From 7e6903bf01022f9215bc2b27bf355c9d3e2cfe47 Mon Sep 17 00:00:00 2001
From: Norwin Schnyder
Date: Wed, 10 Sep 2025 08:49:01 +0000
Subject: [PATCH 1/2] gep: provisional GEP for CRL

Signed-off-by: Norwin Schnyder
---
 geps/gep-1897/metadata.yaml |  3 +++
 geps/gep-4080/index.md      | 29 +++++++++++++++++++++++++++++
 geps/gep-4080/metadata.yaml | 37 +++++++++++++++++++++++++++++++++++++
 geps/gep-91/metadata.yaml   |  4 ++++
 4 files changed, 73 insertions(+)
 create mode 100644 geps/gep-4080/index.md
 create mode 100644 geps/gep-4080/metadata.yaml

diff --git a/geps/gep-1897/metadata.yaml b/geps/gep-1897/metadata.yaml
index 716cf3d042..e9c31180cf 100644
--- a/geps/gep-1897/metadata.yaml
+++ b/geps/gep-1897/metadata.yaml
@@ -9,6 +9,9 @@ authors:
   - robscott
   - youngnick
 relationships:
+  extendedBy:
+    - number: 4080
+      name: Certificate Revocation Lists for Certificate Validiation
   obsoletes:
     - number: 1282
       name: Describing Backend Properties
diff --git a/geps/gep-4080/index.md b/geps/gep-4080/index.md
new file mode 100644
index 0000000000..10c8dbb57d
--- /dev/null
+++ b/geps/gep-4080/index.md
@@ -0,0 +1,29 @@
+# GEP-4080: Certificate Revocation Lists for Certificate Validiation
+
+* Issue: [#4080](https://github.com/kubernetes-sigs/gateway-api/issues/4080)
+* Status: Provisional
+
+(See [status definitions](../overview.md#gep-states).)
+
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
+"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
+document are to be interpreted as described in BCP 14 ([RFC8174]) when, and
+only when, they appear in all capitals, as shown here.
+
+[RFC8174]: https://www.rfc-editor.org/rfc/rfc8174
+
+## What
+Extend the TLS certificate validation mechanisms defined in [GEP-91](../gep-91/index.md) (Frontend TLS Validation) and [GEP-1897](../gep-1897/index.md) (Backend TLS Validation) by introducing support for Certificate Revocation Lists (CRLs).
+
+With this enhancement, operators and application developpers can configure CRLs that Gateways use during TLS authentication, both when verifying clients connecting to the Gateway and when verifying backends that the Gateway connects to. In both cases, the Gateway will check the presented certificate against the configured CRLs to ensure it has not been revoked by the issuing Certificate Authority (CA).
+
+## Why
+While [GEP-91](../gep-91/index.md) and [GEP-1897](../gep-1897/index.md) define how certificates are validated against trusted CAs, neither addresses the issue of revocation. In practice, certificates may need to be revoked long before expiration (e.g., if private keys are compromised, a device is decommissioned, or access rights are withdrawn). Without revocation checks, Gateways may continue to trust certificates that should no longer be valid, exposing clusters to unauthorized access.
+
+This limitation is critical in two directions:
+* On the client side, a revoked certificate could still authenticate and gain access if CRLs are not enforced.
+* On the backend side, the Gateway could continue to route requests to services or workloads using revoked credentials, undermining the security of service-to-service communication.
+
+## Who: Beneficiaries
+* **Application Developers**: Gain stronger guarantees that their applications are protected from unauthorized clients and backends using revoked certificates.
+* **Platform Operators/Administrators**: Without CRL support, the only way to remain secure in the face of a compromised certificate is to rotate the entire CA and reissue all certificates, which is an expensive, disruptive, and often impractical operation. CRL support eliminates this burden by allowing platform operators to revoke only the compromised certificates while leaving the rest of the trust hierarchy intact.
diff --git a/geps/gep-4080/metadata.yaml b/geps/gep-4080/metadata.yaml
new file mode 100644
index 0000000000..533f594f55
--- /dev/null
+++ b/geps/gep-4080/metadata.yaml
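Review bot: The What section's sentence `In both cases, the Gateway will check the presented certificate against the configured CRLs to ensure it has not been revoked` leaves undefined what the Gateway does when a configured CRL is missing, unparseable, past its nextUpdate, or covers none of the issuers in the presented chain, and that decision is what determines whether the threat in the Why section is actually closed. A stale or absent CRL silently degrades to exactly the "no revocation check" state the GEP argues against, so the proposal should state the default up front, for example `Implementations MUST reject a certificate whose revocation status cannot be determined from the configured CRLs (fail-closed) unless the operator explicitly opts into a soft-fail mode.` It should also say that the check applies to every CA in the chain, not only the leaf's issuer, since revoking an intermediate is a common response to the key-compromise case listed in the Why section. The index.md hunk ends here; the API shape is presumably left to a later revision of this provisional GEP.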
@@ -0,0 +1,37 @@
+apiVersion: internal.gateway.networking.k8s.io/v1alpha1
+kind: GEPDetails
+number: 4080
+name: Certificate Revocation Lists for Certificate Validiation
+status: Provisional
+# Any authors who contribute to the GEP in any way should be listed here using
+# their GitHub handle.
+authors:
+  - snorwin
+relationships:
+  # obsoletes indicates that a GEP makes the linked GEP obsolete, and completely
+  # replaces that GEP. The obsoleted GEP MUST have its obsoletedBy field
+  # set back to this GEP, and MUST be moved to Declined.
+  obsoletes: {}
+  obsoletedBy: {}
+  # extends indicates that a GEP extends the linked GEP, adding more detail
+  # or additional implementation. The extended GEP MUST have its extendedBy
+  # field set back to this GEP.
+  extends:
+    - number: 91
+      name: Client Certificate Validation for TLS terminating at the Gateway Listener
+    - number: 1897
+      name: TLS from Gateway to Backend for ingress (backend TLS termination)
+  extendedBy: {}
+  # seeAlso indicates other GEPs that are relevant in some way without being
+  # covered by an existing relationship.
+  seeAlso: {}
+# references is a list of hyperlinks to relevant external references.
+# It's intended to be used for storing GitHub discussions, Google docs, etc.
+references: {}
+# featureNames is a list of the feature names introduced by the GEP, if there
+# are any. This will allow us to track which feature was introduced by which GEP.
+# This is the value added to supportedFeatures and the conformance tests, in string form.
+featureNames: {}
+# changelog is a list of hyperlinks to PRs that make changes to the GEP, in
+# ascending date order.
+changelog: {}
diff --git a/geps/gep-91/metadata.yaml b/geps/gep-91/metadata.yaml
index 409fd393e1..7b4f393f8e 100644
--- a/geps/gep-91/metadata.yaml
+++ b/geps/gep-91/metadata.yaml
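Review bot: The `name` field on line 4 of this hunk still reads `Certificate Revocation Lists for Certificate Validiation`, and PATCH 2/2 corrects the spelling only in the index.md heading, which leaves this file and the `extendedBy` entries added to the gep-91 and gep-1897 metadata out of sync with the GEP title. If the GEP tooling cross-checks relationship names against the target GEP's `name`, the mismatch will surface there; either way `name: Certificate Revocation Lists for Certificate Validation` should be applied in all three metadata files in the same change so they cannot drift independently.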
@@ -5,3 +5,7 @@ name: Client Certificate Validation for TLS terminating at the Gateway Listener
 status: Provisional
 authors:
   - arkodg
+relationships:
+  extendedBy:
+    - number: 4080
+      name: Certificate Revocation Lists for Certificate Validiation

From d46ed0be923c7a9f6e0093730dd00cc271d3395e Mon Sep 17 00:00:00 2001
From: Norwin Schnyder
Date: Wed, 10 Sep 2025 13:37:11 +0000
Subject: [PATCH 2/2] apply PR suggestions

Signed-off-by: Norwin Schnyder
---
 geps/gep-4080/index.md      |  4 ++--
 geps/gep-4080/metadata.yaml | 14 +++++++-------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/geps/gep-4080/index.md b/geps/gep-4080/index.md
index 10c8dbb57d..ce2e416d19 100644
--- a/geps/gep-4080/index.md
+++ b/geps/gep-4080/index.md
@@ -1,4 +1,4 @@
-# GEP-4080: Certificate Revocation Lists for Certificate Validiation
+# GEP-4080: Certificate Revocation Lists for Certificate Validation
 
 * Issue: [#4080](https://github.com/kubernetes-sigs/gateway-api/issues/4080)
 * Status: Provisional
@@ -15,7 +15,7 @@ only when, they appear in all capitals, as shown here.
 ## What
 Extend the TLS certificate validation mechanisms defined in [GEP-91](../gep-91/index.md) (Frontend TLS Validation) and [GEP-1897](../gep-1897/index.md) (Backend TLS Validation) by introducing support for Certificate Revocation Lists (CRLs).
 
-With this enhancement, operators and application developpers can configure CRLs that Gateways use during TLS authentication, both when verifying clients connecting to the Gateway and when verifying backends that the Gateway connects to. In both cases, the Gateway will check the presented certificate against the configured CRLs to ensure it has not been revoked by the issuing Certificate Authority (CA).
+With this enhancement, operators and application developers can configure CRLs that Gateways use during TLS authentication, both when verifying clients connecting to the Gateway and when verifying backends that the Gateway connects to. In both cases, the Gateway will check the presented certificate against the configured CRLs to ensure it has not been revoked by the issuing Certificate Authority (CA).
 
 ## Why
 While [GEP-91](../gep-91/index.md) and [GEP-1897](../gep-1897/index.md) define how certificates are validated against trusted CAs, neither addresses the issue of revocation. In practice, certificates may need to be revoked long before expiration (e.g., if private keys are compromised, a device is decommissioned, or access rights are withdrawn). Without revocation checks, Gateways may continue to trust certificates that should no longer be valid, exposing clusters to unauthorized access.
diff --git a/geps/gep-4080/metadata.yaml b/geps/gep-4080/metadata.yaml
index 533f594f55..965241c374 100644
--- a/geps/gep-4080/metadata.yaml
+++ b/geps/gep-4080/metadata.yaml
@@ -11,8 +11,8 @@ relationships:
   # obsoletes indicates that a GEP makes the linked GEP obsolete, and completely
   # replaces that GEP. The obsoleted GEP MUST have its obsoletedBy field
   # set back to this GEP, and MUST be moved to Declined.
-  obsoletes: {}
-  obsoletedBy: {}
+  obsoletes: []
+  obsoletedBy: []
   # extends indicates that a GEP extends the linked GEP, adding more detail
   # or additional implementation. The extended GEP MUST have its extendedBy
   # field set back to this GEP.
@@ -21,17 +21,17 @@ relationships:
       name: Client Certificate Validation for TLS terminating at the Gateway Listener
     - number: 1897
       name: TLS from Gateway to Backend for ingress (backend TLS termination)
-  extendedBy: {}
+  extendedBy: []
   # seeAlso indicates other GEPs that are relevant in some way without being
   # covered by an existing relationship.
-  seeAlso: {}
+  seeAlso: []
 # references is a list of hyperlinks to relevant external references.
 # It's intended to be used for storing GitHub discussions, Google docs, etc.
-references: {}
+references: []
 # featureNames is a list of the feature names introduced by the GEP, if there
 # are any. This will allow us to track which feature was introduced by which GEP.
 # This is the value added to supportedFeatures and the conformance tests, in string form.
-featureNames: {}
+featureNames: []
 # changelog is a list of hyperlinks to PRs that make changes to the GEP, in
 # ascending date order.
-changelog: {}
+changelog: []