Fixes TLS Mode Defaulting

[danehans]

What type of PR is this?
/kind bug

What this PR does / why we need it:
Properly sets the "Terminate" default for gateway.spec.tls.mode.

Which issue(s) this PR fixes:
Fixes #517

Does this PR introduce a user-facing change?:
Yes, sets the default TLS mode to "Terminate".

[robscott]

Thanks! This LGTM other than all the boilerplate year changes. That should be resolved once #519 is in.

[hbagdi]

LGTM. This will need a rebase once #519 is merged.

[hbagdi]

/hold

Just to make sure this doesn't get merged before #519.

[hbagdi]

@danehans Can you rebase to resolve the conflicts?
/hold cancel

[robscott]

@danehans Thanks for making this PR! After a rebase this LGTM. One small nit - I think this is a user-facing change since we're adding a default value.

[danehans]

@robscott I updated the PR description to include user-facing changes.

[hbagdi]

I was about lgtm this when I recalled why this was not the case earlier:
We wanted the user to explicitly set the condition to Terminate and make them supply the Certificate in that case.
In this case, if this default kicks in, and a CertificateRef is absent, then how do we handle this case?
We could add validation in the webhook for this case.

Do we still want this to default though?

[robscott]

That's a very good point - thanks for catching this! I think that approach makes sense, maybe instead of setting a default here we should clarify that both a CertificateRef and mode must be set as part of TLS config?

[danehans]

@hbagdi @robscott if ^ is the case, why not default Mode to "Passthrough" so CertificateRef can continue to be optional?

[hbagdi]

Because Passthrough is the rare case. It only makes sense with TCPRoute and TLSRoute (sni sniffing).

[danehans]

If Mode is optional, then a user can supply a CertificateRef without setting Mode, resulting in an unusable TLS config. IMO, if "Terminate" is the common use-case, then it should be the default and the CertificateRef details documented (accomplished by this PR). @hbagdi @robscott @bowei thoughts?

[hbagdi]

The default of Terminate makes sense here. What should be the error condition that should be set when CertificateRef is not supplied?

[robscott]

Just to make sure I'm understanding this correctly, this default will not come into play unless someone specifies TLS config. It will essentially allow a shortcut where most users would only need to specify CertificateRef here. Does that sound right? If so, I think this is a very reasonable default.

@hbagdi That's a great question. I think our existing InvalidCertificateRef condition would mostly apply here, even if the initial intent was slightly different.

[hbagdi]

Just to make sure I'm understanding this correctly, this default will not come into play unless someone specifies TLS config. It will essentially allow a shortcut where most users would only need to specify CertificateRef here. Does that sound right?

That's correct. I pulled the patch down and tested it myself.
We actually missed specifying mode even in our example: https://github.com/kubernetes-sigs/service-apis/blob/27c4d2dcd3c70a65a1d512fc7a21d2ca4403d218/examples/tls-basic.yaml#L23-L29

@hbagdi That's a great question. I think our existing InvalidCertificateRef condition would mostly apply here, even if the initial intent was slightly different.

Sounds fair. If the overhead is not too much, I'd advocate for a new AbsentCertificateRef or a generic AbsentRef condition.

[hbagdi]

LGTM.
Leaving final approval to Rob.

[bowei]

/approve

[bowei]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, danehans, hbagdi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bowei,danehans,hbagdi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment