docs: add provisional GEP for flexible TLS Validation in BackendTLSPolicy

Signed-off-by: Norwin Schnyder <[email protected]>

Author: snorwin

geps/gep-4152/index.md

@@ -0,0 +1,39 @@
+# GEP-4152: Allow flexible TLS Validation in BackendTLSPolicy
+
+* Issue: [#4152](https://github.com/kubernetes-sigs/gateway-api/issues/4152)
+* Status: Provisional
+
+## TLDR
+
+The ability for the `BackendTLSPolicy` to skip TLS verification or to validate certifcates based on their fingerprint or public key hash.
+
+## Motivation
+
+The current `BackendTLSPolicy` follows a secure-by-default approach that requires users to provide a trusted CA certificate bundle or rely on the system’s default certificate store (which typically includes root CAs) to validate backend server certificates. However, real-world deployments include cases where strict certificate validation may not be possible or practical, e.g., Development and testing environments that use self-signed certificates generated dynamically at runtime.
+
+In such scenarios, users may need the flexibility to disable certificate verification, or to use certificate pinning. Certificate pinning offers a safer and more controlled alternative, instead of bypassing TLS validation, the gateway verifies that the backend’s certificate matches a known fingerprint or public key hash. This preserves the confidentiality and integrity guarantees of TLS while removing the operational overhead of managing full certificate chains or trusted CA bundles.
+
+### User Stories
+
+* As an application developer, I want the option to disable backend TLS certificate verification on a per-backend basis, so I can connect to services using dynamically generated or self-signed certificates during development or testing.
+* As an application developer, I want secure-by-default behavior, ensuring that certificate verification is always enabled unless I explicitly opt out, to prevent accidentally deploying insecure configurations to production.
+* As an application developer, I want an alternative to disabling verification, such as certificate or SPKI pinning, so I can securely communicate with backends using self-signed certifcates without managing CA bundles.
+* As a gateway operator, I want to control whether skipping TLS verification is permitted for specific Gateways.
+* As a security officer, I want transperency and auditability into where TLS verification has been disabled.
+
+## Goals
+
+* Enable connecting to backends over TLS without requiring certificate validation.
+* Support certificate and SPKI pinning as alternatives to disabling verification or relying on CA trust chains.
+* Maintain secure-by-default approach, with certificate verification enabled unless explicitly opted out.
+* Provide operator-level controls so Gateway constraints can restrict or permit the use of skip-verify.
+
+## API
+
+**TODO**: First PR will not include any implementation details, in favor of
+building consensus on the motivation, goals and non-goals first. _"How?"_ we
+implement shall be left open-ended until _"What?"_ and _"Why?"_ are solid.
+
+## References
+
+* [GEP-1897: BackendTLSPolicy - Explicit Backend TLS Connection Configuration](https://gateway-api.sigs.k8s.io/geps/gep-1897/)

geps/gep-4152/metadata.yaml

@@ -0,0 +1,7 @@
+apiVersion: internal.gateway.networking.k8s.io/v1alpha1
+kind: GEPDetails
+number: 4152
+name: Allow flexible TLS Validation in BackendTLSPolicy
+status: Provisional
+authors:
+  - snorwin