validation mode

Author: kl52752

apis/v1/gateway_types.go

@@ -717,10 +717,14 @@ type FrontendValidationModeType string
 const (
 	// AllowValidOnly indicates that a client certificate is required
 	// during the TLS handshake and MUST pass validation.
+	//
+	// Support: Core
 	AllowValidOnly FrontendValidationModeType = "AllowValidOnly"
 
 	// AllowInsecureFallback indicates that a client certificate may not be
 	// presented during the handshake or the validation against CA certificates may fail.
+	//
+	// Support: Extended
 	AllowInsecureFallback FrontendValidationModeType = "AllowInsecureFallback"
 )
 
@@ -1061,6 +1065,13 @@ const (
 	// information on which address is causing the problem and how to resolve it
 	// in the condition message.
 	GatewayReasonAddressNotUsable GatewayConditionReason = "AddressNotUsable"
+	// This condition indicates `FrontendValidationModeType` changed from
+	// `AllowValidOnly` to `AllowInsecureFallback`.
+	GatewayConditionInsecureFrontendValidationMode GatewayConditionReason = "InsecureFrontendValidationMode"
+	// This reason MUST be set for GatewayConditionInsecureFrontendValidationMode
+	// when client change FrontendValidationModeType for a Gateway or per port override
+	// to `AllowInsecureFallback`.
+	GatewayReasonConfigurationChanged GatewayConditionReason = "ConfigurationChanged"
 )
 
 const (

geps/gep-91/index.md

@@ -32,8 +32,13 @@ This proposal adds the ability to validate the TLS certificate presented by the
 These two validation mechanisms operate independently and can be used simultaneously.
 * Introduce a `caCertificateRefs` field within `FrontendTLSValidation` that can be used to specify a list of CA Certificates that can be used as a trust anchor to validate the certificates presented by the client.
 * Add a new `FrontendValidationModeType` enum within `FrontendTLSValidation` indicating how gateway should validate client certificates. As for now we support following values but it might change in the future:
-  1) `AllowValidOnly`
-  2) `AllowInsecureFallback`
+  1) `AllowValidOnly` (Core Support)
+  2) `AllowInsecureFallback` (Extended Support)
+
+    AllowInsecureFallback mode indicates the gateway will accept connections even if the client certificate is not presented or fails verification.
+	This approach delegates client authorization to the backend and introduce a significant security risk. It should be used in testing environments or
+	on a temporary basis in non-testing environments.
+    When `FrontendValidationModeType` is changed from `AllowValidOnly` to `AllowInsecureFallback` the `InsecureFrontendValidationMode` condition MUST be set to True with Reason `ConfigurationChanged` on gateway.
 * Introduce a `ObjectReference` structure that can be used to specify `caCertificateRefs` references.
 * Introduce a `tls` field within the Gateway Spec to allow for a common TLS configuration to apply across all listeners.