You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: geps/gep-1897/index.md
+13-2Lines changed: 13 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -214,6 +214,13 @@ configuration. CACertificateRefs is an implementation-specific slice of
214
214
named object references, each containing a single cert. We originally proposed to follow the convention established by the
215
215
[CertificateRefs field on Gateway](https://github.com/kubernetes-sigs/gateway-api/blob/18e79909f7310aafc625ba7c862dfcc67b385250/apis/v1beta1/gateway_types.go#L340)
216
216
, but the CertificateRef requires both a tls.key and tls.crt and a certificate reference only requires the tls.crt.
217
+
If any of the CACertificateRefs cannot be resolved (e.g., the referenced resource does not exist) or is misconfigured (e.g., ConfigMap does not contain a key named `ca.crt`), the `ResolvedRefs` status condition MUST be set to `False` with `Reason: InvalidCACertificateRef`. Connections using that CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error response.
218
+
References to objects with an unsupported Group and Kind are not valid, and MUST be rejected by the implementation with the `ResolvedRefs` status condition set to `False` and `Reason: UnsupportedFeature`.
219
+
Implementations MAY perform further validation of the certificate content (i.e., checking expiry or enforcing specific formats). If they do, they MUST ensure that the `ResolvedRefs` Condition is `False` and use an implementation-specific `Reason`, like `ExpiredCertificate` or similar.
220
+
If `ResolvedRefs` Condition is `False` implementations SHOULD include a message specifying which references are invalid and explaining why.
221
+
222
+
If all CertificateRefs cannot be resolved, the BackendTLSPolicy is considered invalid and the implementation MUST set the `Accepted` Condition to `False`, with a reason of `NoCACertificates` and a message explaining this.
223
+
217
224
WellKnownCACertificates is an optional enum that allows users to specify whether to use the set of CA certificates trusted by the
218
225
Gateway (WellKnownCACertificates specified as "System"), or to use the existing CACertificateRefs (WellKnownCACertificates
219
226
specified as ""). The use and definition of system certificates is implementation-dependent, and the intent is that
@@ -222,8 +229,12 @@ references to Kubernetes objects that contain PEM-encoded TLS certificates, whic
222
229
between the gateway and backend pod. References to a resource in a different namespace are invalid.
223
230
If ClientCertificateRefs is unspecified, then WellKnownCACertificates must be set to "System" for a valid configuration.
224
231
If WellKnownCACertificates is unspecified, then CACertificateRefs must be specified with at least one entry for a valid configuration.
225
-
If WellKnownCACertificates is set to "System" and there are no system trusted certificates or the implementation doesn't define system
226
-
trusted certificates, then the associated TLS connection must fail.
232
+
If an implementation does not support the WellKnownCACertificates, or the provided value is unsupported,the BackendTLSPolicy is considered invalid, and the implementation MUST set the `Accepted` Condition to `False`, with a reason of `UnsupportedFeature` and a message explaining this.
233
+
234
+
For an invalid BackendTLSPolicy, implementations MUST NOT fall back to unencrypted (plaintext) connections.
235
+
Instead, the corresponding TLS connection MUST fail, and the client MUST receive an HTTP 5xx error response.
236
+
237
+
Implementations MUST NOT modify any status other than their own. Ownership of a status is determined by the `controllerName`, which identifies the responsible controller.
227
238
228
239
The `Hostname` field is required and is to be used to configure the SNI the Gateway should use to connect to the backend.
229
240
Implementations must validate that at least one name in the certificate served by the backend matches this field.
0 commit comments