api: support crls in client traffic policies

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

Author: rudrakhp

api/v1alpha1/tls_types.go

@@ -161,6 +161,32 @@ type ClientValidationContext struct {
 	// matches one of the specified matchers
 	// +optional
 	SubjectAltNames *SubjectAltNames `json:"subjectAltNames,omitempty"`
+
+	// Crl specifies the crl configuration that can be used to validate the client initiating the TLS connection
+	// +optional
+	// +notImplementedHide
+	Crl *CrlContext `json:"crl,omitempty"`
+}
+
+// CrlContext holds certificate revocation list configuration that can be used to validate the client initiating the TLS connection
+type CrlContext struct {
+	// Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+	// containing the certificate revocation list in PEM format
+	// Expects the content in a key named `ca.crl`.
+	//
+	// References to a resource in different namespace are invalid UNLESS there
+	// is a ReferenceGrant in the target namespace that allows the crl
+	// to be attached.
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=8
+	Refs []gwapiv1.SecretObjectReference `json:"refs"`
+
+	// If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+	// Defaults to false, which will verify the entire certificate chain against the CRL.
+	// +optional
+	OnlyVerifyLeafCertificate *bool `json:"onlyVerifyLeafCertificate,omitempty"`
 }
 
 type SubjectAltNames struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -1043,6 +1043,81 @@ spec:
                         items:
                           type: string
                         type: array
+                      crl:
+                        description: Crl specifies the crl configuration that can
+                          be used to validate the client initiating the TLS connection
+                        properties:
+                          onlyVerifyLeafCertificate:
+                            description: |-
+                              If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                              Defaults to false, which will verify the entire certificate chain against the CRL.
+                            type: boolean
+                          refs:
+                            description: |-
+                              Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+                              containing the certificate revocation list in PEM format
+                              Expects the content in a key named `ca.crl`.
+
+                              References to a resource in different namespace are invalid UNLESS there
+                              is a ReferenceGrant in the target namespace that allows the crl
+                              to be attached.
+                            items:
+                              description: |-
+                                SecretObjectReference identifies an API object including its namespace,
+                                defaulting to Secret.
+
+                                The API object must be valid in the cluster; the Group and Kind must
+                                be registered in the cluster for this reference to be valid.
+
+                                References to objects with invalid Group and Kind are not valid, and must
+                                be rejected by the implementation, with appropriate Conditions set
+                                on the containing object.
+                              properties:
+                                group:
+                                  default: ""
+                                  description: |-
+                                    Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                                    When unspecified or empty string, core API group is inferred.
+                                  maxLength: 253
+                                  pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                                kind:
+                                  default: Secret
+                                  description: Kind is kind of the referent. For example
+                                    "Secret".
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                  type: string
+                                name:
+                                  description: Name is the name of the referent.
+                                  maxLength: 253
+                                  minLength: 1
+                                  type: string
+                                namespace:
+                                  description: |-
+                                    Namespace is the namespace of the referenced object. When unspecified, the local
+                                    namespace is inferred.
+
+                                    Note that when a namespace different than the local namespace is specified,
+                                    a ReferenceGrant object is required in the referent namespace to allow that
+                                    namespace's owner to accept the reference. See the ReferenceGrant
+                                    documentation for details.
+
+                                    Support: Core
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            maxItems: 8
+                            minItems: 1
+                            type: array
+                        required:
+                        - refs
+                        type: object
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -1042,6 +1042,81 @@ spec:
                         items:
                           type: string
                         type: array
+                      crl:
+                        description: Crl specifies the crl configuration that can
+                          be used to validate the client initiating the TLS connection
+                        properties:
+                          onlyVerifyLeafCertificate:
+                            description: |-
+                              If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                              Defaults to false, which will verify the entire certificate chain against the CRL.
+                            type: boolean
+                          refs:
+                            description: |-
+                              Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+                              containing the certificate revocation list in PEM format
+                              Expects the content in a key named `ca.crl`.
+
+                              References to a resource in different namespace are invalid UNLESS there
+                              is a ReferenceGrant in the target namespace that allows the crl
+                              to be attached.
+                            items:
+                              description: |-
+                                SecretObjectReference identifies an API object including its namespace,
+                                defaulting to Secret.
+
+                                The API object must be valid in the cluster; the Group and Kind must
+                                be registered in the cluster for this reference to be valid.
+
+                                References to objects with invalid Group and Kind are not valid, and must
+                                be rejected by the implementation, with appropriate Conditions set
+                                on the containing object.
+                              properties:
+                                group:
+                                  default: ""
+                                  description: |-
+                                    Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                                    When unspecified or empty string, core API group is inferred.
+                                  maxLength: 253
+                                  pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                                kind:
+                                  default: Secret
+                                  description: Kind is kind of the referent. For example
+                                    "Secret".
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                  type: string
+                                name:
+                                  description: Name is the name of the referent.
+                                  maxLength: 253
+                                  minLength: 1
+                                  type: string
+                                namespace:
+                                  description: |-
+                                    Namespace is the namespace of the referenced object. When unspecified, the local
+                                    namespace is inferred.
+
+                                    Note that when a namespace different than the local namespace is specified,
+                                    a ReferenceGrant object is required in the referent namespace to allow that
+                                    namespace's owner to accept the reference. See the ReferenceGrant
+                                    documentation for details.
+
+                                    Support: Core
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            maxItems: 8
+                            minItems: 1
+                            type: array
+                        required:
+                        - refs
+                        type: object
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -968,6 +968,21 @@ _Appears in:_
 | `attributes` | _object (keys:string, values:string)_ |  false  |  | Additional Attributes to set for the generated cookie. |
 
