Add new BackendTLSPolicy configuration options to documentation #3563

08volt · 2025-01-22T13:38:36Z

/kind documentation

What this PR does / why we need it:
Updated documentation page regarding BackendTLSPolicy with the following fields:

Gateway backendTLS field
subjectAltNames field
options field

The documentation includes descriptions of each new field along with their purpose, usage constraints and reference links.

Fixes #
Does this PR introduce a user-facing change?:

NONE

k8s-ci-robot · 2025-01-22T13:38:46Z

Welcome @08volt!

It looks like this is your first PR to kubernetes-sigs/gateway-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot · 2025-01-22T13:38:47Z

Hi @08volt. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

robscott

Thanks @08volt! This mostly LGTM. Added some suggestions for version indicators, not quite sure the formatting will be quite right, but should be close.

site-src/api-types/backendtlspolicy.md

k8s-ci-robot · 2025-01-22T18:25:54Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 08volt, robscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~site-src/OWNERS~~ [robscott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

robscott · 2025-01-22T18:25:55Z

/ok-to-test

kflynn

Looks good from here too, with @robscott's changes. 🙂 Thanks!

site-src/api-types/backendtlspolicy.md

k8s-triage-robot · 2025-06-15T16:40:18Z

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

Mark this PR as fresh with /remove-lifecycle stale
Close this PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

shaneutt · 2025-07-03T17:49:16Z

cc @candita

Could you take a look here please and let us know your thoughts?

site-src/api-types/backendtlspolicy.md

candita · 2025-07-21T19:29:49Z

@08volt @shaneutt I have a few suggestions here.

robscott · 2025-07-30T18:24:51Z

/remove-lifecycle stale

robscott · 2025-07-30T18:25:48Z

@08volt I know it's been a while since you created this PR, not sure if you still have time to spend on this. If not, one of us could open a new PR based on your initial commit to help get this across the line, just let us know what you prefer.

- Gateway backendTLS field - subjectAltNames field - options field The documentation includes descriptions of each new field along with their purpose, usage constraints and reference links.

08volt · 2025-08-04T12:42:15Z

Enrico Shane Utt I have a few suggestions here.

Thanks for the very insightful suggestions, I corrected the documentation.

08volt · 2025-08-04T12:43:22Z

Enrico I know it's been a while since you created this PR, not sure if you still have time to spend on this. If not, one of us could open a new PR based on your initial commit to help get this across the line, just let us know what you prefer.

No worries, I addressed the comments, let me know if there is anything else left to do. Thank you

shaneutt · 2025-08-05T17:13:43Z

@candita as a person leading the BackendTLSPolicy push to standard, I would like to get your final review/approval and then I'm happy to review and provide the final LGTM.

youngnick · 2025-08-06T04:19:54Z

site-src/api-types/backendtlspolicy.md

+    These fields were added to Gateway in `v1.1.0`
+The Gateway specification now includes a new backendTLS field that allows configuration of TLS settings when the Gateway connects to backends. This provides a default configuration for all backend Services. It is important to note that if a BackendTLSPolicy is attached to a specific Service, it will override the backendTLS configuration on the Gateway.
+This functionality enables the specification of client certificates that the Gateway should use when establishing TLS connections with backends. 
+The backendTLS configuration consists of a single field:
+
+- [ClientCertificateRef][clientCertificateRef] - References an object containing a Client Certificate and its associated private key


Note that this information is changing in #3960, so this should be updated with that design, and this PR should probably merge after that one does.

candita · 2025-08-08T02:19:58Z

@08volt @shaneutt

Some of this belongs under Gateway and not BackendTLSPolicy. https://github.com/kubernetes-sigs/gateway-api/pull/3563/files#r2219923354

I did not add the new fields to API, so I think it's best for @LiorLieberman to validate these changes to the docs. To me, this feels like it came out of nowhere, as there isn't even an issue linked to #3180.

Most frighteningly, there are NO conformance tests for these additions. I don't think they should be added to an API object on its way to Standard without them. Should I raise an issue?

k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/documentation Categorizes issue or PR as related to documentation. labels Jan 22, 2025

08volt changed the title ~~Add new BackendTLSPolicy configuration options to documentation:~~ Add new BackendTLSPolicy configuration options to documentation Jan 22, 2025

k8s-ci-robot requested review from mlavacca and robscott January 22, 2025 13:38

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jan 22, 2025

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 22, 2025

robscott approved these changes Jan 22, 2025

View reviewed changes

site-src/api-types/backendtlspolicy.md Show resolved Hide resolved

site-src/api-types/backendtlspolicy.md Show resolved Hide resolved

site-src/api-types/backendtlspolicy.md Show resolved Hide resolved

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 22, 2025

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 22, 2025

kflynn reviewed Jan 22, 2025

View reviewed changes

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 12, 2025

sjberman reviewed Feb 20, 2025

View reviewed changes

site-src/api-types/backendtlspolicy.md Outdated Show resolved Hide resolved

sjberman mentioned this pull request Feb 20, 2025

Support Gateway BackendTLS field nginx/nginx-gateway-fabric#3153

Open

08volt force-pushed the doc-combine branch 2 times, most recently from be9a8dc to f1b863d Compare March 17, 2025 15:52

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 17, 2025

shaneutt linked an issue Apr 22, 2025 that may be closed by this pull request

GEP: TLS from Gateway to Backend for ingress (backend TLS termination) #1897

Open

k8s-ci-robot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 15, 2025

shaneutt self-assigned this Jul 3, 2025

shaneutt added this to Release v1.4.0 Jul 3, 2025

shaneutt added this to the v1.4.0 milestone Jul 3, 2025

shaneutt moved this to Review in Release v1.4.0 Jul 3, 2025

shaneutt added the v1.4-release/subtask This indicates a subtask of a feature, bug, or smaller issue for the v1.4 release. label Jul 3, 2025

shaneutt mentioned this pull request Jul 3, 2025

GEP: TLS from Gateway to Backend for ingress (backend TLS termination) #1897

Open

08volt force-pushed the doc-combine branch from f1b863d to 4f9f816 Compare July 10, 2025 08:24

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 10, 2025