alternative Name matching one of the specified values. This is particularly useful for SPIFFE implementations where URI-based SANs may not be valid SNIs.
122
+
Subject Alternative Names may contain one of either a Hostname or URI field, and must contain a Type specifying whether Hostname or URI is chosen.
123
+
124
+
!!! info "Restrictions"
125
+
126
+
- IP addresses and wildcard hostnames are not allowed. (see the description for Hostname above for more details).
127
+
- Hostname: DNS name format
128
+
- URI: URI format (e.g., SPIFFE ID)
129
+
130
+
#### TLS Options
131
+
132
+
??? example "Experimental Channel since v1.2.0"
133
+
134
+
This field was added to BackendTLSPolicy in `v1.2.0`
135
+
The options field allows specification of implementation-specific TLS configurations. This can include:
0 commit comments