kubernetes-sigs
diff --git a/‎apis/v1alpha1/gateway_types.go
+11-1 b/‎apis/v1alpha1/gateway_types.go
+11-1
diff --git a/‎config/crd/bases/networking.x-k8s.io_gateways.yaml
+4-3 b/‎config/crd/bases/networking.x-k8s.io_gateways.yaml
+4-3
diff --git a/‎docs-src/spec.md
+8-4 b/‎docs-src/spec.md
+8-4
diff --git a/‎docs/spec/index.html
+8-4 b/‎docs/spec/index.html
+8-4
@@ -315,16 +315,25 @@ type GatewayTLSConfig struct {
 	//   implies that the Gateway can't decipher the TLS stream except for
 	//   the ClientHello message of the TLS protocol.
 	//   CertificateRef field is ignored in this mode.
+	//
+	// Support: Core
+	//
+	// +kubebuilder:default=Terminate
 	Mode TLSModeType `json:"mode,omitempty"`
 
 	// CertificateRef is the reference to Kubernetes object that
 	// contain a TLS certificate and private key.
 	// This certificate MUST be used for TLS handshakes for the domain
 	// this GatewayTLSConfig is associated with.
+	//
+	// This field is required when mode is set to "Terminate" and optional
+	// otherwise.
+	//
 	// If an entry in this list omits or specifies the empty
 	// string for both the group and the resource, the resource defaults to "secrets".
 	// An implementation may support other resources (for example, resource
 	// "mycertificates" in group "networking.acme.io").
+	//
 	// Support: Core (Kubernetes Secrets)
 	// Support: Implementation-specific (Other resource types)
 	//
@@ -338,6 +347,8 @@ type GatewayTLSConfig struct {
 	// set to 'Allow' as it will be used as the default certificate for the
 	// listener.
 	//
+	// Support: Core
+	//
 	// +kubebuilder:default={certificate:Deny}
 	RouteOverride TLSOverridePolicy `json:"routeOverride,omitempty"`
 
@@ -357,7 +368,6 @@ type GatewayTLSConfig struct {
 
 // TLSModeType type defines behavior of gateway with TLS protocol.
 // +kubebuilder:validation:Enum=Terminate;Passthrough
-// +kubebuilder:default=Terminate
 type TLSModeType string
 
 const (