nginx · salonichf5 · Sep 10, 2025 · Sep 12, 2025 · Sep 16, 2025 · Sep 18, 2025
@@ -139,9 +139,10 @@ func StartManager(cfg config.Config) error {
 			GenericValidator:    genericValidator,
 			PolicyValidator:     policyManager,
 		},
-		EventRecorder:  recorder,
-		MustExtractGVK: mustExtractGVK,
-		PlusSecrets:    plusSecrets,
+		EventRecorder:        recorder,
+		MustExtractGVK:       mustExtractGVK,
+		PlusSecrets:          plusSecrets,
+		ExperimentalFeatures: cfg.ExperimentalFeatures,
 	})
 
 	var handlerCollector handlerMetricsCollector = collectors.NewControllerNoopCollector()

@@ -12,6 +12,7 @@ var baseHTTPTemplate = gotemplate.Must(gotemplate.New("baseHttp").Parse(baseHTTP
 
 type httpConfig struct {
 	DNSResolver             *dataplane.DNSResolverConfig
+	GatewaySecretID         dataplane.SSLKeyPairID
 	Includes                []shared.Include
 	NginxReadinessProbePort int32
 	IPFamily                shared.IPFamily
@@ -27,6 +28,7 @@ func executeBaseHTTPConfig(conf dataplane.Configuration) []executeResult {
 		NginxReadinessProbePort: conf.BaseHTTPConfig.NginxReadinessProbePort,
 		IPFamily:                getIPFamily(conf.BaseHTTPConfig),
 		DNSResolver:             conf.BaseHTTPConfig.DNSResolver,
+		GatewaySecretID:         conf.BaseHTTPConfig.GatewaySecretID,
 	}
 
 	results := make([]executeResult, 0, len(includes)+1)

@@ -48,6 +48,12 @@ server {
     }
 }
 
+{{- if $.GatewaySecretID }}
+# Gateway Certificate
+proxy_ssl_certificate /etc/nginx/secrets/{{ $.GatewaySecretID }}.pem;
+proxy_ssl_certificate_key /etc/nginx/secrets/{{ $.GatewaySecretID }}.pem;
+{{- end }}
+
 {{ range $i := .Includes -}}
 include {{ $i.Name }};
 {{ end -}}

@@ -284,3 +284,49 @@ func TestExecuteBaseHttp_DNSResolver(t *testing.T) {
 		})
 	}
 }
+
+func TestExecuteBaseHttp_GatewaySecretID(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name           string
+		expectedConfig string
+		conf           dataplane.Configuration
+	}{
+		{
+			name: "with GatewaySecretID",
+			conf: dataplane.Configuration{
+				BaseHTTPConfig: dataplane.BaseHTTPConfig{
+					GatewaySecretID: "client-secret",
+				},
+			},
+			expectedConfig: "proxy_ssl_certificate /etc/nginx/secrets/client-secret.pem;" +
+				"\nproxy_ssl_certificate_key /etc/nginx/secrets/client-secret.pem;",
+		},
+		{
+			name: "without GatewaySecretID",
+			conf: dataplane.Configuration{
+				BaseHTTPConfig: dataplane.BaseHTTPConfig{
+					GatewaySecretID: "",
+				},
+			},
+			expectedConfig: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+
+			res := executeBaseHTTPConfig(test.conf)
+			g.Expect(res).To(HaveLen(1))
+
+			httpConfig := string(res[0].data)
+
+			if test.expectedConfig != "" {
+				g.Expect(httpConfig).To(ContainSubstring(test.expectedConfig))
+			}
+		})
+	}
+}
@@ -63,6 +63,8 @@ type ChangeProcessorConfig struct {
 	GatewayCtlrName string
 	// GatewayClassName is the name of the GatewayClass resource.
 	GatewayClassName string
+	// ExperimentalFeatures indicates whether experimental features are enabled.
+	ExperimentalFeatures bool
 }
 
