Skip to content

api: support crls in client traffic policies #6955

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 8, 2025
Merged

api: support crls in client traffic policies #6955

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions api/v1alpha1/tls_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,32 @@ type ClientValidationContext struct {
// matches one of the specified matchers
// +optional
SubjectAltNames *SubjectAltNames `json:"subjectAltNames,omitempty"`

// Crl specifies the crl configuration that can be used to validate the client initiating the TLS connection
// +optional
// +notImplementedHide
Crl *CrlContext `json:"crl,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is CRL well known enough ? does most of the ecosystem use this acronym or should we use the long form here ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

During the sync I mentioned a preference for a longer name but I think that's wrong. NGINX, HAProxy, and other load balancers all use the abbreviated crl so this should be fine.

}

// CrlContext holds certificate revocation list configuration that can be used to validate the client initiating the TLS connection
type CrlContext struct {
// Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
// containing the certificate revocation list in PEM format
// Expects the content in a key named `ca.crl`.
//
// References to a resource in different namespace are invalid UNLESS there
// is a ReferenceGrant in the target namespace that allows the crl
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thoughts on

crl:
  refs:
 - <>
  onlyVerifyLeafCertificate:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wdyt @envoyproxy/gateway-maintainers

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good 👍

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be

  1. Refs
  2. References
  3. CertificateReferences ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. crl.refs[] should be explicit enough IMO.
  2. crl.references[] is more verbose and doesn't align with other APIs.
  3. Not sure about crl.certificateReferences[] as CRL itself is a list of certificates, so technically each certificateReferences[i] can be a list of certificates, might be technically inaccurate. Is this commonly used anywhere else?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 with 1

// to be attached.
//
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=8
Refs []gwapiv1.SecretObjectReference `json:"refs"`

// If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
// Defaults to false, which will verify the entire certificate chain against the CRL.
// +optional
OnlyVerifyLeafCertificate *bool `json:"onlyVerifyLeafCertificate,omitempty"`
}

type SubjectAltNames struct {
Expand Down
32 changes: 32 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

75 changes: 75 additions & 0 deletions ...ts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1043,6 +1043,81 @@ spec:
items:
type: string
type: array
crl:
description: Crl specifies the crl configuration that can
be used to validate the client initiating the TLS connection
properties:
onlyVerifyLeafCertificate:
description: |-
If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
Defaults to false, which will verify the entire certificate chain against the CRL.
type: boolean
refs:
description: |-
Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
containing the certificate revocation list in PEM format
Expects the content in a key named `ca.crl`.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the crl
to be attached.
items:
description: |-
SecretObjectReference identifies an API object including its namespace,
defaulting to Secret.

The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate Conditions set
on the containing object.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example
"Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 8
minItems: 1
type: array
required:
- refs
type: object
optional:
description: |-
Optional set to true accepts connections even when a client doesn't present a certificate.
Expand Down
75 changes: 75 additions & 0 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1042,6 +1042,81 @@ spec:
items:
type: string
type: array
crl:
description: Crl specifies the crl configuration that can
be used to validate the client initiating the TLS connection
properties:
onlyVerifyLeafCertificate:
description: |-
If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
Defaults to false, which will verify the entire certificate chain against the CRL.
type: boolean
refs:
description: |-
Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
containing the certificate revocation list in PEM format
Expects the content in a key named `ca.crl`.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the crl
to be attached.
items:
description: |-
SecretObjectReference identifies an API object including its namespace,
defaulting to Secret.

The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate Conditions set
on the containing object.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example
"Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 8
minItems: 1
type: array
required:
- refs
type: object
optional:
description: |-
Optional set to true accepts connections even when a client doesn't present a certificate.
Expand Down
15 changes: 15 additions & 0 deletions site/content/en/latest/api/extension_types.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -968,6 +968,21 @@ _Appears in:_
| `attributes` | _object (keys:string, values:string)_ | false | | Additional Attributes to set for the generated cookie. |


#### CrlContext



CrlContext holds certificate revocation list configuration that can be used to validate the client initiating the TLS connection

_Appears in:_
- [ClientValidationContext](#clientvalidationcontext)

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| `refs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | true | | Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,<br />containing the certificate revocation list in PEM format<br />Expects the content in a key named `ca.crl`.<br />References to a resource in different namespace are invalid UNLESS there<br />is a ReferenceGrant in the target namespace that allows the crl<br />to be attached. |
| `onlyVerifyLeafCertificate` | _boolean_ | false | | If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.<br />Defaults to false, which will verify the entire certificate chain against the CRL. |


#### CustomHeaderExtensionSettings


Expand Down
75 changes: 75 additions & 0 deletions test/helm/gateway-crds-helm/all.out.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21182,6 +21182,81 @@ spec:
items:
type: string
type: array
crl:
description: Crl specifies the crl configuration that can
be used to validate the client initiating the TLS connection
properties:
onlyVerifyLeafCertificate:
description: |-
If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
Defaults to false, which will verify the entire certificate chain against the CRL.
type: boolean
refs:
description: |-
Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
containing the certificate revocation list in PEM format
Expects the content in a key named `ca.crl`.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the crl
to be attached.
items:
description: |-
SecretObjectReference identifies an API object including its namespace,
defaulting to Secret.

The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate Conditions set
on the containing object.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example
"Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 8
minItems: 1
type: array
required:
- refs
type: object
optional:
description: |-
Optional set to true accepts connections even when a client doesn't present a certificate.
Expand Down
Loading
Loading