gateway tls config

Author: kl52752

apis/v1/gateway_types.go

@@ -295,24 +295,12 @@ type GatewaySpec struct {
 	//
 	// +optional
 	AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"`
-
-	// TLSConfigs stores TLS configurations for a Gateway.
+	// GatewayTLSConfig specifies frontend tls configuration for gateway.
 	//
-	//   - If the `port` field in `TLSConfig` is not set, the TLS configuration applies
-	//     to all listeners in the gateway. We call this `default` configuration.
-	//   - If the `port` field in `TLSConfig` is set, the TLS configuration applies
-	//     only to listeners with a matching port. Each port requires a unique TLS configuration.
-	//   - Per-port configurations can override the `default` configuration.
-	//   - The `default` configuration is optional. Clients can apply TLS configuration
-	//     to a subset of listeners by creating only per-port configurations.
-	//     Listeners with a port that does not match any TLS configuration will
-	//     not have `frontendValidation` set.
+	// <gateway:experimental>
 	//
-	// Support: Core
 	// +optional
-	//
-	// <gateway:experimental>
-	TLSConfigs []TLSConfig `json:"tlsConfigs,omitempty"`
+	TLS *GatewayTLSConfig `json:"tls,omitempty"`
 }
 
 // AllowedListeners defines which ListenerSets can be attached to this Gateway.
@@ -612,6 +600,31 @@ type ListenerTLSConfig struct {
 	Options map[AnnotationKey]AnnotationValue `json:"options,omitempty"`
 }
 
+// GatewayTLSConfig specifies frontend tls configuration for gateway.
+type GatewayTLSConfig struct {
+	// defaultTLS specifies the default client certificate validation configuration
+	// for all Listeners handling HTTPS traffic, unless a per-port configuration
+	// is defined.
+	//
+	// support: Core
+	//
+	// +required
+	// <gateway:experimental>
+	defaultTLS FrontendTLSValidation
+
+	// tlsPerPort specifies tls configuration assigned per port.
+	// Per port configuration is optional. Once set this configuration overrides
+	// the default configuration for all Listeners handling HTTPS traffic
+	// that match this port.
+	// Each override port requires a unique TLS configuration.
+	//
+	// support: Core
+	//
+	// +optional
+	// <gateway:experimental>
+	tlsPerPort []TLSConfig
+}
+
 // TLSModeType type defines how a Gateway handles TLS sessions.
 //
 // +kubebuilder:validation:Enum=Terminate;Passthrough
@@ -630,18 +643,17 @@ const (
 	TLSModePassthrough TLSModeType = "Passthrough"
 )
 
-// TLSConfig describes a TLS configuration that can be applied to all Gateway
-// Listeners or to all Listeners matching the Port if set.
+// TLSConfig describes a TLS configuration defined per port.
 type TLSConfig struct {
 	// The Port indicates the Port Number to which the TLS configuration will be
-	// applied. If the field is not set the TLS Configuration will be applied to
-	// all Listeners.
+	// applied. This configuration will be applied to all Listeners handling HTTPS
+	// traffic that match this port.
 	//
 	// Support: Extended
 	//
-	// +optional
+	// +required
 	// <gateway:experimental>
-	Port *PortNumber `json:"port,omitempty"`
+	Port PortNumber `json:"port,omitempty"`
 	//
 	// FrontendValidation holds configuration information for validating the frontend (client).
 	// Setting this field will result in mutual authentication when connecting to the gateway.
@@ -651,9 +663,8 @@ type TLSConfig struct {
 	//
 	// Support: Extended
 	//
-	// +optional
 	// <gateway:experimental>
-	FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"`
+	FrontendValidation FrontendTLSValidation `json:"frontendValidation,omitempty"`
 }
 
 // FrontendTLSValidation holds configuration information that can be used to validate