diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
index 66c0e1fc84f..976ffcb4aa5 100644
--- a/api/v1alpha1/wasm_types.go
+++ b/api/v1alpha1/wasm_types.go
@@ -115,6 +115,11 @@ type HTTPWasmCodeSource struct {
// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
// +optional
SHA256 *string `json:"sha256"`
+
+ // TLS configuration when connecting to the Wasm code source.
+ // +optional
+ // +notImplementedHide
+ TLS *WasmCodeSourceTLSConfig `json:"tls,omitempty"`
}
// ImageWasmCodeSource defines the OCI image containing the Wasm code.
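Review bot: The comment on the new `TLS` field of HTTPWasmCodeSource does not say that the setting is not yet honoured, although `+notImplementedHide` marks it so and the generated CRD schema in this same commit already accepts `tls`. An operator who sets `caCertificateRef` to confine trust to a private CA would get no error and, presumably, the default trust behaviour instead. This matters more because `sha256` is optional and the CRD's URL pattern still allows `http:`, so TLS may be the only check on the downloaded module. I would add a line such as `// Not yet implemented: the field is accepted but currently ignored.`, and once it is implemented state which roots are trusted when `tls` is unset. The same applies to the `TLS` field added to ImageWasmCodeSource in the next hunk; both structs begin outside their hunks.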
@@ -137,6 +142,11 @@ type ImageWasmCodeSource struct {
// +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'"
// +optional
PullSecretRef *gwapiv1.SecretObjectReference `json:"pullSecretRef,omitempty"`
+
+ // TLS configuration when connecting to the Wasm code source.
+ // +optional
+ // +notImplementedHide
+ TLS *WasmCodeSourceTLSConfig `json:"tls,omitempty"`
}
// ImagePullPolicy defines the policy to use when pulling an OIC image.
@@ -151,3 +161,14 @@ const (
// Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
ImagePullPolicyAlways ImagePullPolicy = "Always"
)
+
+// WasmCodeSourceTLSConfig defines the TLS configuration when connecting to the Wasm code source.
+type WasmCodeSourceTLSConfig struct {
+ // CACertificateRef contains a references to
+ // Kubernetes objects that contain TLS certificates of
+ // the Certificate Authorities that can be used
+ // as a trust anchor to validate the certificates presented by the Wasm code source.
+ //
+ // Kubernetes ConfigMap and Kubernetes Secret are supported.
+ CACertificateRef gwapiv1.SecretObjectReference `json:"caCertificateRef"`
+}
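Review bot: `CACertificateRef` is documented as accepting ConfigMap and Secret, but nothing in the new type restricts `kind`. The generated schema applies only the generic SecretObjectReference pattern with default `Secret`, whereas `PullSecretRef` in ImageWasmCodeSource carries an XValidation rule. Adding `// +kubebuilder:validation:XValidation:message="only support Secret or ConfigMap kind.",rule="self.kind == 'Secret' || self.kind == 'ConfigMap'"` above the field would reject other kinds at admission instead of leaving it to the translator. The reference also permits a `namespace`, so the implementation will need a ReferenceGrant check before reading a CA bundle from another namespace; no such check is visible in this diff. The comment's "a references to" should read "a reference to".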
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 696c99259fb..25d21e5e096 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -2934,6 +2934,11 @@ func (in *HTTPWasmCodeSource) DeepCopyInto(out *HTTPWasmCodeSource) {
*out = new(string)
**out = **in
}
+ if in.TLS != nil {
+ in, out := &in.TLS, &out.TLS
+ *out = new(WasmCodeSourceTLSConfig)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPWasmCodeSource.
@@ -3104,6 +3109,11 @@ func (in *ImageWasmCodeSource) DeepCopyInto(out *ImageWasmCodeSource) {
*out = new(apisv1.SecretObjectReference)
(*in).DeepCopyInto(*out)
}
+ if in.TLS != nil {
+ in, out := &in.TLS, &out.TLS
+ *out = new(WasmCodeSourceTLSConfig)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageWasmCodeSource.
@@ -5520,6 +5530,22 @@ func (in *WasmCodeSource) DeepCopy() *WasmCodeSource {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WasmCodeSourceTLSConfig) DeepCopyInto(out *WasmCodeSourceTLSConfig) {
+ *out = *in
+ in.CACertificateRef.DeepCopyInto(&out.CACertificateRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WasmCodeSourceTLSConfig.
+func (in *WasmCodeSourceTLSConfig) DeepCopy() *WasmCodeSourceTLSConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(WasmCodeSourceTLSConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *XDSTranslatorHooks) DeepCopyInto(out *XDSTranslatorHooks) {
*out = *in
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
index 6baa2842c0c..c7e509b1ad1 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1115,6 +1115,61 @@ spec:
If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
type: string
+ tls:
+ description: TLS configuration when connecting to the
+ Wasm code source.
+ properties:
+ caCertificateRef:
+ description: |-
+ CACertificateRef contains a references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the Wasm code source.
+
+ Kubernetes ConfigMap and Kubernetes Secret are supported.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For
+ example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - caCertificateRef
+ type: object
url:
description: URL is the URL containing the Wasm code.
pattern: ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*
@@ -1184,6 +1239,61 @@ spec:
If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
type: string
+ tls:
+ description: TLS configuration when connecting to the
+ Wasm code source.
+ properties:
+ caCertificateRef:
+ description: |-
+ CACertificateRef contains a references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the Wasm code source.
+
+ Kubernetes ConfigMap and Kubernetes Secret are supported.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For
+ example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - caCertificateRef
+ type: object
url:
description: |-
URL is the URL of the OCI image.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index fe361099a84..ddb267f1516 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -4118,6 +4118,21 @@ _Appears in:_
| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.
If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. |
+#### WasmCodeSourceTLSConfig
+
+
+
+WasmCodeSourceTLSConfig defines the TLS configuration when connecting to the Wasm code source.
+
+_Appears in:_
+- [HTTPWasmCodeSource](#httpwasmcodesource)
+- [ImageWasmCodeSource](#imagewasmcodesource)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `caCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CACertificateRef contains a references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the Wasm code source.
Kubernetes ConfigMap and Kubernetes Secret are supported. |
+
+
#### WasmCodeSourceType
_Underlying type:_ _string_
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
index fe361099a84..ddb267f1516 100644
--- a/site/content/zh/latest/api/extension_types.md
+++ b/site/content/zh/latest/api/extension_types.md
@@ -4118,6 +4118,21 @@ _Appears in:_
| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.
If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. |
+#### WasmCodeSourceTLSConfig
+
+
+
+WasmCodeSourceTLSConfig defines the TLS configuration when connecting to the Wasm code source.
+
+_Appears in:_
+- [HTTPWasmCodeSource](#httpwasmcodesource)
+- [ImageWasmCodeSource](#imagewasmcodesource)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `caCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CACertificateRef contains a references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the Wasm code source.
Kubernetes ConfigMap and Kubernetes Secret are supported. |
+
+
#### WasmCodeSourceType
_Underlying type:_ _string_