
Allow using Secrets Store CSI Driver - Sync as Kubernetes Secret feature for gateway tls certificateRefs #4150

@hdeimos


Currently, when we define TLS termination for a gateway, the TLS certificate is expected to exist as kind Secret.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-istio-ingress
  namespace: istio-ingress
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            shared-gateway-access: "true"
    hostname: '*.hp742-dev.corp.xxxx.aws'
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: gateway-tls-secret
      mode: Terminate
```

What needs to be added

We need an option to use this secret via the Secrets Store CSI Driver - Sync as Kubernetes Secret feature.

Currently, defining the CSI SecretProviderClass under certificateRefs does not work.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: k8s-gateway
  namespace: istio-ingress
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            shared-gateway-access: "true"
    hostname: '*.hp742-dev.corp.xxxx.aws'
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: SecretProviderClass
        name: kubesecretproviderclass
      mode: Terminate
```

Error:

```text
      Message:               Bad TLS configuration
      Observed Generation:   1
      Reason:                Invalid
      Status:                False
      Type:                  Programmed
      Last Transition Time:  2025-10-07T06:36:32Z
      Message:               invalid certificate reference /SecretProviderClass/kubesecretproviderclass., only secret is allowed
      Observed Generation:   1
      Reason:                InvalidCertificateRef
      Status:                False
      Type:                  ResolvedRefs
    Name:                    https
```

Why is this needed?

Allow usage of secrets, keys, and certs stored in enterprise-grade external secrets stores.
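As an added example (not from the issue author or the Istio project), this is how the existing Sync as Kubernetes Secret feature can feed the Gateway today: a SecretProviderClass whose `secretObjects` materialises a `kubernetes.io/tls` Secret named `gateway-tls-secret`, plus a pod that mounts the CSI volume, because the driver only creates and maintains the synced Secret while some pod in the namespace mounts it. The `aws` provider, its `objects` parameters and the ARNs are assumptions and placeholders; other providers take different `parameters`.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kubesecretproviderclass
  namespace: istio-ingress
spec:
  provider: aws   # assumption: AWS provider; parameters differ per provider
  parameters:
    objects: |
      - objectName: "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-cert"
        objectType: "secretsmanager"
        objectAlias: "tls.crt"
      - objectName: "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-key"
        objectType: "secretsmanager"
        objectAlias: "tls.key"
  # Sync as Kubernetes Secret: the driver writes the mounted files into
  # gateway-tls-secret, so certificateRefs can keep kind: Secret as in the
  # first Gateway manifest above. Note that the synced Secret is a regular
  # Secret stored in etcd, so it needs the same RBAC and encryption-at-rest
  # hygiene as any other TLS Secret.
  secretObjects:
  - secretName: gateway-tls-secret
    type: kubernetes.io/tls
    data:
    - objectName: tls.crt
      key: tls.crt
    - objectName: tls.key
      key: tls.key
---
# The sync only happens while a pod in the namespace mounts the CSI volume;
# a minimal sleeper pod is enough when the gateway pods cannot mount it.
apiVersion: v1
kind: Pod
metadata:
  name: gateway-tls-sync
  namespace: istio-ingress
spec:
  containers:
  - name: sleeper
    image: registry.k8s.io/pause:3.9
    volumeMounts:
    - name: secrets-store
      mountPath: /mnt/secrets-store
      readOnly: true
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: kubesecretproviderclass
```

With the AWS provider the pod's service account must also be allowed to read the referenced secrets (for example via IRSA), and the Secret disappears once no pod mounts the volume. Certificate rotation in the synced Secret additionally depends on the driver's secret rotation being enabled.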
