api: support crls in client traffic policies

rudrakhp · rudrakhp · commit 3f29b525d0b1 · 2025-09-14T16:53:25.000+05:30
Signed-off-by: Rudrakh Panigrahi &lt;rudrakh97@gmail.com&gt;
diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go
@@ -119,6 +119,7 @@ const (
 // ClientValidationContext holds configuration that can be used to validate the client initiating the TLS connection
 // to the Gateway.
 // By default, no client specific configuration is validated.
+// +kubebuilder:validation:XValidation:rule="has(self.onlyVerifyLeafCertificateCrl) ? has(self.crlRef) : true", message="onlyVerifyLeafCertificateCrl can be set only if crlRef is set"
 type ClientValidationContext struct {
 	// Optional set to true accepts connections even when a client doesn't present a certificate.
 	// Defaults to false, which rejects connections without a valid client certificate.
@@ -158,6 +159,21 @@ type ClientValidationContext struct {
 	// matches one of the specified matchers
 	// +optional
 	SubjectAltNames *SubjectAltNames `json:"subjectAltNames,omitempty"`
+
+	// A reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+	// containing the certificate revocation list in PEM format
+	// Expects the content in a key named `crl.pem`.
+	//
+	// References to a resource in different namespace are invalid UNLESS there
+	// is a ReferenceGrant in the target namespace that allows the crl
+	// to be attached.
+	// +optional
+	CrlRef *gwapiv1.SecretObjectReference `json:"crlRef,omitempty"`
+
+	// If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+	// Defaults to false, which will verify the entire certificate chain against the CRL.
+	// +optional
+	OnlyVerifyLeafCertificateCrl *bool `json:"onlyVerifyLeafCertificateCrl,omitempty"`
 }
 
 type SubjectAltNames struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -1013,6 +1013,60 @@ spec:
                         items:
                           type: string
                         type: array
+                      crlRef:
+                        description: |-
+                          A reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+                          containing the certificate revocation list in PEM format
+                          Expects the content in a key named `crl.pem`.
+
+                          References to a resource in different namespace are invalid UNLESS there
+                          is a ReferenceGrant in the target namespace that allows the crl
+                          to be attached.
+                        properties:
+                          group:
+                            default: ""
+                            description: |-
+                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                              When unspecified or empty string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Secret
+                            description: Kind is kind of the referent. For example
+                              "Secret".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace is the namespace of the referenced object. When unspecified, the local
+                              namespace is inferred.
+
+                              Note that when a namespace different than the local namespace is specified,
+                              a ReferenceGrant object is required in the referent namespace to allow that
+                              namespace's owner to accept the reference. See the ReferenceGrant
+                              documentation for details.
+
+                              Support: Core
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      onlyVerifyLeafCertificateCrl:
+                        description: |-
+                          If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                          Defaults to false, which will verify the entire certificate chain against the CRL.
+                        type: boolean
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.
@@ -1174,6 +1228,11 @@ spec:
                             type: array
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: onlyVerifyLeafCertificateCrl can be set only if crlRef
+                        is set
+                      rule: 'has(self.onlyVerifyLeafCertificateCrl) ? has(self.crlRef)
+                        : true'
                   ecdhCurves:
                     description: |-
                       ECDHCurves specifies the set of supported ECDH curves.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -1012,6 +1012,60 @@ spec:
                         items:
                           type: string
                         type: array
+                      crlRef:
+                        description: |-
+                          A reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+                          containing the certificate revocation list in PEM format
+                          Expects the content in a key named `crl.pem`.
+
+                          References to a resource in different namespace are invalid UNLESS there
+                          is a ReferenceGrant in the target namespace that allows the crl
+                          to be attached.
+                        properties:
+                          group:
+                            default: ""
+                            description: |-
+                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                              When unspecified or empty string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Secret
+                            description: Kind is kind of the referent. For example
+                              "Secret".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace is the namespace of the referenced object. When unspecified, the local
+                              namespace is inferred.
+
+                              Note that when a namespace different than the local namespace is specified,
+                              a ReferenceGrant object is required in the referent namespace to allow that
+                              namespace's owner to accept the reference. See the ReferenceGrant
+                              documentation for details.
+
+                              Support: Core
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      onlyVerifyLeafCertificateCrl:
+                        description: |-
+                          If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                          Defaults to false, which will verify the entire certificate chain against the CRL.
+                        type: boolean
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.
@@ -1173,6 +1227,11 @@ spec:
                             type: array
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: onlyVerifyLeafCertificateCrl can be set only if crlRef
+                        is set
+                      rule: 'has(self.onlyVerifyLeafCertificateCrl) ? has(self.crlRef)
+                        : true'
                   ecdhCurves:
                     description: |-
                       ECDHCurves specifies the set of supported ECDH curves.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -802,6 +802,8 @@ _Appears in:_
 | `spkiHashes` | _string array_ |  false  |  | An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will<br />verify that the SHA-256 of the DER-encoded Subject Public Key Information<br />(SPKI) of the presented certificate matches one of the specified values. |
 | `certificateHashes` | _string array_ |  false  |  | An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will<br />verify that the SHA-256 of the DER-encoded presented certificate matches<br />one of the specified values. |
 | `subjectAltNames` | _[SubjectAltNames](#subjectaltnames)_ |  false  |  | An optional list of Subject Alternative name matchers. If specified, Envoy<br />will verify that the Subject Alternative Name of the presented certificate<br />matches one of the specified matchers |
+| `crlRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  false  |  | A reference to a Kubernetes ConfigMap or a Kubernetes Secret,<br />containing the certificate revocation list in PEM format<br />Expects the content in a key named `crl.pem`.<br />References to a resource in different namespace are invalid UNLESS there<br />is a ReferenceGrant in the target namespace that allows the crl<br />to be attached. |
+| `onlyVerifyLeafCertificateCrl` | _boolean_ |  false  |  | If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.<br />Defaults to false, which will verify the entire certificate chain against the CRL. |
 
