From 3747c2f1944fa989bf5c8d351a4069fb89acf145 Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Sun, 14 Sep 2025 15:50:21 +0530 Subject: [PATCH] api: support crls in client traffic policies Signed-off-by: Rudrakh Panigrahi --- api/v1alpha1/tls_types.go | 26 +++++++ api/v1alpha1/zz_generated.deepcopy.go | 32 ++++++++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 75 +++++++++++++++++++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 75 +++++++++++++++++++ site/content/en/latest/api/extension_types.md | 15 ++++ test/helm/gateway-crds-helm/all.out.yaml | 75 +++++++++++++++++++ .../envoy-gateway-crds.out.yaml | 75 +++++++++++++++++++ 7 files changed, 373 insertions(+)
diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go
index fec6ca14cd9..76dd220f4bc 100644
--- a/api/v1alpha1/tls_types.go
+++ b/api/v1alpha1/tls_types.go
@@ -161,6 +161,32 @@ type ClientValidationContext struct {
 // matches one of the specified matchers
 // +optional
 SubjectAltNames *SubjectAltNames `json:"subjectAltNames,omitempty"`
+
+ // Crl specifies the crl configuration that can be used to validate the client initiating the TLS connection
+ // +optional
+ // +notImplementedHide
+ Crl *CrlContext `json:"crl,omitempty"`
+}
+
+// CrlContext holds certificate revocation list configuration that can be used to validate the client initiating the TLS connection
+type CrlContext struct {
+ // Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+ // containing the certificate revocation list in PEM format
+ // Expects the content in a key named `ca.crl`.
+ //
+ // References to a resource in different namespace are invalid UNLESS there
+ // is a ReferenceGrant in the target namespace that allows the crl
+ // to be attached.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=8
+ Refs []gwapiv1.SecretObjectReference `json:"refs"`
+
+ // If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+ // Defaults to false, which will verify the entire certificate chain against the CRL.
+ // +optional
+ OnlyVerifyLeafCertificate *bool `json:"onlyVerifyLeafCertificate,omitempty"`
 }
 
 type SubjectAltNames struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index e00a54f44ef..f3040d553d7 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
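Review bot: The new identifiers `Crl` and `CrlContext` spell the initialism in mixed case; Go convention, and the `CRL` spelling this hunk already uses in the OnlyVerifyLeafCertificate comment, would make them `CRL` and `CRLContext`, with the `json:"crl,omitempty"` tag left as is so the wire format and generated CRD are unaffected — cheap to do while the field is still `+notImplementedHide`. The `Refs` comment says a ConfigMap or a Secret may be referenced, but `SecretObjectReference` defaults `kind` to `Secret` (visible in the generated CRD in this patch), so it is worth adding `// A ConfigMap must be referenced with an explicit kind of ConfigMap.` after the `ca.crl` sentence. The `OnlyVerifyLeafCertificate` comment could also spell out the consequence of `true`, e.g. `// When true, revocation of intermediate CA certificates in the chain is not checked.`, and say what is expected when a CA in the chain has no matching CRL among the refs, which the current text leaves open. ClientValidationContext's body starts outside the hunk.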
@@ -1182,6 +1182,11 @@ func (in *ClientValidationContext) DeepCopyInto(out *ClientValidationContext) { *out = new(SubjectAltNames) (*in).DeepCopyInto(*out) } + if in.Crl != nil { + in, out := &in.Crl, &out.Crl + *out = new(CrlContext) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientValidationContext. @@ -1416,6 +1421,33 @@ func (in *Cookie) DeepCopy() *Cookie { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CrlContext) DeepCopyInto(out *CrlContext) { + *out = *in + if in.Refs != nil { + in, out := &in.Refs, &out.Refs + *out = make([]v1.SecretObjectReference, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.OnlyVerifyLeafCertificate != nil { + in, out := &in.OnlyVerifyLeafCertificate, &out.OnlyVerifyLeafCertificate + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrlContext. +func (in *CrlContext) DeepCopy() *CrlContext { + if in == nil { + return nil + } + out := new(CrlContext) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomHeaderExtensionSettings) DeepCopyInto(out *CustomHeaderExtensionSettings) { *out = *in diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 3153ef4f89c..15aaa58e3fb 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml 
@@ -1043,6 +1043,81 @@ spec: items: type: string type: array + crl: + description: Crl specifies the crl configuration that can + be used to validate the client initiating the TLS connection + properties: + onlyVerifyLeafCertificate: + description: |- + If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL. + Defaults to false, which will verify the entire certificate chain against the CRL. + type: boolean + refs: + description: |- + Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret, + containing the certificate revocation list in PEM format + Expects the content in a key named `ca.crl`. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the crl + to be attached. + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + minItems: 1 + type: array + required: + - refs + type: object optional: description: |- Optional set to true accepts connections even when a client doesn't present a certificate. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index b6b74f5945a..d065d7d3eda 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml 
@@ -1042,6 +1042,81 @@ spec: items: type: string type: array + crl: + description: Crl specifies the crl configuration that can + be used to validate the client initiating the TLS connection + properties: + onlyVerifyLeafCertificate: + description: |- + If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL. + Defaults to false, which will verify the entire certificate chain against the CRL. + type: boolean + refs: + description: |- + Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret, + containing the certificate revocation list in PEM format + Expects the content in a key named `ca.crl`. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the crl + to be attached. + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + minItems: 1 + type: array + required: + - refs + type: object optional: description: |- Optional set to true accepts connections even when a client doesn't present a certificate. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index e8d4a8fb948..e0d1bad27c8 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -968,6 +968,21 @@ _Appears in:_ | `attributes` | _object (keys:string, values:string)_ | false | | Additional Attributes to set for the generated cookie. | +#### CrlContext + + + +CrlContext holds certificate revocation list configuration that can be used to validate the client initiating the TLS connection + +_Appears in:_ +- [ClientValidationContext](#clientvalidationcontext) + +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `refs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | true | | Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
containing the certificate revocation list in PEM format
Expects the content in a key named `ca.crl`.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the crl
to be attached. | +| `onlyVerifyLeafCertificate` | _boolean_ | false | | If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
Defaults to false, which will verify the entire certificate chain against the CRL. | + + #### CustomHeaderExtensionSettings diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index d1c42e6fa0d..739e0c0fea0 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml 
@@ -21182,6 +21182,81 @@ spec: items: type: string type: array + crl: + description: Crl specifies the crl configuration that can + be used to validate the client initiating the TLS connection + properties: + onlyVerifyLeafCertificate: + description: |- + If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL. + Defaults to false, which will verify the entire certificate chain against the CRL. + type: boolean + refs: + description: |- + Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret, + containing the certificate revocation list in PEM format + Expects the content in a key named `ca.crl`. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the crl + to be attached. + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + minItems: 1 + type: array + required: + - refs + type: object optional: description: |- Optional set to true accepts connections even when a client doesn't present a certificate. diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml index 2fb57f82d2d..15171a82fe3 100644 --- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml +++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml 
@@ -3870,6 +3870,81 @@ spec: items: type: string type: array + crl: + description: Crl specifies the crl configuration that can + be used to validate the client initiating the TLS connection + properties: + onlyVerifyLeafCertificate: + description: |- + If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL. + Defaults to false, which will verify the entire certificate chain against the CRL. + type: boolean + refs: + description: |- + Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret, + containing the certificate revocation list in PEM format + Expects the content in a key named `ca.crl`. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the crl + to be attached. + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + minItems: 1 + type: array + required: + - refs + type: object optional: description: |- Optional set to true accepts connections even when a client doesn't present a certificate.