 // ChangeProcessorImpl is an implementation of ChangeProcessor.
@@ -269,6 +271,7 @@ func (c *ChangeProcessorImpl) Process() *graph.Graph {
 		c.cfg.PlusSecrets,
 		c.cfg.Validators,
 		c.cfg.Logger,
+		c.cfg.ExperimentalFeatures,
 	)
 
 	return c.latestGraph

@@ -135,6 +135,14 @@ const (
 	// parametersRef resource is invalid.
 	GatewayReasonParamsRefInvalid v1.GatewayConditionReason = "ParametersRefInvalid"
 
+	// GatewayReasonSecretRefInvalid is used with the "GatewayResolvedRefs" condition when the
+	// secretRef resource is invalid.
+	GatewayReasonSecretRefInvalid v1.GatewayConditionReason = "SecretRefInvalid"
+
+	// GatewayReasonSecretRefNotPermitted is used with the "GatewayResolvedRefs" condition when the
+	// secretRef resource is not permitted by any ReferenceGrant.
+	GatewayReasonSecretRefNotPermitted v1.GatewayConditionReason = "SecretRefNotPermitted"
+
 	// PolicyReasonAncestorLimitReached is used with the "PolicyAccepted" condition when a policy
 	// cannot be applied because the ancestor status list has reached the maximum size of 16.
 	PolicyReasonAncestorLimitReached v1alpha2.PolicyConditionReason = "AncestorLimitReached"
@@ -293,6 +301,27 @@ func NewGatewayClassUnsupportedVersion(recommendedVersion string) []Condition {
 	}
 }
 
+// NewGatewaySecretRefNotPermitted returns Condition that indicates that the Gateway references a TLS secret that is not
+// permitted by any ReferenceGrant.
+func NewGatewaySecretRefNotPermitted(msg string) Condition {
+	return Condition{
+		Type:    string(GatewayReasonResolvedRefs),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(GatewayReasonSecretRefNotPermitted),
+		Message: msg,
+	}
+}
+
+// NewGatewaySecretRefInvalid returns Condition that indicates that the Gateway references a TLS secret that is invalid.
+func NewGatewaySecretRefInvalid(msg string) Condition {
+	return Condition{
+		Type:    string(GatewayReasonResolvedRefs),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(GatewayReasonSecretRefInvalid),
+		Message: msg,
+	}
+}
+
 // NewGatewayClassConflict returns a Condition that indicates that the GatewayClass is not accepted
 // due to a conflict with another GatewayClass.
 func NewGatewayClassConflict() Condition {
@@ -825,6 +854,25 @@ func NewGatewayInvalid(msg string) []Condition {
 	}
 }
 
+// NewGatewayUnsupportedValue returns Conditions that indicate that a field of the Gateway has an unsupported value.
+// Unsupported means that the value is not supported by the implementation or invalid.
+func NewGatewayUnsupportedValue(msg string) []Condition {
+	return []Condition{
+		{
+			Type:    string(v1.GatewayConditionAccepted),
+			Status:  metav1.ConditionFalse,
+			Reason:  string(GatewayReasonUnsupportedValue),
+			Message: msg,
+		},
+		{
+			Type:    string(v1.GatewayConditionProgrammed),
+			Status:  metav1.ConditionFalse,
+			Reason:  string(GatewayReasonUnsupportedValue),
+			Message: msg,
+		},
+	}
+}
+
 // NewGatewayUnsupportedAddress returns a Condition that indicates the Gateway is not accepted because it
 // contains an address type that is not supported.
 func NewGatewayUnsupportedAddress(msg string) Condition {

