Implementing and Documenting GEP 746 (TLS Updates)

apis/v1alpha2/gateway_types.go

@@ -269,35 +269,6 @@ const (
 	UDPProtocolType ProtocolType = "UDP"
 )
 
-// TLSRouteOverrideType type defines the level of allowance for Routes
-// to override a specific TLS setting.
-// +kubebuilder:validation:Enum=Allow;Deny
-// +kubebuilder:default=Deny
-type TLSRouteOverrideType string
-
-const (
-	// Allows the parameter to be configured from all routes.
-	TLSROuteOVerrideAllow TLSRouteOverrideType = "Allow"
-
-	// Prohibits the parameter from being configured from any route.
-	TLSRouteOverrideDeny TLSRouteOverrideType = "Deny"
-)
-
-// TLSOverridePolicy defines a schema for overriding TLS settings at the Route
-// level.
-type TLSOverridePolicy struct {
-	// Certificate dictates if TLS certificates can be configured
-	// via Routes. If set to 'Allow', a TLS certificate for a hostname
-	// defined in a Route takes precedence over the certificate defined in
-	// Gateway.
-	//
-	// Support: Core
-	//
-	// +optional
-	// +kubebuilder:default=Deny
-	Certificate *TLSRouteOverrideType `json:"certificate,omitempty"`
-}
-
 // GatewayTLSConfig describes a TLS configuration.
 type GatewayTLSConfig struct {
 	// Mode defines the TLS behavior for the TLS session initiated by the client.
@@ -318,8 +289,14 @@ type GatewayTLSConfig struct {
 
 	// CertificateRef is a reference to a Kubernetes object that contains a TLS
 	// certificate and private key. This certificate is used to establish a TLS
-	// handshake for requests that match the hostname of the associated listener.
-	// The referenced object MUST reside in the same namespace as Gateway.
+	// handshake for requests that match the hostname of the associated
+	// listener.
+	//
+	// References to a resource in different namespace are invalid UNLESS there
+	// is a ReferencePolicy in the target namespace that allows the certificate
+	// to be attached. If a ReferencePolicy does not allow this reference, the
+	// "ResolvedRefs" condition MUST be set to false for this listener with the
+	// "InvalidCertificateRef" reason.
 	//
 	// This field is required when mode is set to "Terminate" (default) and
 	// optional otherwise.
@@ -332,20 +309,7 @@ type GatewayTLSConfig struct {
 	// Support: Implementation-specific (Other resource types)
 	//
 	// +optional
-	CertificateRef *LocalObjectReference `json:"certificateRef,omitempty"`
-
-	// RouteOverride dictates if TLS settings can be configured
-	// via Routes or not.
-	//
-	// CertificateRef must be defined even if `routeOverride.certificate` is
-	// set to 'Allow' as it will be used as the default certificate for the
-	// listener.
-	//
-	// Support: Core
-	//
-	// +optional
-	// +kubebuilder:default={certificate:Deny}
-	RouteOverride *TLSOverridePolicy `json:"routeOverride,omitempty"`
+	CertificateRef *ObjectReference `json:"certificateRef,omitempty"`
 
 	// Options are a list of key/value pairs to give extended options
 	// to the provider.

apis/v1alpha2/httproute_types.go

@@ -107,27 +107,6 @@ type HTTPRouteSpec struct {
 	// +kubebuilder:validation:MaxItems=16
 	Hostnames []Hostname `json:"hostnames,omitempty"`
 
-	// TLS defines the TLS certificate to use for Hostnames defined in this
-	// Route. This configuration only takes effect if the AllowRouteOverride
-	// field is set to true in the associated Gateway resource.
-	//
-	// Collisions can happen if multiple HTTPRoutes define a TLS certificate
-	// for the same hostname. In such a case, conflict resolution guiding
-	// principles apply, specifically, if hostnames are same and two different
-	// certificates are specified then the certificate in the
-	// oldest resource wins.
-	//
-	// Please note that HTTP Route-selection takes place after the
-	// TLS Handshake (ClientHello). Due to this, TLS certificate defined
-	// here will take precedence even if the request has the potential to
-	// match multiple routes (in case multiple HTTPRoutes share the same
-	// hostname).
-	//
-	// Support: Core
-	//
-	// +optional
-	TLS *RouteTLSConfig `json:"tls,omitempty"`
-
 	// Rules are a list of HTTP matchers, filters and actions.
 	//
 	// +optional
@@ -136,23 +115,6 @@ type HTTPRouteSpec struct {
 	Rules []HTTPRouteRule `json:"rules,omitempty"`
 }
 
-// RouteTLSConfig describes a TLS configuration defined at the Route level.
-type RouteTLSConfig struct {
-	// CertificateRef is a reference to a Kubernetes object that contains a TLS
-	// certificate and private key. This certificate is used to establish a TLS
-	// handshake for requests that match the hostname of the associated HTTPRoute.
-	// The referenced object MUST reside in the same namespace as HTTPRoute.
-	//
-	// CertificateRef can reference a standard Kubernetes resource, i.e. Secret,
-	// or an implementation-specific custom resource.
-	//
-	// Support: Core (Kubernetes Secrets)
-	//
-	// Support: Implementation-specific (Other resource types)
-	//
-	CertificateRef LocalObjectReference `json:"certificateRef"`
-}
-
 // HTTPRouteRule defines semantics for matching an HTTP request based on
 // conditions, optionally executing additional processing steps, and forwarding
 // the request to an API object.

examples/v1alpha2/0-namespaces.yaml

@@ -0,0 +1,11 @@
+# These namespaces can be used for examples without recreating them each time.
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: gateway-api-example-ns1
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: gateway-api-example-ns2

examples/v1alpha2/tls-basic.yaml

@@ -0,0 +1,25 @@
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1alpha2
+metadata:
+  name: tls-basic
+spec:
+  gatewayClassName: acme-lb
+  listeners:
+  - name: foo-https
+    protocol: HTTPS
+    port: 443
+    hostname: foo.example.com
+    tls:
+      certificateRef:
+        kind: Secret
+        group: ""
+        name: foo-example-com-cert
+  - name: bar-https
+    protocol: HTTPS
+    port: 443
+    hostname: bar.example.com
+    tls:
+      certificateRef:
+        kind: Secret
+        group: ""
+        name: bar-example-com-cert