/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha2

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"sigs.k8s.io/gateway-api/apis/v1beta1"
)

// +genclient
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:resource:categories=gateway-api,shortName=btlspolicy
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
//
// BackendTLSPolicy is a Direct Attached Policy.
// +kubebuilder:metadata:labels="gateway.networking.k8s.io/policy=Direct"

// BackendTLSPolicy provides a way to configure how a Gateway
// connects to a Backend via TLS.
//
// The policy describes how the Gateway authenticates the backend: which
// CA bundle to trust and which hostname the backend's certificate must
// carry. In this version there is no field for a client certificate that
// the Gateway would present to the backend; only server authentication of
// the backend is configured here.
type BackendTLSPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec defines the desired state of BackendTLSPolicy.
	//
	// The field has no omitempty and is not marked +optional, so the
	// generated schema should treat it as required.
	Spec BackendTLSPolicySpec `json:"spec"`

	// Status defines the current state of BackendTLSPolicy.
	//
	// Written by the implementation via the status subresource declared by
	// the +kubebuilder:subresource:status marker above.
	Status PolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:object:root=true
// BackendTLSPolicyList contains a list of BackendTLSPolicies
type BackendTLSPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policies in this list.
	Items []BackendTLSPolicy `json:"items"`
}

// BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.
//
// Support: Extended
type BackendTLSPolicySpec struct {
	// TargetRef identifies an API object to apply the policy to.
	// Only Services have Extended support. Implementations MAY support
	// additional objects, with Implementation Specific support.
	// Note that this config applies to the entire referenced resource
	// by default, but this default may change in the future to provide
	// a more granular application of the policy.
	//
	// Because the policy covers the whole target, every endpoint reached
	// through it is expected to present a certificate that satisfies the
	// TLS configuration below (in particular its Hostname).
	//
	// Support: Extended for Kubernetes Service
	//
	// Support: Implementation-specific for any other resource
	//
	TargetRef PolicyTargetReferenceWithSectionName `json:"targetRef"`

	// TLS contains backend TLS policy configuration.
	//
	// Required (no omitempty): a policy without a TLS block has nothing to
	// apply.
	TLS BackendTLSPolicyConfig `json:"tls"`
}

// BackendTLSPolicyConfig contains backend TLS policy configuration.
//
// Exactly one trust source must be configured: either CACertRefs (an
// explicit CA bundle) or WellKnownCACerts (the implementation's system
// trust store). The two XValidation rules below enforce this at admission
// time: the first rejects a config that sets both, the second rejects one
// that sets neither. Hostname is always required, so certificate name
// verification cannot be switched off through this API.
// +kubebuilder:validation:XValidation:message="must not contain both CACertRefs and WellKnownCACerts",rule="!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts) && self.wellKnownCACerts != \"\")"
// +kubebuilder:validation:XValidation:message="must specify either CACertRefs or WellKnownCACerts",rule="(has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts) && self.wellKnownCACerts != \"\")"
type BackendTLSPolicyConfig struct {
	// CACertRefs contains one or more references to Kubernetes objects that
	// contain a PEM-encoded TLS CA certificate bundle, which is used to
	// validate a TLS handshake between the Gateway and backend Pod.
	//
	// If CACertRefs is empty or unspecified, then WellKnownCACerts must be
	// specified. Only one of CACertRefs or WellKnownCACerts may be specified,
	// not both. If CACertRefs is empty or unspecified, the configuration for
	// WellKnownCACerts MUST be honored instead.
	//
	// References to a resource in a different namespace are invalid for the
	// moment, although we will revisit this in the future.
	//
	// Security note: the referenced object is the trust anchor for
	// connections to this backend. Whoever can write to it decides which
	// backend certificates the Gateway accepts, so it deserves the same
	// RBAC protection as the policy itself; the same-namespace restriction
	// above bounds that exposure to the policy's namespace. A ConfigMap
	// rather than a Secret is used, presumably because CA certificates are
	// public material; the CA's private key must never be stored there.
	//
	// A single CACertRef to a Kubernetes ConfigMap kind has "Core" support.
	// Implementations MAY choose to support attaching multiple certificates to
	// a backend, but this behavior is implementation-specific.
	//
	// Support: Core - An optional single reference to a Kubernetes ConfigMap,
	// with the CA certificate in a key named `ca.crt`.
	//
	// Support: Implementation-specific (More than one reference, or other kinds
	// of resources).
	//
	// +kubebuilder:validation:MaxItems=8
	// +optional
	CACertRefs []v1beta1.LocalObjectReference `json:"caCertRefs,omitempty"`

	// WellKnownCACerts specifies whether system CA certificates may be used in
	// the TLS handshake between the gateway and backend pod.
	//
	// If WellKnownCACerts is unspecified or empty (""), then CACertRefs must be
	// specified with at least one entry for a valid configuration. Only one of
	// CACertRefs or WellKnownCACerts may be specified, not both.
	//
	// "System" delegates trust to whatever root CAs the implementation's
	// system trust store contains; which roots those are is not visible from
	// this API and may differ between implementations. Together with the
	// mandatory Hostname check, the Gateway will then accept any backend that
	// presents a certificate for Hostname issued by one of those roots.
	// Prefer CACertRefs when the backend uses a private CA.
	//
	// Support: Core for "System"
	//
	// +optional
	WellKnownCACerts *WellKnownCACertType `json:"wellKnownCACerts,omitempty"`

	// Hostname is used for two purposes in the connection between Gateways and
	// backends:
	//
	// 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
	// 2. Hostname MUST be used for authentication and MUST match the certificate
	//    served by the matching backend.
	//
	// The field is required (no omitempty, not +optional), so there is no way
	// to opt out of SNI or certificate name verification; a mismatch between
	// this value and the served certificate MUST fail the handshake rather
	// than be ignored. PreciseHostname is expected to be a single literal
	// name rather than a wildcard; see its definition in v1beta1 for the
	// exact constraints.
	//
	// Support: Core
	Hostname v1beta1.PreciseHostname `json:"hostname"`
}

// WellKnownCACertType is the type of CA certificate that will be used when
// the TLS.caCertRefs is unspecified.
//
// The Enum marker limits the value to "System". An explicit empty string
// should therefore already be rejected by schema validation; the `!= ""`
// checks in the CEL rules on BackendTLSPolicyConfig are defensive.
// +kubebuilder:validation:Enum=System
type WellKnownCACertType string

const (
	// WellKnownCACertSystem indicates that well known system CA certificates
	// should be used.
	WellKnownCACertSystem WellKnownCACertType = "System"
)