You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: geps/gep-1897/index.md
+7-1Lines changed: 7 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -214,6 +214,8 @@ configuration. CACertificateRefs is an implementation-specific slice of
214
214
named object references, each containing a single cert. We originally proposed to follow the convention established by the
215
215
[CertificateRefs field on Gateway](https://github.com/kubernetes-sigs/gateway-api/blob/18e79909f7310aafc625ba7c862dfcc67b385250/apis/v1beta1/gateway_types.go#L340)
216
216
, but the CertificateRef requires both a tls.key and tls.crt and a certificate reference only requires the tls.crt.
217
+
If the CertificateRef cannot be resolved or does not include a certificate (tls.crt), the BackendTLSPolicy is considered invalid.
218
+
217
219
WellKnownCACertificates is an optional enum that allows users to specify whether to use the set of CA certificates trusted by the
218
220
Gateway (WellKnownCACertificates specified as "System"), or to use the existing CACertificateRefs (WellKnownCACertificates
219
221
specified as ""). The use and definition of system certificates is implementation-dependent, and the intent is that
@@ -223,7 +225,11 @@ between the gateway and backend pod. References to a resource in a different nam
223
225
If ClientCertificateRefs is unspecified, then WellKnownCACertificates must be set to "System" for a valid configuration.
224
226
If WellKnownCACertificates is unspecified, then CACertificateRefs must be specified with at least one entry for a valid configuration.
225
227
If WellKnownCACertificates is set to "System" and there are no system trusted certificates or the implementation doesn't define system
226
-
trusted certificates, then the associated TLS connection must fail.
228
+
trusted certificates, the BackendTLSPolicy is considered invalid.
229
+
230
+
For an invalid BackendTLSPolicy, implementations MUST NOT fall back to unencrypted (plaintext) connections.
231
+
Instead, the corresponding TLS connection MUST fail, and the client MUST receive an HTTP error response.
232
+
Additionally, the `Accepted` status condition of the BackendTLSPolicy MUST be set to `False` with the reason `Invalid`.
227
233
228
234
The `Hostname` field is required and is to be used to configure the SNI the Gateway should use to connect to the backend.
229
235
Implementations must validate that at least one name in the certificate served by the backend matches this field.
0 commit comments