 
+#### CrlContext
+
+
+
+CrlContext holds certificate revocation list configuration that can be used to validate the client initiating the TLS connection
+
+_Appears in:_
+- [ClientValidationContext](#clientvalidationcontext)
+
+| Field | Type | Required | Default | Description |
+| ---   | ---  | ---      | ---     | ---         |
+| `refs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ |  true  |  | Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,<br />containing the certificate revocation list in PEM format<br />Expects the content in a key named `ca.crl`.<br />References to a resource in different namespace are invalid UNLESS there<br />is a ReferenceGrant in the target namespace that allows the crl<br />to be attached. |
+| `onlyVerifyLeafCertificate` | _boolean_ |  false  |  | If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.<br />Defaults to false, which will verify the entire certificate chain against the CRL. |
+
+
 #### CustomHeaderExtensionSettings
 
 

site/content/en/latest/api/extension_types.md

@@ -21182,6 +21182,81 @@ spec:
                         items:
                           type: string
                         type: array
+                      crl:
+                        description: Crl specifies the crl configuration that can
+                          be used to validate the client initiating the TLS connection
+                        properties:
+                          onlyVerifyLeafCertificate:
+                            description: |-
+                              If this option is set to true,  Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+                              Defaults to false, which will verify the entire certificate chain against the CRL.
+                            type: boolean
+                          refs:
+                            description: |-
+                              Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+                              containing the certificate revocation list in PEM format
+                              Expects the content in a key named `ca.crl`.
+
+                              References to a resource in different namespace are invalid UNLESS there
+                              is a ReferenceGrant in the target namespace that allows the crl
+                              to be attached.
+                            items:
+                              description: |-
+                                SecretObjectReference identifies an API object including its namespace,
+                                defaulting to Secret.
+
+                                The API object must be valid in the cluster; the Group and Kind must
+                                be registered in the cluster for this reference to be valid.
+
+                                References to objects with invalid Group and Kind are not valid, and must
+                                be rejected by the implementation, with appropriate Conditions set
+                                on the containing object.
+                              properties:
+                                group:
+                                  default: ""
+                                  description: |-
+                                    Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                                    When unspecified or empty string, core API group is inferred.
+                                  maxLength: 253
+                                  pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                                kind:
+                                  default: Secret
+                                  description: Kind is kind of the referent. For example
+                                    "Secret".
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                  type: string
+                                name:
+                                  description: Name is the name of the referent.
+                                  maxLength: 253
+                                  minLength: 1
+                                  type: string
+                                namespace:
+                                  description: |-
+                                    Namespace is the namespace of the referenced object. When unspecified, the local
+                                    namespace is inferred.
+
+                                    Note that when a namespace different than the local namespace is specified,
+                                    a ReferenceGrant object is required in the referent namespace to allow that
+                                    namespace's owner to accept the reference. See the ReferenceGrant
+                                    documentation for details.
+
+                                    Support: Core
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            maxItems: 8
+                            minItems: 1
+                            type: array
+                        required:
+                        - refs
+                        type: object
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.