
Commit a006786

committed
gateway tls config
1 parent a1d2106 commit a006786


9 files changed

+676
-379
lines changed


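--- a/apis/v1/gateway_types.go
+++ b/apis/v1/gateway_types.go
@@ -295,24 +295,13 @@ type GatewaySpec struct {
 //
 // +optional
 AllowedListeners *AllowedListeners `json:"allowedListeners,omitempty"`
-
-// TLSConfigs stores TLS configurations for a Gateway.
-//
-// - If the `port` field in `TLSConfig` is not set, the TLS configuration applies
-// to all listeners in the gateway. We call this `default` configuration.
-// - If the `port` field in `TLSConfig` is set, the TLS configuration applies
-// only to listeners with a matching port. Each port requires a unique TLS configuration.
-// - Per-port configurations can override the `default` configuration.
-// - The `default` configuration is optional. Clients can apply TLS configuration
-// to a subset of listeners by creating only per-port configurations.
-// Listeners with a port that does not match any TLS configuration will
-// not have `frontendValidation` set.
+// GatewayTLSConfig specifies frontend tls configuration for gateway.
 //
 // Support: Core
-// +optional
 //
+// +optional
 // <gateway:experimental>
-TLSConfigs []TLSConfig `json:"tlsConfigs,omitempty"`
+TLS *GatewayTLSConfig `json:"tls,omitempty"`
 }
 
 // AllowedListeners defines which ListenerSets can be attached to this Gateway.
@@ -612,6 +601,31 @@ type ListenerTLSConfig struct {
 Options map[AnnotationKey]AnnotationValue `json:"options,omitempty"`
 }
 
+// GatewayTLSConfig specifies frontend tls configuration for gateway.
+type GatewayTLSConfig struct {
+// defaultTLS specifies the default client certificate validation configuration
+// for all Listeners handling HTTPS traffic, unless a per-port configuration
+// is defined.
+//
+// support: Core
+//
+// +required
+// <gateway:experimental>
+DefaultTLS FrontendTLSValidation `json:"defaultTLS"`
+
+// tlsPerPort specifies tls configuration assigned per port.
+// Per port configuration is optional. Once set this configuration overrides
+// the default configuration for all Listeners handling HTTPS traffic
+// that match this port.
+// Each override port requires a unique TLS configuration.
+//
+// support: Core
+//
+// +optional
+// <gateway:experimental>
+TLSPerPort []TLSConfig `json:"tlsPerPort,omitempty"`
+}
+
 // TLSModeType type defines how a Gateway handles TLS sessions.
 //
 // +kubebuilder:validation:Enum=Terminate;Passthrough
@@ -630,18 +644,17 @@ const (
 TLSModePassthrough TLSModeType = "Passthrough"
 )
 
-// TLSConfig describes a TLS configuration that can be applied to all Gateway
-// Listeners or to all Listeners matching the Port if set.
+// TLSConfig describes a TLS configuration defined per port.
 type TLSConfig struct {
 // The Port indicates the Port Number to which the TLS configuration will be
-// applied. If the field is not set the TLS Configuration will be applied to
-// all Listeners.
+// applied. This configuration will be applied to all Listeners handling HTTPS
+// traffic that match this port.
 //
 // Support: Extended
 //
-// +optional
+// +required
 // <gateway:experimental>
-Port *PortNumber `json:"port,omitempty"`
+Port PortNumber `json:"port"`
 //
 // FrontendValidation holds configuration information for validating the frontend (client).
 // Setting this field will result in mutual authentication when connecting to the gateway.
@@ -651,9 +664,9 @@ type TLSConfig struct {
 //
 // Support: Extended
 //
-// +optional
+// +required
 // <gateway:experimental>
-FrontendValidation *FrontendTLSValidation `json:"frontendValidation,omitempty"`
+FrontendValidation FrontendTLSValidation `json:"frontendValidation"`
 }
 
 // FrontendTLSValidation holds configuration information that can be used to validate
@@ -685,7 +698,7 @@ type FrontendTLSValidation struct {
 // +listType=atomic
 // +kubebuilder:validation:MaxItems=8
 // +kubebuilder:validation:MinItems=1
-CACertificateRefs []ObjectReference `json:"caCertificateRefs,omitempty"`
+CACertificateRefs []ObjectReference `json:"caCertificateRefs"`
 
 // FrontendValidationMode defines the mode for validating the client certificate.
 // There are two possible modes: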
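Review bot: The new `TLSPerPort []TLSConfig` field in GatewayTLSConfig documents that "Each override port requires a unique TLS configuration", but nothing in the hunk enforces it — the field carries no `+listType`, `+listMapKey` or `MaxItems` marker, unlike `CACertificateRefs` later in the same file, so two entries with the same `port` but different `frontendValidation` would be admitted and it is presumably left to each implementation to decide which one wins. Because `Port` is now a required non-pointer `PortNumber`, it can serve as a list-map key: adding `// +listType=map` and `// +listMapKey=port` above the field, plus a `// +kubebuilder:validation:MaxItems=` bound in line with the other lists, lets the API server reject the duplicate instead of deferring the choice to the controller. The FrontendValidation comment that survives as context in the third hunk ("Setting this field will result in mutual authentication") still reads as if the field were optional; now that it is `+required`, every per-port entry implies mutual TLS and the comment should say so. Separately, the two `// support: Core` lines in GatewayTLSConfig are lowercased where every other field in this file writes `// Support: Core`, and the field comments open with the JSON names `defaultTLS`/`tlsPerPort` rather than the Go names the doc-comment convention expects.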

apis/v1/zz_generated.deepcopy.go

Lines changed: 28 additions & 16 deletions

applyconfiguration/apis/v1/gatewayspec.go

Lines changed: 6 additions & 11 deletions

applyconfiguration/apis/v1/gatewaytlsconfig.go

Lines changed: 11 additions & 39 deletions

applyconfiguration/internal/internal.go

Lines changed: 17 additions & 5 deletions

applyconfiguration/utils.go

Lines changed: 2 additions & 0 deletions
