kubernetes-sigs
diff --git a/‎apis/v1/gateway_types.go
Lines changed: 11 additions & 9 deletions b/‎apis/v1/gateway_types.go
Lines changed: 11 additions & 9 deletions
diff --git a/‎config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
Lines changed: 18 additions & 22 deletions b/‎config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
Lines changed: 18 additions & 22 deletions
diff --git a/‎config/crd/standard/gateway.networking.k8s.io_gateways.yaml
Lines changed: 18 additions & 22 deletions b/‎config/crd/standard/gateway.networking.k8s.io_gateways.yaml
Lines changed: 18 additions & 22 deletions
diff --git a/‎pkg/test/cel/gateway_test.go
Lines changed: 62 additions & 7 deletions b/‎pkg/test/cel/gateway_test.go
Lines changed: 62 additions & 7 deletions
@@ -186,7 +186,6 @@ type GatewaySpec struct {
 	// +listMapKey=name
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=64
-	// +kubebuilder:validation:XValidation:message="tls must be specified for protocols ['HTTPS', 'TLS']",rule="self.all(l, l.protocol in ['HTTPS', 'TLS'] ? has(l.tls) : true)"
 	// +kubebuilder:validation:XValidation:message="tls must not be specified for protocols ['HTTP', 'TCP', 'UDP']",rule="self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? !has(l.tls) : true)"
 	// +kubebuilder:validation:XValidation:message="tls mode must be Terminate for protocol HTTPS",rule="self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? (l.tls.mode == '' || l.tls.mode == 'Terminate') : true)"
 	// +kubebuilder:validation:XValidation:message="hostname must not be specified for protocols ['TCP', 'UDP']",rule="self.all(l, l.protocol in ['TCP', 'UDP']  ? (!has(l.hostname) || l.hostname == '') : true)"
@@ -376,18 +375,19 @@ const (
 
 // GatewayTLSConfig describes a TLS configuration.
 //
-// +kubebuilder:validation:XValidation:message="certificateRefs must be specified when TLSModeType is Terminate",rule="self.mode == 'Terminate' ? size(self.certificateRefs) > 0 : true"
+// +kubebuilder:validation:XValidation:message="certificateRefs or options must be specified when mode is Terminate",rule="self.mode == 'Terminate' ? size(self.certificateRefs) > 0 || size(self.options) > 0 : true"
 type GatewayTLSConfig struct {
 	// Mode defines the TLS behavior for the TLS session initiated by the client.
 	// There are two possible modes:
 	//
-	// - Terminate: The TLS session between the downstream client
-	//   and the Gateway is terminated at the Gateway. This mode requires
-	//   certificateRefs to be set and contain at least one element.
+	// - Terminate: The TLS session between the downstream client and the
+	//   Gateway is terminated at the Gateway. This mode requires certificates
+	//   to be specified in some way, such as populating the certificateRefs
+	//   field.
 	// - Passthrough: The TLS session is NOT terminated by the Gateway. This
 	//   implies that the Gateway can't decipher the TLS stream except for
-	//   the ClientHello message of the TLS protocol.
-	//   CertificateRefs field is ignored in this mode.
+	//   the ClientHello message of the TLS protocol. The certificateRefs field
+	//   is ignored in this mode.
 	//
 	// Support: Core
 	//
@@ -701,8 +701,10 @@ const (
 	// true.
 	GatewayReasonProgrammed GatewayConditionReason = "Programmed"
 
-	// This reason is used with the "Programmed" and "Accepted" conditions when the Gateway is
-	// syntactically or semantically invalid.
+	// This reason is used with the "Programmed" and "Accepted" conditions when
+	// the Gateway is syntactically or semantically invalid. For example, this
+	// could include unspecified TLS configuration, or some unrecognized or
+	// invalid values in the TLS configuration.
 	GatewayReasonInvalid GatewayConditionReason = "Invalid"
 
