
Commit 7b09bed

committed
GEP-91: Address connection coalescing security issue - API updates
1 parent 02e4952 commit 7b09bed

23 files changed

+1327
-506
lines changed

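--- a/apis/v1/gateway_types.go
+++ b/apis/v1/gateway_types.go
@@ -295,6 +295,14 @@ type GatewaySpec struct {
 //
 // +optional
 AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"`
+//
+// GatewayTLSConfig specifies frontend tls configuration for gateway.
+//
+// Support: Extended
+//
+// +optional
+// <gateway:experimental>
+TLS *GatewayTLSConfig `json:"tls,omitempty"`
 }
 
 // AllowedListeners defines which ListenerSets can be attached to this Gateway.
@@ -414,7 +422,7 @@ type Listener struct {
 // the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
 // if the Protocol field is "HTTP", "TCP", or "UDP".
 //
-// The association of SNIs to Certificate defined in GatewayTLSConfig is
+// The association of SNIs to Certificate defined in ListenerTLSConfig is
 // defined based on the Hostname field for this listener.
 //
 // The GatewayClass MUST use the longest matching SNI out of all
@@ -423,7 +431,7 @@ type Listener struct {
 // Support: Core
 //
 // +optional
-TLS *GatewayTLSConfig `json:"tls,omitempty"`
+TLS *ListenerTLSConfig `json:"tls,omitempty"`
 
 // AllowedRoutes defines the types of routes that MAY be attached to a
 // Listener and the trusted namespaces where those Route resources MAY be
@@ -526,10 +534,10 @@ type GatewayBackendTLS struct {
 ClientCertificateRef *SecretObjectReference `json:"clientCertificateRef,omitempty"`
 }
 
-// GatewayTLSConfig describes a TLS configuration.
+// ListenerTLSConfig describes a TLS configuration for a listener.
 //
 // +kubebuilder:validation:XValidation:message="certificateRefs or options must be specified when mode is Terminate",rule="self.mode == 'Terminate' ? size(self.certificateRefs) > 0 || size(self.options) > 0 : true"
-type GatewayTLSConfig struct {
+type ListenerTLSConfig struct {
 // Mode defines the TLS behavior for the TLS session initiated by the client.
 // There are two possible modes:
 //
@@ -578,18 +586,6 @@ type GatewayTLSConfig struct {
 // +kubebuilder:validation:MaxItems=64
 CertificateRefs []SecretObjectReference `json:"certificateRefs,omitempty"`
 
-// FrontendValidation holds configuration information for validating the frontend (client).
-// Setting this field will require clients to send a client certificate
-// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
-// that requests a user to specify the client certificate.
-// The maximum depth of a certificate chain accepted in verification is Implementation specific.
-//
-// Support: Extended
-//
-// +optional
-// <gateway:experimental>
-FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"`
-
 // Options are a list of key/value pairs to enable extended TLS
 // configuration for each implementation. For example, configuring the
 // minimum TLS version or supported cipher suites.
@@ -606,6 +602,35 @@ type GatewayTLSConfig struct {
 Options map[AnnotationKey]AnnotationValue `json:"options,omitempty"`
 }
 
+// GatewayTLSConfig specifies frontend tls configuration for gateway.
+type GatewayTLSConfig struct {
+// Default specifies the default client certificate validation configuration
+// for all Listeners handling HTTPS traffic, unless a per-port configuration
+// is defined.
+//
+// support: Core
+//
+// +required
+// <gateway:experimental>
+Default TLSConfig `json:"default"`
+
+// PerPort specifies tls configuration assigned per port.
+// Per port configuration is optional. Once set this configuration overrides
+// the default configuration for all Listeners handling HTTPS traffic
+// that match this port.
+// Each override port requires a unique TLS configuration.
+//
+// support: Core
+//
+// +optional
+// +listType=map
+// +listMapKey=port
+// +kubebuilder:validation:MaxItems=64
+// +kubebuilder:validation:XValidation:message="Port for TLS configuration must be unique within the Gateway",rule="self.all(t1, self.exists_one(t2, t1.port == t2.port))"
+// <gateway:experimental>
+PerPort []TLSPortConfig `json:"perPort,omitempty"`
+}
+
 // TLSModeType type defines how a Gateway handles TLS sessions.
 //
 // +kubebuilder:validation:Enum=Terminate;Passthrough
@@ -624,6 +649,46 @@ const (
 TLSModePassthrough TLSModeType = "Passthrough"
 )
 
+// TLSConfig describes TLS configuration that can apply to multiple Listeners
+// within this Gateway. Currently, it stores only the client certificate validation
+// configuration, but this may be extended in the future.
+type TLSConfig struct {
+// FrontendValidation holds configuration information for validating the frontend (client).
+// Setting this field will result in mutual authentication when connecting to the gateway.
+// In browsers this may result in a dialog appearing
+// that requests a user to specify the client certificate.
+// The maximum depth of a certificate chain accepted in verification is Implementation specific.
+//
+// Support: Core
+//
+// +required
+// <gateway:experimental>
+FrontendValidation FrontendTLSValidation `json:"frontendValidation"`
+}
+
+type TLSPortConfig struct {
+// The Port indicates the Port Number to which the TLS configuration will be
+// applied. This configuration will be applied to all Listeners handling HTTPS
+// traffic that match this port.
+//
+// Support: Core
+//
+// +required
+// +kubebuilder:validation:Minimum=1
+// +kubebuilder:validation:Maximum=65535
+// <gateway:experimental>
+Port PortNumber `json:"port"`
+
+// TLS store the configuration that will be applied to all Listeners handling
+// HTTPS traffic and matching given port.
+//
+// Support: Core
+//
+// +required
+// <gateway:experimental>
+TLS TLSConfig `json:"tls"`
+}
+
 // FrontendTLSValidation holds configuration information that can be used to validate
 // the frontend initiating the TLS connection
 type FrontendTLSValidation struct {
@@ -640,8 +705,8 @@ type FrontendTLSValidation struct {
 // Support: Core - A single reference to a Kubernetes ConfigMap
 // with the CA certificate in a key named `ca.crt`.
 //
-// Support: Implementation-specific (More than one reference, or other kinds
-// of resources).
+// Support: Implementation-specific (More than one certificate in a ConfigMap
+// with different keys or more than one reference, or other kinds of resources).
 //
 // References to a resource in a different namespace are invalid UNLESS there
 // is a ReferenceGrant in the target namespace that allows the certificate
@@ -653,9 +718,49 @@ type FrontendTLSValidation struct {
 // +listType=atomic
 // +kubebuilder:validation:MaxItems=8
 // +kubebuilder:validation:MinItems=1
-CACertificateRefs []ObjectReference `json:"caCertificateRefs,omitempty"`
+CACertificateRefs []ObjectReference `json:"caCertificateRefs"`
+
+// FrontendValidationMode defines the mode for validating the client certificate.
+// There are two possible modes:
+//
+// - AllowValidOnly: In this mode, the gateway will accept connections only if
+// the client presents a valid certificate. This certificate must successfully
+// pass validation against the CA certificates specified in `CACertificateRefs`.
+// - AllowInsecureFallback: In this mode, the gateway will accept connections
+// even if the client certificate is not presented or fails verification.
+//
+// This approach delegates client authorization to the backend and introduce
+// a significant security risk. It should be used in testing environments or
+// on a temporary basis in non-testing environments.
+//
+// Defaults to AllowValidOnly.
+//
+// Support: Core
+//
+// +optional
+// +kubebuilder:default=AllowValidOnly
+Mode FrontendValidationModeType `json:"mode,omitempty"`
 }
 
+// FrontendValidationModeType type defines how a Gateway validates client certificates.
+//
+// +kubebuilder:validation:Enum=AllowValidOnly;AllowInsecureFallback
+type FrontendValidationModeType string
+
+const (
+// AllowValidOnly indicates that a client certificate is required
+// during the TLS handshake and MUST pass validation.
+//
+// Support: Core
+AllowValidOnly FrontendValidationModeType = "AllowValidOnly"
+
+// AllowInsecureFallback indicates that a client certificate may not be
+// presented during the handshake or the validation against CA certificates may fail.
+//
+// Support: Extended
+AllowInsecureFallback FrontendValidationModeType = "AllowInsecureFallback"
+)
+
 // AllowedRoutes defines which Routes may be attached to this Listener.
 type AllowedRoutes struct {
 // Namespaces indicates namespaces from which Routes may be attached to this
@@ -993,6 +1098,13 @@ const (
 // information on which address is causing the problem and how to resolve it
 // in the condition message.
 GatewayReasonAddressNotUsable GatewayConditionReason = "AddressNotUsable"
+// This condition indicates `FrontendValidationModeType` changed from
+// `AllowValidOnly` to `AllowInsecureFallback`.
+GatewayConditionInsecureFrontendValidationMode GatewayConditionReason = "InsecureFrontendValidationMode"
+// This reason MUST be set for GatewayConditionInsecureFrontendValidationMode
+// when client change FrontendValidationModeType for a Gateway or per port override
+// to `AllowInsecureFallback`.
+GatewayReasonConfigurationChanged GatewayConditionReason = "ConfigurationChanged"
 )
 
 const (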
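Review bot: The `Mode` field added in the `@@ -653,9 +718,49 @@` hunk is `+optional` with `omitempty`, so any Go consumer that reads a Gateway without API-server defaulting (an unstructured client, a test fixture, an object stored under an older CRD schema) sees the empty string rather than `AllowValidOnly`; the field comment should pin the zero value to the secure mode so no implementation branches into the fallback path by omission, e.g. `// An unset or empty Mode MUST be treated as AllowValidOnly.`. In the same hunk the comment `introduce a significant security risk` should read `introduces`, and `AllowInsecureFallback` is marked `Support: Extended` while the `Mode` field carrying it says `Support: Core`, which should agree so conformance tooling classifies the insecure mode consistently. In the `@@ -624,6 +649,46 @@` hunk `TLSPortConfig` is the only new exported type without a doc comment, e.g. `// TLSPortConfig binds a TLSConfig to a single port of the Gateway.`, and the `support: Core` markers on `Default` and `PerPort` in the `@@ -606,6 +602,35 @@` hunk are lowercase where every other field on the page uses `Support:`. In the last hunk `GatewayConditionInsecureFrontendValidationMode` is documented as a condition but declared with the reason type `GatewayConditionReason` inside the reasons block; if it is meant to be a condition type it presumably belongs with the file's condition-type constants, which sit outside this hunk.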

apis/v1/zz_generated.deepcopy.go

Lines changed: 76 additions & 21 deletions

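--- a/apis/v1beta1/gateway_types.go
+++ b/apis/v1beta1/gateway_types.go
@@ -88,9 +88,9 @@ type Listener = v1.Listener
 // +k8s:deepcopy-gen=false
 type ProtocolType = v1.ProtocolType
 
-// GatewayTLSConfig describes a TLS configuration.
+// ListenerTLSConfig describes a TLS configuration.
 // +k8s:deepcopy-gen=false
-type GatewayTLSConfig = v1.GatewayTLSConfig
+type ListenerTLSConfig = v1.ListenerTLSConfig
 
 // TLSModeType type defines how a Gateway handles TLS sessions.
 //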

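--- a/apisx/v1alpha1/shared_types.go
+++ b/apisx/v1alpha1/shared_types.go
@@ -25,7 +25,7 @@ type (
 // +k8s:deepcopy-gen=false
 AllowedRoutes = v1.AllowedRoutes
 // +k8s:deepcopy-gen=false
-GatewayTLSConfig = v1.GatewayTLSConfig
+ListenerTLSConfig = v1.ListenerTLSConfig
 // +k8s:deepcopy-gen=false
 Group = v1.Group
 // +k8s:deepcopy-gen=false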

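--- a/apisx/v1alpha1/xlistenerset_types.go
+++ b/apisx/v1alpha1/xlistenerset_types.go
@@ -179,14 +179,14 @@ type ListenerEntry struct {
 // the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
 // if the Protocol field is "HTTP", "TCP", or "UDP".
 //
-// The association of SNIs to Certificate defined in GatewayTLSConfig is
+// The association of SNIs to Certificate defined in ListenerTLSConfig is
 // defined based on the Hostname field for this listener.
 //
 // The GatewayClass MUST use the longest matching SNI out of all
 // available certificates for any TLS handshake.
 //
 // +optional
-TLS *GatewayTLSConfig `json:"tls,omitempty"`
+TLS *ListenerTLSConfig `json:"tls,omitempty"`
 
 // AllowedRoutes defines the types of routes that MAY be attached to a
 // Listener and the trusted namespaces where those Route resources MAY be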