 
 #### ClusterSettings
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
@@ -21016,6 +21016,60 @@ spec:
                         items:
                           type: string
                         type: array
+                      crlRef:
+                        description: |-
+                          A reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+                          containing the certificate revocation list in PEM format
+                          Expects the content in a key named `crl.pem`.
+
+                          References to a resource in different namespace are invalid UNLESS there
+                          is a ReferenceGrant in the target namespace that allows the crl
+                          to be attached.
+                        properties:
+                          group:
+                            default: ""
+                            description: |-
+                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                              When unspecified or empty string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Secret
+                            description: Kind is kind of the referent. For example
+                              "Secret".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace is the namespace of the referenced object. When unspecified, the local
+                              namespace is inferred.
+
+                              Note that when a namespace different than the local namespace is specified,
+                              a ReferenceGrant object is required in the referent namespace to allow that
+                              namespace's owner to accept the reference. See the ReferenceGrant
+                              documentation for details.
+
+                              Support: Core
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      onlyVerifyLeafCertificateCrl:
+                        description: |-
+                          If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                          Defaults to false, which will verify the entire certificate chain against the CRL.
+                        type: boolean
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.
@@ -21177,6 +21231,11 @@ spec:
                             type: array
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: onlyVerifyLeafCertificateCrl can be set only if crlRef
+                        is set
+                      rule: 'has(self.onlyVerifyLeafCertificateCrl) ? has(self.crlRef)
+                        : true'
                   ecdhCurves:
                     description: |-
                       ECDHCurves specifies the set of supported ECDH curves.
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -3704,6 +3704,60 @@ spec:
                         items:
                           type: string
                         type: array
+                      crlRef:
+                        description: |-
+                          A reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+                          containing the certificate revocation list in PEM format
+                          Expects the content in a key named `crl.pem`.
+
+                          References to a resource in different namespace are invalid UNLESS there
+                          is a ReferenceGrant in the target namespace that allows the crl
+                          to be attached.
+                        properties:
+                          group:
+                            default: ""
+                            description: |-
+                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                              When unspecified or empty string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Secret
+                            description: Kind is kind of the referent. For example
+                              "Secret".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace is the namespace of the referenced object. When unspecified, the local
+                              namespace is inferred.
+
+                              Note that when a namespace different than the local namespace is specified,
+                              a ReferenceGrant object is required in the referent namespace to allow that
+                              namespace's owner to accept the reference. See the ReferenceGrant
+                              documentation for details.
+
+                              Support: Core
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      onlyVerifyLeafCertificateCrl:
+                        description: |-
+                          If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                          Defaults to false, which will verify the entire certificate chain against the CRL.
+                        type: boolean
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.
@@ -3865,6 +3919,11 @@ spec:
                             type: array
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: onlyVerifyLeafCertificateCrl can be set only if crlRef
+                        is set
+                      rule: 'has(self.onlyVerifyLeafCertificateCrl) ? has(self.crlRef)
+                        : true'
                   ecdhCurves:
                     description: |-
                       ECDHCurves specifies the set of supported ECDH curves.