 	// This reason is used with the "Programmed" condition when the
 
@@ -125,7 +125,6 @@ func TestValidateGateway(t *testing.T) {
 					},
 				}
 			},
-			wantErrors: []string{"tls must be specified for protocols ['HTTPS', 'TLS']"},
 		},
 		{
 			desc: "tls config not set with tls protocol",
@@ -138,7 +137,6 @@ func TestValidateGateway(t *testing.T) {
 					},
 				}
 			},
-			wantErrors: []string{"tls must be specified for protocols ['HTTPS', 'TLS']"},
 		},
 		{
 			desc: "tls config not set with http protocol",
@@ -207,7 +205,7 @@ func TestValidateGateway(t *testing.T) {
 			wantErrors: []string{"hostname must not be specified for protocols ['TCP', 'UDP']"},
 		},
 		{
-			desc: "certificateRefs not set with https protocol and TLS terminate mode",
+			desc: "certificateRefs not set with HTTPS protocol and TLS terminate mode",
 			mutate: func(gw *gatewayv1.Gateway) {
 				tlsMode := gatewayv1.TLSModeType("Terminate")
 				gw.Spec.Listeners = []gatewayv1.Listener{
@@ -221,10 +219,10 @@ func TestValidateGateway(t *testing.T) {
 					},
 				}
 			},
-			wantErrors: []string{"certificateRefs must be specified when TLSModeType is Terminate"},
+			wantErrors: []string{"certificateRefs or options must be specified when mode is Terminate"},
 		},
 		{
-			desc: "certificateRefs not set with tls protocol and TLS terminate mode",
+			desc: "certificateRefs not set with TLS protocol and TLS terminate mode",
 			mutate: func(gw *gatewayv1.Gateway) {
 				tlsMode := gatewayv1.TLSModeType("Terminate")
 				gw.Spec.Listeners = []gatewayv1.Listener{
@@ -238,10 +236,29 @@ func TestValidateGateway(t *testing.T) {
 					},
 				}
 			},
-			wantErrors: []string{"certificateRefs must be specified when TLSModeType is Terminate"},
+			wantErrors: []string{"certificateRefs or options must be specified when mode is Terminate"},
 		},
 		{
-			desc: "certificateRefs set with tls protocol and TLS terminate mode",
+			desc: "certificateRefs set with HTTPS protocol and TLS terminate mode",
+			mutate: func(gw *gatewayv1.Gateway) {
+				tlsMode := gatewayv1.TLSModeType("Terminate")
+				gw.Spec.Listeners = []gatewayv1.Listener{
+					{
+						Name:     gatewayv1.SectionName("https"),
+						Protocol: gatewayv1.HTTPSProtocolType,
+						Port:     gatewayv1.PortNumber(8443),
+						TLS: &gatewayv1.GatewayTLSConfig{
+							Mode: &tlsMode,
+							CertificateRefs: []gatewayv1.SecretObjectReference{
+								{Name: gatewayv1.ObjectName("foo")},
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			desc: "certificateRefs set with TLS protocol and TLS terminate mode",
 			mutate: func(gw *gatewayv1.Gateway) {
 				tlsMode := gatewayv1.TLSModeType("Terminate")
 				gw.Spec.Listeners = []gatewayv1.Listener{
@@ -259,6 +276,44 @@ func TestValidateGateway(t *testing.T) {
 				}
 			},
 		},
+		{
+			desc: "options set with HTTPS protocol and TLS terminate mode",
+			mutate: func(gw *gatewayv1.Gateway) {
+				tlsMode := gatewayv1.TLSModeType("Terminate")
+				gw.Spec.Listeners = []gatewayv1.Listener{
+					{
+						Name:     gatewayv1.SectionName("https"),
+						Protocol: gatewayv1.HTTPSProtocolType,
+						Port:     gatewayv1.PortNumber(8443),
+						TLS: &gatewayv1.GatewayTLSConfig{
+							Mode: &tlsMode,
+							Options: map[gatewayv1.AnnotationKey]gatewayv1.AnnotationValue{
+								"networking.example.com/tls-version": "1.2",
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			desc: "options set with tls protocol and TLS terminate mode",
+			mutate: func(gw *gatewayv1.Gateway) {
+				tlsMode := gatewayv1.TLSModeType("Terminate")
+				gw.Spec.Listeners = []gatewayv1.Listener{
+					{
+						Name:     gatewayv1.SectionName("tls"),
+						Protocol: gatewayv1.TLSProtocolType,
+						Port:     gatewayv1.PortNumber(8443),
+						TLS: &gatewayv1.GatewayTLSConfig{
+							Mode: &tlsMode,
+							Options: map[gatewayv1.AnnotationKey]gatewayv1.AnnotationValue{
+								"networking.example.com/tls-version": "1.2",
+							},
+						},
+					},
+				}
+			},
+		},
 		{
 			desc: "names are not unique within the Gateway",
 			mutate: func(gw *gatewayv1.Gateway) {