From 04cb9e3f1816a719e862736ae9edca256a5789e5 Mon Sep 17 00:00:00 2001
From: Norwin Schnyder
Date: Thu, 25 Sep 2025 09:00:27 +0000
Subject: [PATCH 1/2] gep: refine ClientCertificateRef description for backend TLS

Signed-off-by: Norwin Schnyder
---
 geps/gep-3155/index.md | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/geps/gep-3155/index.md b/geps/gep-3155/index.md
index 0ced93ae9b..0c40738483 100644
--- a/geps/gep-3155/index.md
+++ b/geps/gep-3155/index.md
@@ -63,19 +63,34 @@ type GatewayTLSConfig struct {
 ...
 }
 type GatewayBackendTLS struct {
- // ClientCertificateRef is a reference to an object that contains a Client
- // Certificate and the associated private key.
+ // ClientCertificateRef references an object that contains a client certificate
+ // and its associated private key. It can reference standard Kubernetes resources,
+ // i.e., Secret, or implementation-specific custom resources.
 //
- // References to a resource in different namespace are invalid UNLESS there
- // is a ReferenceGrant in the target namespace that allows the certificate
- // to be attached. If a ReferenceGrant does not allow this reference, the
- // "ResolvedRefs" condition MUST be set to False for this listener with the
- // "RefNotPermitted" reason.
+ // This setting can be overridden on the service level by use of BackendTLSPolicy.
 //
- // ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- // Secret, or implementation-specific custom resources.
+ // A ClientCertificateRef is considered invalid if:
 //
- // This setting can be overridden on the service level by use of BackendTLSPolicy.
+ // * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ // does not exist) or is misconfigured (e.g., a Secret does not contain the keys
+ // named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
+ // on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
+ // and the Message of the Condition MUST indicate why the reference is invalid.
+ //
+ // * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
+ // in the target namespace that allows the certificate to be attached.
+ // If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
+ // on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
+ //
+ // Implementations MAY choose to perform further validation of the certificate
+ // content (e.g., checking expiry or enforcing specific formats). In such cases,
+ // an implementation-specific Reason and Message MUST be set.
+ //
+ // Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
+ // Support: Implementation-specific - Other resource kinds or Secrets with a
+ // different type (e.g., `Opaque`).
+ // +optional
+ //
 ClientCertificateRef SecretObjectReference `json:"clientCertificateRef,omitempty"`
 }
 ```

From c0be05178fc547f42f341ae270ae57761a2ff508 Mon Sep 17 00:00:00 2001
From: Norwin Schnyder
Date: Fri, 26 Sep 2025 11:46:07 +0000
Subject: [PATCH 2/2] remove outdated BackendTLSPolicy override note

Signed-off-by: Norwin Schnyder
---
 geps/gep-3155/index.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/geps/gep-3155/index.md b/geps/gep-3155/index.md
index 0c40738483..67b0760977 100644
--- a/geps/gep-3155/index.md
+++ b/geps/gep-3155/index.md
@@ -67,8 +67,6 @@ type GatewayBackendTLS struct {
 // and its associated private key. It can reference standard Kubernetes resources,
 // i.e., Secret, or implementation-specific custom resources.
 //
- // This setting can be overridden on the service level by use of BackendTLSPolicy.
- //
 // A ClientCertificateRef is considered invalid if:
 //
 // * It refers to a resource that cannot be resolved (e.g., the referenced resource