Refactors TLS config schema
danehans committed Feb 12, 2020
1 parent 63e2d58 commit 266d652
Showing 6 changed files with 391 additions and 168 deletions.
87 changes: 42 additions & 45 deletions api/v1alpha1/gateway_types.go
Expand Up @@ -84,29 +84,32 @@ type Route struct {
//
// +optional
RouteRef core.ObjectReference `json:"routeRef"`
// TerminationPolicy defines a policy for terminating TLS connections
// of a route.
// TLSTermination defines how to terminate TLS connections.
//
// If unspecified, TLS termination type "Edge" will be used.
//
// Support: Core
//
// +optional
TerminationPolicy TLSTerminationPolicy `json:"terminationPolicy,omitempty"`
TLSTermination TLSTerminationType `json:"tlsTermination,omitempty"`
}

// Listener defines a
type Listener struct {
// Name can be used to tie this Listener to a ListenerStatus entry with the
// same name. Each listener must have a unique name within a Gateway. This
// must be a valid DNS_LABEL.
Name string `json:"string"`
//
// Support: Core
//
// +required
Name string `json:"name"`
// Address requested for this listener. This is optional and behavior
// can depend on GatewayClass. If a value is set in the spec and
// the request address is invalid, the GatewayClass MUST indicate
// this in the associated entry in GatewayStatus.Listeners.
//
// Support:
// Support: Core
//
// +optional
Address *ListenerAddress `json:"address,omitempty"`
Expand All @@ -124,7 +127,7 @@ type Listener struct {
//
// Support:
// +optional
TLS *ListenerTLS `json:"tls,omitempty"`
TLS *TLSConfig `json:"tls,omitempty"`
// Extension for this Listener.
//
// Support: custom.
Expand Down Expand Up @@ -166,7 +169,7 @@ const (
TLS1_3 = "TLS1_3"
)

// ListenerTLS describes the TLS configuration for a given port.
// TLSConfig describes configuration for establishing a TLS connection.
//
// References
// - nginx: https://nginx.org/en/docs/http/configuring_https_servers.html
Expand All @@ -175,15 +178,41 @@ const (
// - gcp: https://cloud.google.com/load-balancing/docs/use-ssl-policies#creating_an_ssl_policy_with_a_custom_profile
// - aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
// - azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112
type ListenerTLS struct {
// Certificates is a list of certificates containing resources
// that are bound to the listener.
type TLSConfig struct {
// Certificates is a reference to one or more Kubernetes objects each containing
// an identity certificate that is bound to a listener. The hostname in a TLS
// SNI client hello message is used for certificate matching and route hostname
// selection.
//
// If apiGroup and kind are empty, will default to Kubernetes Secrets resources.
//
// Support: Core (Kubernetes Secrets)
// Support: Implementation-specific (Other resource types)
Certificates []core.TypedLocalObjectReference `json:"certificates,omitempty"`
//
// +optional
ListenerCertificates []core.TypedLocalObjectReference `json:"listenerCertificates,omitempty"`
// CACertificates is a reference to one or more Kubernetes objects
// each containing a CA certificate used by the TLS client for
// establishing a connection with a server.
//
// Here is a ConfigMap example (in yaml):
//
// apiVersion: v1
// kind: ConfigMap
// metadata:
// name: my-dest-svc-ca
// namespace: my-dest-svc-namespace
// data:
// ca-bundle.crt: |
// -----BEGIN CERTIFICATE-----
// Destination Service CA Certificate Bundle.
// -----END CERTIFICATE-----
//
// Support: Core (Kubernetes ConfigMap)
// Support: Implementation-specific (For other resource types)
//
// +optional
CACertificates []core.TypedLocalObjectReference `json:"caCertificates,omitempty"`
// MinimumVersion of TLS allowed. It is recommended to use one of
// the TLS_* constants above. Note: this is not strongly
// typed to allow implementation-specific versions to be used without
Expand All @@ -194,7 +223,7 @@ type ListenerTLS struct {
// values.
//
// +optional
MinimumVersion *string `json:"minimumVersion"`
MinimumVersion *string `json:"minimumVersion,omitempty"`
// Options are a list of key/value pairs to give extended options
// to the provider.
//
Expand All @@ -204,41 +233,9 @@ type ListenerTLS struct {
// construct.
//
// Support: Implementation-specific.
Options map[string]string `json:"options"`
}

// TLSTerminationPolicy defines the schema of a TLS termination policy.
type TLSTerminationPolicy struct {
// TerminationType defines how to terminate TLS connections.
//
// If unspecified, TLS termination type "Edge" will be used.
//
// Support: Core
//
// +optional
TerminationType TLSTerminationType `json:"terminationType,omitempty"`
// CACertificates is a reference to one or more CA certificates used
// for establishing a TLS connection with the backend object when
// using TLS termination type "Reencrypt".
//
// Here is a ConfigMap example (in yaml):
//
// apiVersion: v1
// kind: ConfigMap
// metadata:
// name: my-dest-svc-ca
// namespace: my-dest-svc-namespace
// data:
// ca-bundle.crt: |
// -----BEGIN CERTIFICATE-----
// Destination Service CA Certificate Bundle.
// -----END CERTIFICATE-----
//
// Support: Core (Kubernetes ConfigMap)
// Support: Implementation-specific (For other resource types)
//
// +optional
CACertificates []core.ObjectReference `json:"caCertificates,omitempty"`
Options map[string]string `json:"options,omitempty"`
}

// TLSTerminationType specifies where TLS connections will terminate.
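Review bot: CACertificates (and Certificates) on the new TLSConfig are `core.TypedLocalObjectReference`, which carries no namespace, yet the ConfigMap example kept in the CACertificates comment still shows `namespace: my-dest-svc-namespace`; the comment should state that the referenced object must live in the same namespace as the Gateway or HTTPRoute that references it, and the example's namespace line should be dropped so nobody reads it as a cross-namespace reference. Unlike Certificates, CACertificates never says what apiGroup and kind default to when empty; a line such as `// If apiGroup and kind are empty, will default to Kubernetes ConfigMap resources.` would pin that down, assuming ConfigMap is the intended default as the Support line suggests. Since TLSConfig is now shared between Listener.TLS and HTTPRouteAction.TLS, the type comment should also say which fields are meaningful in each position: the CACertificates text describes only the client-side role, and what Certificates and MinimumVersion mean for a backend connection is left unstated. These points apply to the TLSConfig hunk; the struct continues past the hunk's visible lines.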
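--- a/api/v1alpha1/httproute_types.go
+++ b/api/v1alpha1/httproute_types.go
@@ -180,7 +180,13 @@ type HTTPHeaderFilter struct {
 type HTTPRouteAction struct {
 // ForwardTo sends requests to the referenced object.
 ForwardTo *core.TypedLocalObjectReference `json:"forwardTo"`
-
+// TLS is the configuration used for establishing a TLS
+// connection with the backend Kubernetes object.
+//
+// Support: extended
+//
+// +optional
+TLS *TLSConfig `json:"tls,omitempty"`
 // Extension is an optional, implementation-specific extension
 // to the "action" behavior.
 //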
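Review bot: The new TLS field says only that it is used "for establishing a TLS connection with the backend" but not which TLSConfig fields apply in that position: CACertificates is the only field whose comment mentions the client role, while Certificates, MinimumVersion and Options are documented in listener terms, so a reader cannot tell whether Certificates here is a client identity certificate or is ignored. A sentence on the field such as `// CACertificates verifies the backend's serving certificate; Certificates, if set, is presented as the client identity.` would settle the contract if that is the intent — confirm against the implementation before wording it as fact. The `Support: extended` line is also lowercase where every other field in these files writes `Support: Core`. HTTPRouteAction continues outside the hunk.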
79 changes: 34 additions & 45 deletions api/v1alpha1/zz_generated.deepcopy.go

