From d06d3703b02707d1a2b98ed958c5872c59c0574e Mon Sep 17 00:00:00 2001
From: Daneyon Hansen
Date: Wed, 13 Jan 2021 08:55:50 -0800
Subject: [PATCH] Fixes TLS Mode Defaulting

---
 apis/v1alpha1/gateway_types.go | 28 +++++++++++++------
 .../bases/networking.x-k8s.io_gateways.yaml | 7 +++--
 docs-src/spec.md | 24 +++++++++-------
 docs/spec/index.html | 24 +++++++++-------
 4 files changed, 51 insertions(+), 32 deletions(-)

diff --git a/apis/v1alpha1/gateway_types.go b/apis/v1alpha1/gateway_types.go
index 7a9dcba888..d27ef1c515 100644
--- a/apis/v1alpha1/gateway_types.go
+++ b/apis/v1alpha1/gateway_types.go
@@ -310,21 +310,30 @@ type GatewayTLSConfig struct {
 // Mode defines the TLS behavior for the TLS session initiated by the client.
 // There are two possible modes:
 // - Terminate: The TLS session between the downstream client
- // and the Gateway is terminated at the Gateway.
+ // and the Gateway is terminated at the Gateway. This mode requires
+ // certificateRef to be set.
 // - Passthrough: The TLS session is NOT terminated by the Gateway. This
 // implies that the Gateway can't decipher the TLS stream except for
 // the ClientHello message of the TLS protocol.
 // CertificateRef field is ignored in this mode.
+ //
+ // Support: Core
+ //
+ // +kubebuilder:default=Terminate
 Mode TLSModeType `json:"mode,omitempty"`
 
- // CertificateRef is the reference to Kubernetes object that
- // contain a TLS certificate and private key.
- // This certificate MUST be used for TLS handshakes for the domain
- // this GatewayTLSConfig is associated with.
- // If an entry in this list omits or specifies the empty
- // string for both the group and the resource, the resource defaults to "secrets".
- // An implementation may support other resources (for example, resource
+ // CertificateRef is the reference to Kubernetes object that contain a
+ // TLS certificate and private key. This certificate MUST be used for
+ // TLS handshakes for the domain this GatewayTLSConfig is associated with.
+ //
+ // This field is required when mode is set to "Terminate" (default) and
+ // optional otherwise.
+ //
+ // If an entry in this list omits or specifies the empty string for both
+ // the group and the resource, the resource defaults to "secrets". An
+ // implementation may support other resources (for example, resource
 // "mycertificates" in group "networking.acme.io").
+ //
 // Support: Core (Kubernetes Secrets)
 // Support: Implementation-specific (Other resource types)
 //
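Review bot: The new comment on CertificateRef states the field is required when mode is "Terminate", which this hunk also makes the default, but no validation marker accompanies that constraint, so an HTTPS/TLS listener that omits both mode and certificateRef will most likely be admitted by the API server and only fail later inside the implementation. Because a kubebuilder schema cannot express a conditional requirement, the comment should name the enforcement point so implementers converge on the same behaviour, e.g. `// Implementations MUST treat a Listener whose mode is "Terminate" without a certificateRef as invalid and surface that in the Listener's status rather than serving it.` The CertificateRef field declaration and the enclosing GatewayTLSConfig struct lie outside this hunk, so the markers already present on the field cannot be confirmed from here.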
@@ -338,6 +347,8 @@ type GatewayTLSConfig struct {
 // set to 'Allow' as it will be used as the default certificate for the
 // listener.
 //
+ // Support: Core
+ //
 // +kubebuilder:default={certificate:Deny}
 RouteOverride TLSOverridePolicy `json:"routeOverride,omitempty"`
 
@@ -357,7 +368,6 @@ type GatewayTLSConfig struct {
 
 // TLSModeType type defines behavior of gateway with TLS protocol.
 // +kubebuilder:validation:Enum=Terminate;Passthrough
-// +kubebuilder:default=Terminate
 type TLSModeType string
 
 const (
diff --git a/config/crd/bases/networking.x-k8s.io_gateways.yaml b/config/crd/bases/networking.x-k8s.io_gateways.yaml
index 98719911e7..e2714c41aa 100644
--- a/config/crd/bases/networking.x-k8s.io_gateways.yaml
+++ b/config/crd/bases/networking.x-k8s.io_gateways.yaml
@@ -176,7 +176,7 @@ spec:
 description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\" and ignored otherwise. \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core"
 properties:
 certificateRef:
- description: 'CertificateRef is the reference to Kubernetes object that contain a TLS certificate and private key. This certificate MUST be used for TLS handshakes for the domain this GatewayTLSConfig is associated with. If an entry in this list omits or specifies the empty string for both the group and the resource, the resource defaults to "secrets". An implementation may support other resources (for example, resource "mycertificates" in group "networking.acme.io"). Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)'
+ description: "CertificateRef is the reference to Kubernetes object that contain a TLS certificate and private key. This certificate MUST be used for TLS handshakes for the domain this GatewayTLSConfig is associated with. \n This field is required when mode is set to \"Terminate\" (default) and optional otherwise. \n If an entry in this list omits or specifies the empty string for both the group and the resource, the resource defaults to \"secrets\". An implementation may support other resources (for example, resource \"mycertificates\" in group \"networking.acme.io\"). \n Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)"
 properties:
 group:
 description: Group is the group of the referent.
@@ -199,7 +199,8 @@ spec:
 - name
 type: object
 mode:
- description: 'Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can''t decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRef field is ignored in this mode.'
+ default: Terminate
+ description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRef to be set. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRef field is ignored in this mode. \n Support: Core"
 enum:
 - Terminate
 - Passthrough
@@ -212,7 +213,7 @@ spec:
 routeOverride:
 default:
 certificate: Deny
- description: "RouteOverride dictates if TLS settings can be configured via Routes or not. \n CertificateRef must be defined even if `routeOverride.certificate` is set to 'Allow' as it will be used as the default certificate for the listener."
+ description: "RouteOverride dictates if TLS settings can be configured via Routes or not. \n CertificateRef must be defined even if `routeOverride.certificate` is set to 'Allow' as it will be used as the default certificate for the listener. \n Support: Core"
 properties:
 certificate:
 default: Deny
diff --git a/docs-src/spec.md b/docs-src/spec.md
index afa64d3bbd..98a2cdbb37 100644
--- a/docs-src/spec.md
+++ b/docs-src/spec.md
@@ -1702,11 +1702,13 @@ TLSModeType

Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client -and the Gateway is terminated at the Gateway. +and the Gateway is terminated at the Gateway. This mode requires +certificateRef to be set. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can’t decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRef field is ignored in this mode.

+

Support: Core

@@ -1720,15 +1722,16 @@ LocalObjectReference (Optional) -

CertificateRef is the reference to Kubernetes object that -contain a TLS certificate and private key. -This certificate MUST be used for TLS handshakes for the domain -this GatewayTLSConfig is associated with. -If an entry in this list omits or specifies the empty -string for both the group and the resource, the resource defaults to “secrets”. -An implementation may support other resources (for example, resource -“mycertificates” in group “networking.acme.io”). -Support: Core (Kubernetes Secrets) +

CertificateRef is the reference to Kubernetes object that contain a +TLS certificate and private key. This certificate MUST be used for +TLS handshakes for the domain this GatewayTLSConfig is associated with.

+

This field is required when mode is set to “Terminate” (default) and +optional otherwise.

+

If an entry in this list omits or specifies the empty string for both +the group and the resource, the resource defaults to “secrets”. An +implementation may support other resources (for example, resource +“mycertificates” in group “networking.acme.io”).

+

Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)

@@ -1747,6 +1750,7 @@ via Routes or not.

CertificateRef must be defined even if routeOverride.certificate is set to ‘Allow’ as it will be used as the default certificate for the listener.

+

Support: Core

diff --git a/docs/spec/index.html b/docs/spec/index.html index 8f946177bf..ce1cbfa7cc 100644 --- a/docs/spec/index.html +++ b/docs/spec/index.html @@ -2257,11 +2257,13 @@

GatewayTLSConfig

Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client -and the Gateway is terminated at the Gateway. +and the Gateway is terminated at the Gateway. This mode requires +certificateRef to be set. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can’t decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRef field is ignored in this mode.

+

Support: Core

@@ -2275,15 +2277,16 @@

GatewayTLSConfig (Optional) -

CertificateRef is the reference to Kubernetes object that -contain a TLS certificate and private key. -This certificate MUST be used for TLS handshakes for the domain -this GatewayTLSConfig is associated with. -If an entry in this list omits or specifies the empty -string for both the group and the resource, the resource defaults to “secrets”. -An implementation may support other resources (for example, resource -“mycertificates” in group “networking.acme.io”). -Support: Core (Kubernetes Secrets) +

CertificateRef is the reference to Kubernetes object that contain a +TLS certificate and private key. This certificate MUST be used for +TLS handshakes for the domain this GatewayTLSConfig is associated with.

+

This field is required when mode is set to “Terminate” (default) and +optional otherwise.

+

If an entry in this list omits or specifies the empty string for both +the group and the resource, the resource defaults to “secrets”. An +implementation may support other resources (for example, resource +“mycertificates” in group “networking.acme.io”).

+

Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)

@@ -2302,6 +2305,7 @@

GatewayTLSConfig

CertificateRef must be defined even if routeOverride.certificate is set to ‘Allow’ as it will be used as the default certificate for the listener.

+

Support: Core