@@ -81,9 +81,10 @@ func BuildConfiguration(
 			gateway,
 			serviceResolver,
 			g.ReferencedServices,
-			baseHTTPConfig.IPFamily),
+			baseHTTPConfig.IPFamily,
+		),
 		BackendGroups: backendGroups,
-		SSLKeyPairs:   buildSSLKeyPairs(g.ReferencedSecrets, gateway.Listeners),
+		SSLKeyPairs:   buildSSLKeyPairs(g.ReferencedSecrets, gateway),
 		CertBundles: buildCertBundles(
 			buildRefCertificateBundles(g.ReferencedSecrets, g.ReferencedCaCertConfigMaps),
 			backendGroups,
@@ -248,14 +249,14 @@ func buildStreamUpstreams(
 }
 
 // buildSSLKeyPairs builds the SSLKeyPairs from the Secrets. It will only include Secrets that are referenced by
-// valid listeners, so that we don't include unused Secrets in the configuration of the data plane.
+// valid gateway and its listeners, so that we don't include unused Secrets in the configuration of the data plane.
 func buildSSLKeyPairs(
 	secrets map[types.NamespacedName]*graph.Secret,
-	listeners []*graph.Listener,
+	gateway *graph.Gateway,
 ) map[SSLKeyPairID]SSLKeyPair {
 	keyPairs := make(map[SSLKeyPairID]SSLKeyPair)
 
-	for _, l := range listeners {
+	for _, l := range gateway.Listeners {
 		if l.Valid && l.ResolvedSecret != nil {
 			id := generateSSLKeyPairID(*l.ResolvedSecret)
 			secret := secrets[*l.ResolvedSecret]
@@ -268,6 +269,15 @@ func buildSSLKeyPairs(
 		}
 	}
 
+	if gateway.Valid && gateway.SecretRef != nil {
+		id := generateSSLKeyPairID(*gateway.SecretRef)
+		secret := secrets[*gateway.SecretRef]
+		keyPairs[id] = SSLKeyPair{
+			Cert: secret.CertBundle.Cert.TLSCert,
+			Key:  secret.CertBundle.Cert.TLSPrivateKey,
+		}
+	}
+
 	return keyPairs
 }
 
@@ -1019,6 +1029,10 @@ func buildBaseHTTPConfig(
 		NginxReadinessProbePort: DefaultNginxReadinessProbePort,
 	}
 
+	if gateway.Valid && gateway.SecretRef != nil {
+		baseConfig.GatewaySecretID = generateSSLKeyPairID(*gateway.SecretRef)
+	}
+
 	// safe to access EffectiveNginxProxy since we only call this function when the Gateway is not nil.
 	np := gateway.EffectiveNginxProxy
 	if np == nil {
@@ -1042,8 +1056,20 @@ func buildBaseHTTPConfig(
 		}
 	}
 
+	if port := getNginxReadinessProbePort(np); port != 0 {
+		baseConfig.NginxReadinessProbePort = port
+	}
+
 	baseConfig.RewriteClientIPSettings = buildRewriteClientIPConfig(np.RewriteClientIP)
 
+	baseConfig.DNSResolver = buildDNSResolverConfig(np.DNSResolver)
+
+	return baseConfig
+}
+
+func getNginxReadinessProbePort(np *graph.EffectiveNginxProxy) int32 {
+	var port int32
+
 	if np.Kubernetes != nil {
 		var containerSpec *ngfAPIv1alpha2.ContainerSpec
 		if np.Kubernetes.Deployment != nil {
@@ -1052,13 +1078,10 @@ func buildBaseHTTPConfig(
 			containerSpec = &np.Kubernetes.DaemonSet.Container
 		}
 		if containerSpec != nil && containerSpec.ReadinessProbe != nil && containerSpec.ReadinessProbe.Port != nil {
-			baseConfig.NginxReadinessProbePort = *containerSpec.ReadinessProbe.Port
+			port = *containerSpec.ReadinessProbe.Port
 		}
 	}
-
-	baseConfig.DNSResolver = buildDNSResolverConfig(np.DNSResolver)
-
-	return baseConfig
+	return port
 }
 
 // buildBaseStreamConfig generates the base stream context config that should be applied to all stream servers.