From 893a5bdf4dc8440d493c3a22734704f6f5e27d60 Mon Sep 17 00:00:00 2001
From: Harry Bagdi
Date: Thu, 13 Aug 2020 12:11:18 -0700
Subject: [PATCH] tls: introduce mode and sni to cert matching behavior
This patch adds a `mode` property to TLSConfig which determines the TLS
behavior for each listener.
---
apis/v1alpha1/gateway_types.go | 10 +
apis/v1alpha1/generated.pb.go | 372 ++++++++++--------
apis/v1alpha1/generated.proto | 32 +-
apis/v1alpha1/tlsconfig_types.go | 34 +-
apis/v1alpha1/zz_generated.deepcopy.go | 6 +-
.../bases/networking.x-k8s.io_gateways.yaml | 45 ++-
docs-src/spec.md | 54 ++-
docs/spec/index.html | 54 ++-
8 files changed, 377 insertions(+), 230 deletions(-)
diff --git a/apis/v1alpha1/gateway_types.go b/apis/v1alpha1/gateway_types.go
index 3424a0ae5f..752380132f 100644
--- a/apis/v1alpha1/gateway_types.go
+++ b/apis/v1alpha1/gateway_types.go
@@ -249,6 +249,16 @@ type Listener struct {
// is required if the Protocol field is "HTTPS" or "TLS" and
// ignored otherwise.
//
+ // The association of SNIs to Certificate defined in TLSConfig is
+ // defined based on the value of HostnameMatchType for this listener:
+ // - "Domain": Certificate should be used used for the domain and its
+ // first-level subdomains.
+ // - "Exact": Certificate should be used for the domain only.
+ // - "Any": Certificate in TLSConfig is the default certificate to use.
+ //
+ // The GatewayClass MUST use the longest matching SNI out of all
+ // available certificate for any TLS handshake.
+ //
// Support: Core
//
// +optional
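Review bot: The added doc block on the TLS field does not say what an implementation must do when the ClientHello carries no SNI, or an SNI that matches no certificate, and no "Any" listener exists. Implementations could then diverge between failing the handshake and presenting a certificate that belongs to another hostname. I would state the fallback explicitly, for example `// If no certificate matches the SNI and no "Any" certificate is configured, the TLS handshake MUST be rejected.`, and note that SNI comparison is case-insensitive. "Longest matching SNI" also needs a tie-break for a hostname matched by both an "Exact" and a "Domain" certificate (presumably Exact wins), and the wording has a doubled "used used" and a singular "available certificate". The Listener struct and the field this comment documents both lie outside the hunk, so whether HostnameMatchType is defined alongside the `mode` property named in the commit message cannot be checked from here.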
diff --git a/apis/v1alpha1/generated.pb.go b/apis/v1alpha1/generated.pb.go
index 705d82b8f0..168bae724c 100644
--- a/apis/v1alpha1/generated.pb.go
+++ b/apis/v1alpha1/generated.pb.go
@@ -1215,152 +1215,154 @@ func init() {
}
var fileDescriptor_05bb9c0dcaced231 = []byte{
- // 2314 bytes of a gzipped FileDescriptorProto
+ // 2341 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0x4d, 0x6c, 0x1b, 0xc7,
- 0x15, 0xf6, 0xf2, 0x47, 0x22, 0x9f, 0x44, 0xcb, 0x9a, 0xd8, 0xae, 0xa2, 0x06, 0xa4, 0xb0, 0x6e,
- 0xd2, 0xd8, 0xa9, 0x49, 0x4b, 0x31, 0x54, 0xd5, 0x8d, 0x0f, 0xa2, 0x62, 0x4b, 0x2d, 0xe4, 0x48,
- 0x1d, 0xb1, 0x4d, 0x93, 0xb8, 0x3f, 0xa3, 0xe5, 0x90, 0xdc, 0x8a, 0xdc, 0x25, 0x76, 0x97, 0x72,
- 0x05, 0xb4, 0x40, 0x92, 0x4b, 0xd1, 0x4b, 0xd1, 0x1e, 0x93, 0xb4, 0xa7, 0x02, 0xbd, 0x17, 0x05,
- 0x72, 0x29, 0x7a, 0x37, 0x7a, 0x4a, 0x6f, 0x3e, 0x11, 0x31, 0x7b, 0xec, 0xa9, 0x4d, 0x51, 0xa0,
- 0x3a, 0xb4, 0xc5, 0xfc, 0xed, 0x1f, 0x25, 0x71, 0x19, 0x58, 0x76, 0x9d, 0xf6, 0x22, 0x70, 0x66,
- 0xde, 0x7c, 0x6f, 0xe6, 0xfd, 0xcd, 0x7b, 0x6f, 0x05, 0xcb, 0xae, 0xd9, 0x74, 0xcb, 0x7b, 0x2b,
- 0x6e, 0xd9, 0xb4, 0x2b, 0x2e, 0x75, 0xf6, 0x4d, 0x83, 0x5e, 0x25, 0x5d, 0xd3, 0xad, 0xf0, 0x3f,
- 0xfb, 0x8b, 0xa4, 0xdd, 0x6d, 0x91, 0xc5, 0x4a, 0x93, 0x5a, 0xd4, 0x21, 0x1e, 0xad, 0x97, 0xbb,
- 0x8e, 0xed, 0xd9, 0x68, 0x41, 0x6c, 0x29, 0xcb, 0x2d, 0xdf, 0x63, 0xd4, 0x65, 0xd2, 0x35, 0xcb,
- 0x6a, 0xc7, 0xfc, 0xd5, 0xa6, 0xe9, 0xb5, 0x7a, 0xbb, 0x65, 0xc3, 0xee, 0x54, 0x9a, 0x76, 0xd3,
- 0xae, 0xf0, 0x8d, 0xbb, 0xbd, 0x06, 0x1f, 0xf1, 0x01, 0xff, 0x25, 0x00, 0xe7, 0x75, 0x79, 0x06,
- 0xd2, 0x35, 0x2b, 0x86, 0xed, 0xd0, 0xca, 0xfe, 0x10, 0xd3, 0xf9, 0xeb, 0x01, 0x4d, 0x87, 0x18,
- 0x2d, 0xd3, 0xa2, 0xce, 0x41, 0xa5, 0xbb, 0xd7, 0x14, 0x67, 0xed, 0x50, 0x8f, 0x1c, 0xb5, 0xab,
- 0x72, 0xdc, 0x2e, 0xa7, 0x67, 0x79, 0x66, 0x87, 0x0e, 0x6d, 0x58, 0x1e, 0xb5, 0xc1, 0x35, 0x5a,
- 0xb4, 0x43, 0xe2, 0xfb, 0xf4, 0x5f, 0x6a, 0xf0, 0xfc, 0x9a, 0x6d, 0x35, 0xcc, 0xe6, 0x1d, 0xd2,
- 0x75, 0x5f, 0xa5, 0x0d, 0xd2, 0x6b, 0x7b, 0x9b, 0xb6, 0x41, 0xda, 0x5b, 0xbb, 0x3f, 0xa0, 0x86,
- 0x87, 0x69, 0x83, 0x3a, 0xd4, 0x32, 0x28, 0xba, 0x04, 0xd9, 0xa6, 0x63, 0xf7, 0xba, 0x73, 0xda,
- 0x82, 0xf6, 0x62, 0xbe, 0x5a, 0xb8, 0xdf, 0x2f, 0x9d, 0x19, 0xf4, 0x4b, 0xd9, 0x75, 0x36, 0x89,
- 0xc5, 0x1a, 0xfa, 0x12, 0xe4, 0x1c, 0xea, 0xda, 0x3d, 0xc7, 0xa0, 0x73, 0x29, 0x4e, 0x77, 0x4e,
- 0xd2, 0xe5, 0xb0, 0x9c, 0xc7, 0x3e, 0x05, 0x5a, 0x80, 0x8c, 0x45, 0x3a, 0x74, 0x2e, 0xcd, 0x29,
- 0xa7, 0x25, 0x65, 0xe6, 0x35, 0xd2, 0xa1, 0x98, 0xaf, 0xe8, 0xff, 0xd6, 0x60, 0xe6, 0xb6, 0xed,
- 0xdc, 0x23, 0x4e, 0xbd, 0x66, 0xd7, 0x88, 0xd3, 0xa4, 0x1e, 0xda, 0x87, 0xbc, 0xc7, 0x7f, 0x61,
- 0xda, 0xe0, 0x87, 0x99, 0x5a, 0xba, 0x55, 0x1e, 0xa5, 0xda, 0xf2, 0x8e, 0x58, 0x39, 0xe9, 0x8a,
- 0xd5, 0x59, 0x79, 0x82, 0x7c, 0x4d, 0xe1, 0xe3, 0x80, 0x15, 0x7a, 0x05, 0x40, 0x0c, 0xb6, 0x6d,
- 0xc7, 0xe3, 0xb7, 0xcb, 0x56, 0x9f, 0x1b, 0xf4, 0x4b, 0x50, 0xf3, 0x67, 0x0f, 0x23, 0x23, 0x1c,
- 0xa2, 0x47, 0xcb, 0x30, 0x71, 0x8f, 0x9a, 0xcd, 0x96, 0xc7, 0x6f, 0x9b, 0xad, 0x16, 0x25, 0xaf,
- 0x89, 0xd7, 0xf9, 0xec, 0x61, 0xbf, 0x34, 0x2d, 0x76, 0x8a, 0x31, 0x96, 0xd4, 0xfa, 0x27, 0x29,
- 0x98, 0x5c, 0x27, 0x1e, 0xbd, 0x47, 0x0e, 0xd0, 0x5d, 0xc8, 0x79, 0x07, 0x5d, 0x7a, 0x87, 0x7a,
- 0x44, 0x5e, 0xbc, 0xac, 0x2e, 0x1e, 0xd6, 0x7b, 0xb9, 0xbb, 0xd7, 0x2c, 0x73, 0x09, 0x30, 0xf3,
- 0x2a, 0xef, 0x2f, 0x96, 0x6b, 0x72, 0x57, 0xa0, 0x0d, 0x35, 0x83, 0x7d, 0x44, 0xf4, 0x7d, 0xc8,
- 0x31, 0xfa, 0x3a, 0xf1, 0x08, 0xbf, 0xdd, 0xd4, 0xd2, 0xb5, 0x64, 0xe8, 0x42, 0x8c, 0x1c, 0x1f,
- 0x49, 0x7c, 0x08, 0xe6, 0xb0, 0x8f, 0x8a, 0xb6, 0x20, 0xe3, 0x76, 0xa9, 0xc1, 0x25, 0x30, 0xb5,
- 0x74, 0x75, 0xb4, 0xd2, 0xe4, 0xc5, 0x77, 0xba, 0xd4, 0x08, 0xcc, 0x83, 0x8d, 0x30, 0x07, 0x42,
- 0xaf, 0xc3, 0x84, 0xeb, 0x11, 0xaf, 0xe7, 0xce, 0x65, 0x38, 0x64, 0x25, 0x39, 0x24, 0xdf, 0x56,
- 0x3d, 0xab, 0xb4, 0x20, 0xc6, 0x58, 0xc2, 0xe9, 0x0d, 0x38, 0x2b, 0x09, 0x57, 0xeb, 0x75, 0x87,
- 0xba, 0x2e, 0xaa, 0x40, 0x86, 0x49, 0x4a, 0x5a, 0xff, 0xe7, 0xd5, 0x61, 0x98, 0x1c, 0x0f, 0xfb,
- 0xa5, 0x29, 0x49, 0xc6, 0x86, 0x98, 0x13, 0x32, 0x7f, 0xd9, 0x27, 0xed, 0x9e, 0xf2, 0x03, 0xdf,
- 0x5f, 0xbe, 0xc5, 0x26, 0xb1, 0x58, 0xd3, 0xdf, 0x4d, 0xc3, 0xb4, 0x64, 0xb4, 0xd6, 0x26, 0xae,
- 0x1b, 0x51, 0x71, 0xe6, 0x54, 0x55, 0xac, 0x9d, 0x8a, 0x8a, 0x6b, 0x52, 0xc5, 0xc2, 0x80, 0x96,
- 0x12, 0xeb, 0x83, 0xdf, 0xfe, 0x58, 0x3d, 0xdf, 0xf5, 0xf5, 0x2c, 0x4c, 0xe7, 0xfa, 0x98, 0xb8,
- 0x27, 0x2b, 0xfb, 0xf7, 0x69, 0xb8, 0x10, 0x26, 0x5f, 0xb3, 0xad, 0xba, 0xe9, 0x99, 0xb6, 0x85,
- 0x6e, 0x46, 0x94, 0x7e, 0x39, 0xa6, 0xf4, 0x67, 0x8f, 0xdc, 0x14, 0x32, 0x81, 0x4d, 0xff, 0xd8,
- 0xc2, 0x06, 0xae, 0x47, 0x0f, 0x70, 0xd8, 0x2f, 0x1d, 0xf1, 0x82, 0x94, 0x7d, 0xa4, 0xe8, 0x31,
- 0xd1, 0x0b, 0x30, 0xe1, 0x50, 0xe2, 0xda, 0x96, 0x8c, 0x97, 0xfe, 0x75, 0x30, 0x9f, 0xc5, 0x72,
- 0x15, 0x5d, 0x86, 0xc9, 0x0e, 0x75, 0x5d, 0xd2, 0xa4, 0xdc, 0x82, 0xf2, 0xd5, 0x19, 0x49, 0x38,
- 0x79, 0x47, 0x4c, 0x63, 0xb5, 0x8e, 0xf6, 0x01, 0xb5, 0x89, 0xeb, 0xd5, 0x1c, 0x62, 0xb9, 0xe2,
- 0xf0, 0x66, 0x87, 0xce, 0x65, 0xb9, 0x8c, 0xaf, 0x24, 0xb4, 0x3b, 0xb3, 0x43, 0xab, 0xf3, 0x92,
- 0x03, 0xda, 0x1c, 0x42, 0xc3, 0x47, 0x70, 0x40, 0x5f, 0x07, 0x64, 0xef, 0x32, 0xdd, 0xd1, 0xfa,
- 0xba, 0x78, 0x90, 0x4c, 0xdb, 0x9a, 0x9b, 0x58, 0xd0, 0x5e, 0x4c, 0x07, 0x58, 0x5b, 0x43, 0x14,
- 0xf8, 0x88, 0x5d, 0xfa, 0xaf, 0x53, 0x70, 0x2e, 0xac, 0x88, 0x4d, 0xd3, 0xf5, 0x22, 0x6e, 0x94,
- 0x7e, 0xe4, 0x6e, 0x74, 0x77, 0xc8, 0x8d, 0x12, 0xa2, 0xb3, 0xb3, 0x45, 0xd1, 0xd5, 0x4c, 0xc8,
- 0x85, 0x76, 0x20, 0x6b, 0x7a, 0xb4, 0xc3, 0x8c, 0x26, 0x1d, 0x86, 0x4e, 0x66, 0xeb, 0x41, 0xa0,
- 0xf9, 0x1a, 0x03, 0xc1, 0x02, 0x4b, 0xff, 0x57, 0x3a, 0x2a, 0x25, 0xe6, 0x5c, 0x68, 0x09, 0xc0,
- 0xb0, 0x2d, 0xcf, 0xb1, 0xdb, 0x6d, 0xea, 0x48, 0x23, 0xf7, 0xdd, 0x7b, 0xcd, 0x5f, 0xc1, 0x21,
- 0x2a, 0xf4, 0x1b, 0x0d, 0x4a, 0xa4, 0xdd, 0xb6, 0xef, 0xd1, 0xba, 0xc4, 0x63, 0xcf, 0xb5, 0xdb,
- 0x25, 0x06, 0xdd, 0xa1, 0x6d, 0x6a, 0x78, 0xb6, 0x23, 0x9d, 0xff, 0xe5, 0x84, 0x32, 0x21, 0xbb,
- 0xb4, 0xad, 0xb6, 0x56, 0xbf, 0x28, 0xd9, 0x97, 0x56, 0x4f, 0xe6, 0x81, 0x47, 0x1d, 0x02, 0xfd,
- 0x54, 0x83, 0x8b, 0x92, 0x06, 0xdb, 0x3d, 0x8f, 0xfa, 0x14, 0x2a, 0x88, 0x2c, 0x8e, 0x16, 0x6c,
- 0x6c, 0xa3, 0xff, 0x68, 0x5f, 0x5c, 0x3d, 0x12, 0x18, 0x1f, 0xc3, 0x10, 0xbd, 0xad, 0x41, 0xa1,
- 0x4b, 0x1c, 0xd2, 0xa1, 0x1e, 0x75, 0x5c, 0x96, 0xb7, 0x88, 0xd8, 0xbe, 0x3e, 0xfa, 0x08, 0x89,
- 0x92, 0xb3, 0xea, 0xec, 0xa0, 0x5f, 0x2a, 0x6c, 0x87, 0x39, 0xe0, 0x28, 0x43, 0xfd, 0x1d, 0x0d,
- 0xd0, 0x70, 0x4c, 0x44, 0x7b, 0xdc, 0x04, 0x44, 0xbc, 0x71, 0xe7, 0x34, 0x6e, 0x71, 0x5f, 0x1e,
- 0xcf, 0xe2, 0xfc, 0x78, 0x15, 0xb1, 0x1d, 0x09, 0x89, 0x43, 0xf0, 0xfa, 0x6f, 0x43, 0x46, 0xe8,
- 0xc7, 0xd8, 0x95, 0x48, 0x8c, 0xfd, 0x42, 0x2c, 0xc6, 0x9e, 0x8f, 0xd3, 0x9f, 0x5a, 0x78, 0x0d,
- 0x85, 0xcd, 0xf4, 0x88, 0xb0, 0x19, 0x44, 0xe2, 0xcc, 0x89, 0x91, 0xf8, 0xb3, 0x10, 0x5e, 0xdf,
- 0x4b, 0xc1, 0x94, 0xd4, 0xc1, 0x50, 0x64, 0xd5, 0x4e, 0x35, 0xb2, 0xa6, 0x1e, 0x79, 0x64, 0x7d,
- 0x4d, 0x45, 0xd6, 0x34, 0xb7, 0xf3, 0xcb, 0x89, 0xed, 0xfc, 0x98, 0xa0, 0xba, 0x07, 0x17, 0x25,
- 0x41, 0xbc, 0x58, 0xaa, 0x40, 0xde, 0x52, 0xee, 0x2f, 0x2d, 0xdb, 0x2f, 0x2e, 0xfc, 0xb8, 0x80,
- 0x03, 0x1a, 0xbf, 0x14, 0x4a, 0x1d, 0x5b, 0x0a, 0xfd, 0x4d, 0xf3, 0x15, 0xc1, 0x83, 0xf7, 0x25,
- 0xc8, 0x1a, 0xcc, 0xfd, 0xe2, 0xf5, 0x18, 0xf7, 0x49, 0x2c, 0xd6, 0xd0, 0x5b, 0x90, 0x6f, 0x9b,
- 0xae, 0xc7, 0xd4, 0xa9, 0xde, 0x93, 0x2b, 0xa3, 0x6f, 0xbd, 0x29, 0xb7, 0x04, 0x67, 0x56, 0x33,
- 0x2e, 0x0e, 0xf0, 0x10, 0x81, 0x3c, 0x11, 0x69, 0x2f, 0x55, 0x22, 0xbd, 0x96, 0x58, 0xa4, 0x32,
- 0x61, 0x0e, 0x58, 0xac, 0x2a, 0x28, 0x1c, 0xa0, 0xea, 0x7f, 0x48, 0x41, 0x21, 0x92, 0xb1, 0x47,
- 0x99, 0x6a, 0xa7, 0xc1, 0x14, 0x35, 0x22, 0x31, 0x51, 0x48, 0x6d, 0x8c, 0x4c, 0x36, 0x69, 0x38,
- 0x64, 0x57, 0x09, 0x94, 0x93, 0x58, 0x7e, 0x4a, 0x15, 0x32, 0xa9, 0x3d, 0x51, 0x45, 0xfa, 0x1f,
- 0x35, 0x38, 0xb7, 0x51, 0xab, 0x6d, 0x6f, 0x50, 0x52, 0xa7, 0xce, 0x6d, 0xb3, 0xed, 0x51, 0x07,
- 0xbd, 0x09, 0x69, 0x52, 0xaf, 0x4b, 0xe1, 0x7d, 0x75, 0x34, 0xc7, 0x38, 0x40, 0x79, 0xb5, 0x5e,
- 0xbf, 0x65, 0x79, 0xce, 0x41, 0x75, 0x4a, 0x32, 0x4f, 0xaf, 0xd6, 0xeb, 0x98, 0x81, 0x22, 0x9d,
- 0x85, 0xc6, 0x8e, 0xbd, 0x4f, 0xb9, 0xdc, 0xf2, 0x55, 0x10, 0x61, 0x91, 0xcd, 0x60, 0xb9, 0x32,
- 0xbf, 0x0c, 0x39, 0x85, 0x80, 0xce, 0x41, 0x7a, 0x8f, 0x1e, 0x08, 0x1b, 0xc6, 0xec, 0x27, 0x3a,
- 0x1f, 0xa9, 0x9b, 0x64, 0xa1, 0x74, 0x23, 0xb5, 0xa2, 0xe9, 0xff, 0x4c, 0x41, 0x9e, 0x9d, 0x85,
- 0xbf, 0xae, 0x4f, 0x7d, 0x31, 0xfc, 0x8d, 0x48, 0x31, 0x5c, 0x49, 0xa6, 0x06, 0x7e, 0xf5, 0x63,
- 0xcb, 0xa4, 0x37, 0x62, 0xe5, 0xf0, 0xe2, 0x38, 0xa0, 0x27, 0xd7, 0x48, 0x7f, 0xd7, 0x60, 0xc6,
- 0xa7, 0x5d, 0x35, 0xf8, 0xcb, 0xbd, 0x0b, 0xf9, 0x86, 0xea, 0xcd, 0x48, 0x6b, 0x4a, 0xc0, 0x31,
- 0xd6, 0xce, 0x09, 0x0c, 0xd8, 0x5f, 0xc0, 0x01, 0x2c, 0xfa, 0x31, 0x4c, 0xd3, 0x1f, 0x7a, 0xd4,
- 0x72, 0xd9, 0xfb, 0x44, 0x1b, 0x52, 0x17, 0x8f, 0x2c, 0x6f, 0x3a, 0x37, 0xe8, 0x97, 0xa6, 0x6f,
- 0x85, 0x18, 0xe0, 0x08, 0x3b, 0xfd, 0x2f, 0xe1, 0x6b, 0x4b, 0xf7, 0x79, 0x03, 0x26, 0x5b, 0xdc,
- 0x1b, 0x5c, 0x69, 0x77, 0x4b, 0xe3, 0xbb, 0x50, 0x75, 0x8a, 0x25, 0x16, 0x62, 0xc6, 0xc5, 0x0a,
- 0xef, 0x49, 0xdf, 0xf6, 0x17, 0x29, 0x28, 0xf8, 0xb7, 0xdd, 0xb0, 0x5d, 0x0f, 0xbd, 0x04, 0xf9,
- 0x96, 0xed, 0x7a, 0xfc, 0x9d, 0xe2, 0x2a, 0xce, 0x57, 0x0b, 0x4c, 0x57, 0x1b, 0x6a, 0x12, 0x07,
- 0xeb, 0xa8, 0x06, 0x59, 0xa7, 0xd7, 0xa6, 0x2a, 0x64, 0x8e, 0x63, 0xd2, 0xb8, 0xd7, 0xa6, 0xc1,
- 0x13, 0xc6, 0x46, 0x2e, 0x16, 0x60, 0x43, 0x32, 0x49, 0x3f, 0x5e, 0x99, 0xfc, 0x2a, 0x2c, 0x93,
- 0xa7, 0x3e, 0x03, 0xda, 0x8e, 0x66, 0x40, 0x2f, 0x8d, 0xa1, 0xa2, 0x63, 0x72, 0xa0, 0x8f, 0xd3,
- 0x70, 0xd6, 0xa7, 0xb9, 0x43, 0x3c, 0xa3, 0x85, 0x36, 0x59, 0xb1, 0xe3, 0xb5, 0xf8, 0xa0, 0x16,
- 0xa4, 0xf6, 0x2f, 0xc8, 0xfd, 0x85, 0xed, 0xf0, 0xe2, 0x61, 0x7c, 0x02, 0x47, 0x37, 0xa3, 0xe7,
- 0x20, 0xc3, 0x26, 0x64, 0x66, 0x94, 0x63, 0x21, 0x8f, 0xd1, 0x63, 0x3e, 0x8b, 0x6e, 0xc2, 0x8c,
- 0x70, 0x9e, 0x80, 0x9b, 0xc8, 0xde, 0x9f, 0x19, 0xf4, 0x4b, 0x33, 0x1b, 0xd1, 0x25, 0x1c, 0xa7,
- 0x45, 0xad, 0xc0, 0x97, 0x33, 0x5c, 0x22, 0x37, 0xc7, 0x90, 0x08, 0x87, 0x29, 0x4b, 0x27, 0x16,
- 0x0f, 0xa2, 0x5f, 0x33, 0x8c, 0x74, 0xed, 0xec, 0x63, 0x35, 0xe3, 0xf9, 0x1b, 0x30, 0x1d, 0x3e,
- 0xe8, 0x58, 0xef, 0xee, 0xfb, 0x61, 0x17, 0x60, 0xbe, 0x89, 0xde, 0x82, 0xc9, 0x0e, 0xbb, 0xfc,
- 0x38, 0x29, 0x58, 0x54, 0x6c, 0xa1, 0xea, 0x4a, 0x00, 0x61, 0x85, 0x88, 0xbe, 0x09, 0x13, 0x0d,
- 0x1e, 0x24, 0xa5, 0xfd, 0x8f, 0xf3, 0x8a, 0xc9, 0xe8, 0xca, 0xb3, 0x0e, 0xf1, 0x1b, 0x4b, 0x30,
- 0x06, 0x4b, 0xf8, 0xbb, 0x95, 0xbc, 0xfc, 0x8f, 0x3d, 0x78, 0x02, 0x56, 0xfc, 0xc6, 0x12, 0x4c,
- 0xa7, 0x21, 0xd9, 0xf0, 0xbc, 0xbc, 0x06, 0x59, 0x16, 0x12, 0x95, 0x64, 0xc6, 0x89, 0x82, 0x2c,
- 0xaa, 0x06, 0x6e, 0xc6, 0x46, 0x2e, 0x16, 0x60, 0xfa, 0xbb, 0xe1, 0x87, 0x48, 0xa6, 0xc2, 0x36,
- 0x4c, 0x35, 0x45, 0xce, 0x89, 0x69, 0x43, 0xf1, 0x5b, 0x49, 0x9c, 0xa8, 0xc6, 0x4d, 0xe8, 0x19,
- 0xc9, 0x58, 0x55, 0x19, 0x0c, 0x14, 0x87, 0x39, 0xe8, 0x7b, 0x50, 0x50, 0x81, 0x5f, 0x78, 0xfa,
- 0x0a, 0x64, 0xb9, 0xd6, 0xa4, 0x87, 0xeb, 0xea, 0xe8, 0x7c, 0xf5, 0xb0, 0x5f, 0x9a, 0x8d, 0x90,
- 0x73, 0x17, 0x14, 0x1b, 0x12, 0xd4, 0x3b, 0x7f, 0x4d, 0x41, 0x4e, 0xe5, 0xb4, 0xe8, 0x3b, 0x90,
- 0x53, 0xef, 0x8c, 0x8c, 0xb9, 0x49, 0xe4, 0x1a, 0x66, 0x1e, 0x84, 0x45, 0x35, 0x8d, 0x7d, 0x48,
- 0x76, 0x9a, 0x6e, 0xf0, 0x51, 0xc7, 0x3f, 0x0d, 0xff, 0x88, 0xc3, 0x57, 0xd0, 0x2b, 0x90, 0xe3,
- 0x1f, 0xcc, 0x0c, 0xbb, 0x2d, 0x03, 0xcc, 0x82, 0xc2, 0xdb, 0x96, 0xf3, 0x87, 0xfd, 0xd2, 0xb4,
- 0xfa, 0xcd, 0xaf, 0xea, 0xef, 0x40, 0xb7, 0x21, 0xed, 0xb5, 0x55, 0x56, 0x96, 0x20, 0xe8, 0xd6,
- 0x36, 0x77, 0x84, 0xdb, 0x57, 0x27, 0x59, 0x76, 0x5d, 0xdb, 0xdc, 0xc1, 0x0c, 0x00, 0x7d, 0x17,
- 0x26, 0x1c, 0x66, 0x00, 0xae, 0x0c, 0x1f, 0xcb, 0x09, 0x5b, 0x58, 0x55, 0xd3, 0xaa, 0x9b, 0x56,
- 0xd3, 0xef, 0xb2, 0x05, 0x0d, 0x0b, 0x8e, 0x86, 0x25, 0xaa, 0xfe, 0xbb, 0x34, 0xcc, 0x2a, 0x99,
- 0x07, 0x1d, 0x9a, 0xaf, 0x44, 0x3a, 0x34, 0xcf, 0xc7, 0x3a, 0x34, 0x17, 0x86, 0x36, 0xfc, 0xbf,
- 0x45, 0xf3, 0x78, 0x5b, 0x34, 0x1f, 0x68, 0x70, 0x36, 0x5a, 0x15, 0xfa, 0x06, 0xad, 0x45, 0xdd,
- 0x2b, 0x64, 0xd0, 0xcd, 0x48, 0x91, 0x2b, 0xd2, 0x81, 0x97, 0x93, 0x57, 0x9f, 0xc9, 0x9b, 0x7e,
- 0x7f, 0x4a, 0xc1, 0xf9, 0xa3, 0x8c, 0x10, 0x79, 0x30, 0xe3, 0xc4, 0x1a, 0xb3, 0xda, 0xa7, 0x6d,
- 0xcc, 0x7e, 0x4e, 0x1e, 0x62, 0x26, 0xde, 0x91, 0x8d, 0xb3, 0x40, 0x5d, 0x28, 0xf0, 0xa9, 0x47,
- 0xd1, 0xac, 0xbe, 0xa0, 0x32, 0x1a, 0x1c, 0x46, 0xc4, 0x51, 0x06, 0xc1, 0x87, 0xf3, 0x74, 0xc2,
- 0x0f, 0xe7, 0x99, 0x51, 0x1f, 0xce, 0xf5, 0x07, 0x1a, 0xc4, 0x6f, 0x8a, 0x7e, 0x04, 0xb3, 0xd6,
- 0x50, 0x27, 0x5e, 0xfb, 0xf4, 0x97, 0x7b, 0x56, 0xf2, 0x9f, 0x1d, 0xee, 0xbd, 0x0f, 0x33, 0x42,
- 0xeb, 0x30, 0x6b, 0x5b, 0xed, 0x83, 0x1d, 0xd2, 0x09, 0xce, 0xc4, 0x45, 0x9b, 0x0b, 0x80, 0xb6,
- 0xe2, 0x04, 0x78, 0x78, 0x8f, 0xfe, 0x9e, 0x06, 0xfa, 0x0e, 0x35, 0x1c, 0xea, 0xfd, 0xf7, 0xfd,
- 0x37, 0xc2, 0xfb, 0x1a, 0x5c, 0x4a, 0xf0, 0x7f, 0x04, 0x4f, 0xe6, 0x70, 0xff, 0x48, 0x41, 0xae,
- 0xb6, 0xf6, 0x19, 0x69, 0x8e, 0x6c, 0x47, 0x9a, 0x23, 0x09, 0x3e, 0x81, 0xa9, 0x9b, 0x1f, 0xdb,
- 0x1b, 0xf9, 0x76, 0xac, 0x37, 0x72, 0x6d, 0x0c, 0xcc, 0x93, 0x5b, 0x23, 0x9f, 0x68, 0x70, 0x56,
- 0x91, 0xfe, 0xef, 0x74, 0x46, 0x3e, 0x48, 0xc1, 0xb4, 0xba, 0xf5, 0x53, 0x5f, 0x16, 0x6f, 0x45,
- 0xcb, 0xe2, 0x2b, 0xc9, 0x6d, 0xe3, 0x98, 0xaa, 0xf8, 0x67, 0x1a, 0x14, 0x14, 0x89, 0x48, 0x95,
- 0xe3, 0xea, 0xd2, 0x1e, 0xaf, 0xba, 0x3e, 0xd4, 0x02, 0x75, 0xf1, 0x12, 0x6e, 0x3b, 0x9c, 0xba,
- 0x27, 0x4a, 0xa7, 0x23, 0xf7, 0xa9, 0xe6, 0xfd, 0x3c, 0x5f, 0xa5, 0xf4, 0x35, 0xbf, 0xc0, 0x4a,
- 0x8d, 0xeb, 0x61, 0x27, 0xd4, 0x57, 0x46, 0x70, 0x6e, 0x5e, 0x5e, 0xed, 0xa8, 0x26, 0x93, 0x96,
- 0xf4, 0xeb, 0x78, 0xf8, 0xda, 0x47, 0xf7, 0x98, 0xf4, 0x77, 0x42, 0x2e, 0xfc, 0xa4, 0x8a, 0xab,
- 0x0f, 0x53, 0x90, 0xf7, 0xf3, 0x7e, 0xf4, 0x13, 0x0d, 0x66, 0x0c, 0xea, 0x78, 0x66, 0xc3, 0x34,
- 0x88, 0x47, 0x43, 0x67, 0x78, 0x35, 0xc9, 0xff, 0xba, 0x8d, 0x7a, 0x3f, 0x83, 0x84, 0x69, 0x2d,
- 0xca, 0x04, 0xc7, 0xb9, 0x22, 0x03, 0x26, 0xed, 0x6e, 0x38, 0x4b, 0x5c, 0x19, 0xa3, 0x7e, 0x29,
- 0x6f, 0x89, 0xad, 0xb1, 0xee, 0x88, 0x9c, 0xc5, 0x0a, 0x79, 0xfe, 0x06, 0x4c, 0x87, 0x29, 0xc7,
- 0x69, 0x4f, 0x54, 0xcb, 0xf7, 0x1f, 0x16, 0xcf, 0x7c, 0xf4, 0xb0, 0x78, 0xe6, 0xc1, 0xc3, 0xe2,
- 0x99, 0xb7, 0x07, 0x45, 0xed, 0xfe, 0xa0, 0xa8, 0x7d, 0x34, 0x28, 0x6a, 0x0f, 0x06, 0x45, 0xed,
- 0xe3, 0x41, 0x51, 0xfb, 0xf9, 0x9f, 0x8b, 0x67, 0xde, 0xcc, 0xa9, 0xc3, 0xfd, 0x27, 0x00, 0x00,
- 0xff, 0xff, 0x5e, 0x44, 0xc9, 0x20, 0x3f, 0x2a, 0x00, 0x00,
+ 0x15, 0xf6, 0xf2, 0x47, 0x22, 0x9f, 0x44, 0xc9, 0x9a, 0xd8, 0xae, 0xa2, 0x06, 0xa4, 0xb1, 0x6e,
+ 0xd2, 0xd8, 0xae, 0x49, 0x4b, 0x31, 0x54, 0xd5, 0x8d, 0x0f, 0xa2, 0x62, 0x4b, 0x2d, 0xa4, 0x48,
+ 0x1d, 0xb2, 0x4d, 0x93, 0xb8, 0x3f, 0xa3, 0xe5, 0x90, 0xdc, 0x8a, 0xe4, 0x12, 0xbb, 0x4b, 0xb9,
+ 0x02, 0x5a, 0x20, 0x09, 0x7a, 0xe9, 0xa5, 0x68, 0x8f, 0x49, 0xda, 0x53, 0x81, 0xde, 0x8b, 0x02,
+ 0xbd, 0x14, 0xbd, 0x1b, 0x3d, 0xa5, 0x37, 0x9f, 0x08, 0x9b, 0x3d, 0xf6, 0xd4, 0xa6, 0x28, 0x50,
+ 0x1d, 0xda, 0x62, 0xfe, 0xf6, 0x8f, 0x92, 0xb8, 0x0c, 0x2c, 0xbb, 0x4e, 0x73, 0x11, 0x38, 0x33,
+ 0x6f, 0xbe, 0x37, 0xf3, 0xfe, 0xe6, 0xbd, 0xb7, 0x82, 0x65, 0xc7, 0x6c, 0x38, 0xc5, 0xbd, 0x15,
+ 0xa7, 0x68, 0x5a, 0x25, 0x87, 0xda, 0xfb, 0xa6, 0x41, 0xaf, 0x91, 0xae, 0xe9, 0x94, 0xf8, 0x9f,
+ 0xfd, 0x45, 0xd2, 0xea, 0x36, 0xc9, 0x62, 0xa9, 0x41, 0x3b, 0xd4, 0x26, 0x2e, 0xad, 0x15, 0xbb,
+ 0xb6, 0xe5, 0x5a, 0xe8, 0xa2, 0xd8, 0x52, 0x94, 0x5b, 0xbe, 0xc7, 0xa8, 0x8b, 0xa4, 0x6b, 0x16,
+ 0xd5, 0x8e, 0x85, 0x6b, 0x0d, 0xd3, 0x6d, 0xf6, 0x76, 0x8b, 0x86, 0xd5, 0x2e, 0x35, 0xac, 0x86,
+ 0x55, 0xe2, 0x1b, 0x77, 0x7b, 0x75, 0x3e, 0xe2, 0x03, 0xfe, 0x4b, 0x00, 0x2e, 0xe8, 0xf2, 0x0c,
+ 0xa4, 0x6b, 0x96, 0x0c, 0xcb, 0xa6, 0xa5, 0xfd, 0x21, 0xa6, 0x0b, 0x37, 0x7c, 0x9a, 0x36, 0x31,
+ 0x9a, 0x66, 0x87, 0xda, 0x07, 0xa5, 0xee, 0x5e, 0x43, 0x9c, 0xb5, 0x4d, 0x5d, 0x72, 0xd4, 0xae,
+ 0xd2, 0x71, 0xbb, 0xec, 0x5e, 0xc7, 0x35, 0xdb, 0x74, 0x68, 0xc3, 0xf2, 0xa8, 0x0d, 0x8e, 0xd1,
+ 0xa4, 0x6d, 0x12, 0xdd, 0xa7, 0xff, 0x52, 0x83, 0x17, 0xd7, 0xac, 0x4e, 0xdd, 0x6c, 0x6c, 0x91,
+ 0xae, 0xf3, 0x1a, 0xad, 0x93, 0x5e, 0xcb, 0xdd, 0xb4, 0x0c, 0xd2, 0xda, 0xde, 0xfd, 0x01, 0x35,
+ 0x5c, 0x4c, 0xeb, 0xd4, 0xa6, 0x1d, 0x83, 0xa2, 0x4b, 0x90, 0x6e, 0xd8, 0x56, 0xaf, 0x3b, 0xaf,
+ 0x5d, 0xd4, 0x5e, 0xce, 0x96, 0x73, 0xf7, 0xfb, 0x85, 0x33, 0x83, 0x7e, 0x21, 0xbd, 0xce, 0x26,
+ 0xb1, 0x58, 0x43, 0x5f, 0x82, 0x8c, 0x4d, 0x1d, 0xab, 0x67, 0x1b, 0x74, 0x3e, 0xc1, 0xe9, 0xce,
+ 0x4a, 0xba, 0x0c, 0x96, 0xf3, 0xd8, 0xa3, 0x40, 0x17, 0x21, 0xd5, 0x21, 0x6d, 0x3a, 0x9f, 0xe4,
+ 0x94, 0xd3, 0x92, 0x32, 0xf5, 0x3a, 0x69, 0x53, 0xcc, 0x57, 0xf4, 0xff, 0x68, 0x30, 0x7b, 0xc7,
+ 0xb2, 0xef, 0x11, 0xbb, 0x56, 0xb5, 0xaa, 0xc4, 0x6e, 0x50, 0x17, 0xed, 0x43, 0xd6, 0xe5, 0xbf,
+ 0x30, 0xad, 0xf3, 0xc3, 0x4c, 0x2d, 0xdd, 0x2e, 0x8e, 0x52, 0x6d, 0xb1, 0x22, 0x56, 0x4e, 0xba,
+ 0x62, 0x79, 0x4e, 0x9e, 0x20, 0x5b, 0x55, 0xf8, 0xd8, 0x67, 0x85, 0x5e, 0x05, 0x10, 0x83, 0x1d,
+ 0xcb, 0x76, 0xf9, 0xed, 0xd2, 0xe5, 0x17, 0x06, 0xfd, 0x02, 0x54, 0xbd, 0xd9, 0xc3, 0xd0, 0x08,
+ 0x07, 0xe8, 0xd1, 0x32, 0x4c, 0xdc, 0xa3, 0x66, 0xa3, 0xe9, 0xf2, 0xdb, 0xa6, 0xcb, 0x79, 0xc9,
+ 0x6b, 0xe2, 0x0d, 0x3e, 0x7b, 0xd8, 0x2f, 0x4c, 0x8b, 0x9d, 0x62, 0x8c, 0x25, 0xb5, 0xfe, 0x71,
+ 0x02, 0x26, 0xd7, 0x89, 0x4b, 0xef, 0x91, 0x03, 0x74, 0x17, 0x32, 0xee, 0x41, 0x97, 0x6e, 0x51,
+ 0x97, 0xc8, 0x8b, 0x17, 0xd5, 0xc5, 0x83, 0x7a, 0x2f, 0x76, 0xf7, 0x1a, 0x45, 0x2e, 0x01, 0x66,
+ 0x5e, 0xc5, 0xfd, 0xc5, 0x62, 0x55, 0xee, 0xf2, 0xb5, 0xa1, 0x66, 0xb0, 0x87, 0x88, 0xbe, 0x0f,
+ 0x19, 0x46, 0x5f, 0x23, 0x2e, 0xe1, 0xb7, 0x9b, 0x5a, 0xba, 0x1e, 0x0f, 0x5d, 0x88, 0x91, 0xe3,
+ 0x23, 0x89, 0x0f, 0xfe, 0x1c, 0xf6, 0x50, 0xd1, 0x36, 0xa4, 0x9c, 0x2e, 0x35, 0xb8, 0x04, 0xa6,
+ 0x96, 0xae, 0x8d, 0x56, 0x9a, 0xbc, 0x78, 0xa5, 0x4b, 0x0d, 0xdf, 0x3c, 0xd8, 0x08, 0x73, 0x20,
+ 0xf4, 0x06, 0x4c, 0x38, 0x2e, 0x71, 0x7b, 0xce, 0x7c, 0x8a, 0x43, 0x96, 0xe2, 0x43, 0xf2, 0x6d,
+ 0xe5, 0x19, 0xa5, 0x05, 0x31, 0xc6, 0x12, 0x4e, 0xaf, 0xc3, 0x8c, 0x24, 0x5c, 0xad, 0xd5, 0x6c,
+ 0xea, 0x38, 0xa8, 0x04, 0x29, 0x26, 0x29, 0x69, 0xfd, 0x9f, 0x57, 0x87, 0x61, 0x72, 0x3c, 0xec,
+ 0x17, 0xa6, 0x24, 0x19, 0x1b, 0x62, 0x4e, 0xc8, 0xfc, 0x65, 0x9f, 0xb4, 0x7a, 0xca, 0x0f, 0x3c,
+ 0x7f, 0xf9, 0x16, 0x9b, 0xc4, 0x62, 0x4d, 0x7f, 0x2f, 0x09, 0xd3, 0x92, 0xd1, 0x5a, 0x8b, 0x38,
+ 0x4e, 0x48, 0xc5, 0xa9, 0x53, 0x55, 0xb1, 0x76, 0x2a, 0x2a, 0xae, 0x4a, 0x15, 0x0b, 0x03, 0x5a,
+ 0x8a, 0xad, 0x0f, 0x7e, 0xfb, 0x63, 0xf5, 0x7c, 0xd7, 0xd3, 0xb3, 0x30, 0x9d, 0x1b, 0x63, 0xe2,
+ 0x9e, 0xac, 0xec, 0x3f, 0x24, 0xe1, 0x7c, 0x90, 0x7c, 0xcd, 0xea, 0xd4, 0x4c, 0xd7, 0xb4, 0x3a,
+ 0xe8, 0x56, 0x48, 0xe9, 0x97, 0x23, 0x4a, 0x7f, 0xfe, 0xc8, 0x4d, 0x01, 0x13, 0xd8, 0xf4, 0x8e,
+ 0x2d, 0x6c, 0xe0, 0x46, 0xf8, 0x00, 0x87, 0xfd, 0xc2, 0x11, 0x2f, 0x48, 0xd1, 0x43, 0x0a, 0x1f,
+ 0x13, 0xbd, 0x04, 0x13, 0x36, 0x25, 0x8e, 0xd5, 0x91, 0xf1, 0xd2, 0xbb, 0x0e, 0xe6, 0xb3, 0x58,
+ 0xae, 0xa2, 0xcb, 0x30, 0xd9, 0xa6, 0x8e, 0x43, 0x1a, 0x94, 0x5b, 0x50, 0xb6, 0x3c, 0x2b, 0x09,
+ 0x27, 0xb7, 0xc4, 0x34, 0x56, 0xeb, 0x68, 0x1f, 0x50, 0x8b, 0x38, 0x6e, 0xd5, 0x26, 0x1d, 0x47,
+ 0x1c, 0xde, 0x6c, 0xd3, 0xf9, 0x34, 0x97, 0xf1, 0x95, 0x98, 0x76, 0x67, 0xb6, 0x69, 0x79, 0x41,
+ 0x72, 0x40, 0x9b, 0x43, 0x68, 0xf8, 0x08, 0x0e, 0xe8, 0xeb, 0x80, 0xac, 0x5d, 0xa6, 0x3b, 0x5a,
+ 0x5b, 0x17, 0x0f, 0x92, 0x69, 0x75, 0xe6, 0x27, 0x2e, 0x6a, 0x2f, 0x27, 0x7d, 0xac, 0xed, 0x21,
+ 0x0a, 0x7c, 0xc4, 0x2e, 0xfd, 0xd7, 0x09, 0x38, 0x1b, 0x54, 0xc4, 0xa6, 0xe9, 0xb8, 0x21, 0x37,
+ 0x4a, 0x3e, 0x76, 0x37, 0xba, 0x3b, 0xe4, 0x46, 0x31, 0xd1, 0xd9, 0xd9, 0xc2, 0xe8, 0x6a, 0x26,
+ 0xe0, 0x42, 0x15, 0x48, 0x9b, 0x2e, 0x6d, 0x33, 0xa3, 0x49, 0x06, 0xa1, 0xe3, 0xd9, 0xba, 0x1f,
+ 0x68, 0xbe, 0xc6, 0x40, 0xb0, 0xc0, 0xd2, 0xff, 0x9d, 0x0c, 0x4b, 0x89, 0x39, 0x17, 0x5a, 0x02,
+ 0x30, 0xac, 0x8e, 0x6b, 0x5b, 0xad, 0x16, 0xb5, 0xa5, 0x91, 0x7b, 0xee, 0xbd, 0xe6, 0xad, 0xe0,
+ 0x00, 0x15, 0xfa, 0x8d, 0x06, 0x05, 0xd2, 0x6a, 0x59, 0xf7, 0x68, 0x4d, 0xe2, 0xb1, 0xe7, 0xda,
+ 0xe9, 0x12, 0x83, 0x56, 0x68, 0x8b, 0x1a, 0xae, 0x65, 0x4b, 0xe7, 0x7f, 0x25, 0xa6, 0x4c, 0xc8,
+ 0x2e, 0x6d, 0xa9, 0xad, 0xe5, 0x2f, 0x4a, 0xf6, 0x85, 0xd5, 0x93, 0x79, 0xe0, 0x51, 0x87, 0x40,
+ 0x3f, 0xd5, 0xe0, 0x82, 0xa4, 0xc1, 0x56, 0xcf, 0xa5, 0x1e, 0x85, 0x0a, 0x22, 0x8b, 0xa3, 0x05,
+ 0x1b, 0xd9, 0xe8, 0x3d, 0xda, 0x17, 0x56, 0x8f, 0x04, 0xc6, 0xc7, 0x30, 0x44, 0xef, 0x68, 0x90,
+ 0xeb, 0x12, 0x9b, 0xb4, 0xa9, 0x4b, 0x6d, 0x87, 0xe5, 0x2d, 0x22, 0xb6, 0xaf, 0x8f, 0x3e, 0x42,
+ 0xac, 0xe4, 0xac, 0x3c, 0x37, 0xe8, 0x17, 0x72, 0x3b, 0x41, 0x0e, 0x38, 0xcc, 0x50, 0x7f, 0x57,
+ 0x03, 0x34, 0x1c, 0x13, 0xd1, 0x1e, 0x37, 0x01, 0x11, 0x6f, 0x9c, 0x79, 0x8d, 0x5b, 0xdc, 0x97,
+ 0xc7, 0xb3, 0x38, 0x2f, 0x5e, 0x85, 0x6c, 0x47, 0x42, 0xe2, 0x00, 0xbc, 0xfe, 0xdb, 0x80, 0x11,
+ 0x7a, 0x31, 0x76, 0x25, 0x14, 0x63, 0xbf, 0x10, 0x89, 0xb1, 0xe7, 0xa2, 0xf4, 0xa7, 0x16, 0x5e,
+ 0x03, 0x61, 0x33, 0x39, 0x22, 0x6c, 0xfa, 0x91, 0x38, 0x75, 0x62, 0x24, 0xfe, 0x34, 0x84, 0xd7,
+ 0xf7, 0x13, 0x30, 0x25, 0x75, 0x30, 0x14, 0x59, 0xb5, 0x53, 0x8d, 0xac, 0x89, 0xc7, 0x1e, 0x59,
+ 0x5f, 0x57, 0x91, 0x35, 0xc9, 0xed, 0xfc, 0x72, 0x6c, 0x3b, 0x3f, 0x26, 0xa8, 0xee, 0xc1, 0x05,
+ 0x49, 0x10, 0x2d, 0x96, 0x4a, 0x90, 0xed, 0x28, 0xf7, 0x97, 0x96, 0xed, 0x15, 0x17, 0x5e, 0x5c,
+ 0xc0, 0x3e, 0x8d, 0x57, 0x0a, 0x25, 0x8e, 0x2d, 0x85, 0xfe, 0xae, 0x79, 0x8a, 0xe0, 0xc1, 0xfb,
+ 0x12, 0xa4, 0x0d, 0xe6, 0x7e, 0xd1, 0x7a, 0x8c, 0xfb, 0x24, 0x16, 0x6b, 0xe8, 0x6d, 0xc8, 0xb6,
+ 0x4c, 0xc7, 0x65, 0xea, 0x54, 0xef, 0xc9, 0x95, 0xd1, 0xb7, 0xde, 0x94, 0x5b, 0xfc, 0x33, 0xab,
+ 0x19, 0x07, 0xfb, 0x78, 0x88, 0x40, 0x96, 0x88, 0xb4, 0x97, 0x2a, 0x91, 0x5e, 0x8f, 0x2d, 0x52,
+ 0x99, 0x30, 0xfb, 0x2c, 0x56, 0x15, 0x14, 0xf6, 0x51, 0xf5, 0x3f, 0x26, 0x20, 0x17, 0xca, 0xd8,
+ 0xc3, 0x4c, 0xb5, 0xd3, 0x60, 0x8a, 0xea, 0xa1, 0x98, 0x28, 0xa4, 0x36, 0x46, 0x26, 0x1b, 0x37,
+ 0x1c, 0xb2, 0xab, 0xf8, 0xca, 0x89, 0x2d, 0x3f, 0xa5, 0x0a, 0x99, 0xd4, 0x9e, 0xa8, 0x22, 0xfd,
+ 0x4f, 0x1a, 0x9c, 0xdd, 0xa8, 0x56, 0x77, 0x36, 0x28, 0xa9, 0x51, 0xfb, 0x8e, 0xd9, 0x72, 0xa9,
+ 0x8d, 0xde, 0x82, 0x24, 0xa9, 0xd5, 0xa4, 0xf0, 0xbe, 0x3a, 0x9a, 0x63, 0x14, 0xa0, 0xb8, 0x5a,
+ 0xab, 0xdd, 0xee, 0xb8, 0xf6, 0x41, 0x79, 0x4a, 0x32, 0x4f, 0xae, 0xd6, 0x6a, 0x98, 0x81, 0x22,
+ 0x9d, 0x85, 0xc6, 0xb6, 0xb5, 0x4f, 0xb9, 0xdc, 0xb2, 0x65, 0x10, 0x61, 0x91, 0xcd, 0x60, 0xb9,
+ 0xb2, 0xb0, 0x0c, 0x19, 0x85, 0x80, 0xce, 0x42, 0x72, 0x8f, 0x1e, 0x08, 0x1b, 0xc6, 0xec, 0x27,
+ 0x3a, 0x17, 0xaa, 0x9b, 0x64, 0xa1, 0x74, 0x33, 0xb1, 0xa2, 0xe9, 0xff, 0x4a, 0x40, 0x96, 0x9d,
+ 0x85, 0xbf, 0xae, 0xcf, 0x7c, 0x31, 0xfc, 0x8d, 0x50, 0x31, 0x5c, 0x8a, 0xa7, 0x06, 0x7e, 0xf5,
+ 0x63, 0xcb, 0xa4, 0x37, 0x23, 0xe5, 0xf0, 0xe2, 0x38, 0xa0, 0x27, 0xd7, 0x48, 0xff, 0xd0, 0x60,
+ 0xd6, 0xa3, 0x5d, 0x35, 0xf8, 0xcb, 0xbd, 0x0b, 0xd9, 0xba, 0xea, 0xcd, 0x48, 0x6b, 0x8a, 0xc1,
+ 0x31, 0xd2, 0xce, 0xf1, 0x0d, 0xd8, 0x5b, 0xc0, 0x3e, 0x2c, 0xfa, 0x31, 0x4c, 0xd3, 0x1f, 0xba,
+ 0xb4, 0xe3, 0xb0, 0xf7, 0x89, 0xd6, 0xa5, 0x2e, 0x1e, 0x5b, 0xde, 0x74, 0x76, 0xd0, 0x2f, 0x4c,
+ 0xdf, 0x0e, 0x30, 0xc0, 0x21, 0x76, 0xfa, 0x5f, 0x83, 0xd7, 0x96, 0xee, 0xf3, 0x26, 0x4c, 0x36,
+ 0xb9, 0x37, 0x38, 0xd2, 0xee, 0x96, 0xc6, 0x77, 0xa1, 0xf2, 0x14, 0x4b, 0x2c, 0xc4, 0x8c, 0x83,
+ 0x15, 0xde, 0xd3, 0xbe, 0xed, 0x2f, 0x12, 0x90, 0xf3, 0x6e, 0xbb, 0x61, 0x39, 0x2e, 0xba, 0x0a,
+ 0xd9, 0xa6, 0xe5, 0xb8, 0xfc, 0x9d, 0xe2, 0x2a, 0xce, 0x96, 0x73, 0x4c, 0x57, 0x1b, 0x6a, 0x12,
+ 0xfb, 0xeb, 0xa8, 0x0a, 0x69, 0xbb, 0xd7, 0xa2, 0x2a, 0x64, 0x8e, 0x63, 0xd2, 0xb8, 0xd7, 0xa2,
+ 0xfe, 0x13, 0xc6, 0x46, 0x0e, 0x16, 0x60, 0x43, 0x32, 0x49, 0x3e, 0x59, 0x99, 0xfc, 0x2a, 0x28,
+ 0x93, 0x67, 0x3e, 0x03, 0xda, 0x09, 0x67, 0x40, 0x57, 0xc7, 0x50, 0xd1, 0x31, 0x39, 0xd0, 0xc3,
+ 0x24, 0xcc, 0x78, 0x34, 0x5b, 0xc4, 0x35, 0x9a, 0x68, 0x93, 0x15, 0x3b, 0x6e, 0x93, 0x0f, 0xaa,
+ 0x7e, 0x6a, 0xff, 0x92, 0xdc, 0x9f, 0xdb, 0x09, 0x2e, 0x1e, 0x46, 0x27, 0x70, 0x78, 0x33, 0x7a,
+ 0x01, 0x52, 0x6c, 0x42, 0x66, 0x46, 0x19, 0x16, 0xf2, 0x18, 0x3d, 0xe6, 0xb3, 0xe8, 0x16, 0xcc,
+ 0x0a, 0xe7, 0xf1, 0xb9, 0x89, 0xec, 0xfd, 0xb9, 0x41, 0xbf, 0x30, 0xbb, 0x11, 0x5e, 0xc2, 0x51,
+ 0x5a, 0xd4, 0xf4, 0x7d, 0x39, 0xc5, 0x25, 0x72, 0x6b, 0x0c, 0x89, 0x70, 0x98, 0xa2, 0x74, 0x62,
+ 0xf1, 0x20, 0x7a, 0x35, 0xc3, 0x48, 0xd7, 0x4e, 0x3f, 0x51, 0x33, 0x5e, 0xb8, 0x09, 0xd3, 0xc1,
+ 0x83, 0x8e, 0xf5, 0xee, 0x7e, 0x10, 0x74, 0x01, 0xe6, 0x9b, 0xe8, 0x6d, 0x98, 0x6c, 0xb3, 0xcb,
+ 0x8f, 0x93, 0x82, 0x85, 0xc5, 0x16, 0xa8, 0xae, 0x04, 0x10, 0x56, 0x88, 0xe8, 0x9b, 0x30, 0x51,
+ 0xe7, 0x41, 0x52, 0xda, 0xff, 0x38, 0xaf, 0x98, 0x8c, 0xae, 0x3c, 0xeb, 0x10, 0xbf, 0xb1, 0x04,
+ 0x63, 0xb0, 0x84, 0xbf, 0x5b, 0xf1, 0xcb, 0xff, 0xc8, 0x83, 0x27, 0x60, 0xc5, 0x6f, 0x2c, 0xc1,
+ 0x74, 0x1a, 0x90, 0x0d, 0xcf, 0xcb, 0xab, 0x90, 0x66, 0x21, 0x51, 0x49, 0x66, 0x9c, 0x28, 0xc8,
+ 0xa2, 0xaa, 0xef, 0x66, 0x6c, 0xe4, 0x60, 0x01, 0xa6, 0xbf, 0x17, 0x7c, 0x88, 0x64, 0x2a, 0x6c,
+ 0xc1, 0x54, 0x43, 0xe4, 0x9c, 0x98, 0xd6, 0x15, 0xbf, 0x95, 0xd8, 0x89, 0x6a, 0xd4, 0x84, 0x9e,
+ 0x93, 0x8c, 0x55, 0x95, 0xc1, 0x40, 0x71, 0x90, 0x83, 0xbe, 0x07, 0x39, 0x15, 0xf8, 0x85, 0xa7,
+ 0xaf, 0x40, 0x9a, 0x6b, 0x4d, 0x7a, 0xb8, 0xae, 0x8e, 0xce, 0x57, 0x0f, 0xfb, 0x85, 0xb9, 0x10,
+ 0x39, 0x77, 0x41, 0xb1, 0x21, 0x46, 0xbd, 0xf3, 0xb7, 0x04, 0x64, 0x54, 0x4e, 0x8b, 0xbe, 0x03,
+ 0x19, 0xf5, 0xce, 0xc8, 0x98, 0x1b, 0x47, 0xae, 0x41, 0xe6, 0x7e, 0x58, 0x54, 0xd3, 0xd8, 0x83,
+ 0x64, 0xa7, 0xe9, 0xfa, 0x1f, 0x75, 0xbc, 0xd3, 0xf0, 0x8f, 0x38, 0x7c, 0x05, 0xbd, 0x0a, 0x19,
+ 0xfe, 0xc1, 0xcc, 0xb0, 0x5a, 0x32, 0xc0, 0x5c, 0x54, 0x78, 0x3b, 0x72, 0xfe, 0xb0, 0x5f, 0x98,
+ 0x56, 0xbf, 0xf9, 0x55, 0xbd, 0x1d, 0xe8, 0x0e, 0x24, 0xdd, 0x96, 0xca, 0xca, 0x62, 0x04, 0xdd,
+ 0xea, 0x66, 0x45, 0xb8, 0x7d, 0x79, 0x92, 0x65, 0xd7, 0xd5, 0xcd, 0x0a, 0x66, 0x00, 0xe8, 0xbb,
+ 0x30, 0x61, 0x33, 0x03, 0x70, 0x64, 0xf8, 0x58, 0x8e, 0xd9, 0xc2, 0x2a, 0x9b, 0x9d, 0x9a, 0xd9,
+ 0x69, 0x78, 0x5d, 0x36, 0xbf, 0x61, 0xc1, 0xd1, 0xb0, 0x44, 0xd5, 0x7f, 0x97, 0x84, 0x39, 0x25,
+ 0x73, 0xbf, 0x43, 0xf3, 0x95, 0x50, 0x87, 0xe6, 0xc5, 0x48, 0x87, 0xe6, 0xfc, 0xd0, 0x86, 0xcf,
+ 0x5a, 0x34, 0x4f, 0xb6, 0x45, 0xf3, 0xa1, 0x06, 0x33, 0xe1, 0xaa, 0xd0, 0x33, 0x68, 0x2d, 0xec,
+ 0x5e, 0x01, 0x83, 0x6e, 0x84, 0x8a, 0x5c, 0x91, 0x0e, 0xbc, 0x12, 0xbf, 0xfa, 0x8c, 0xdf, 0xf4,
+ 0xfb, 0x73, 0x02, 0xce, 0x1d, 0x65, 0x84, 0xc8, 0x85, 0x59, 0x3b, 0xd2, 0x98, 0xd5, 0x3e, 0x69,
+ 0x63, 0xf6, 0x73, 0xf2, 0x10, 0xb3, 0xd1, 0x8e, 0x6c, 0x94, 0x05, 0xea, 0x42, 0x8e, 0x4f, 0x3d,
+ 0x8e, 0x66, 0xf5, 0x79, 0x95, 0xd1, 0xe0, 0x20, 0x22, 0x0e, 0x33, 0xf0, 0x3f, 0x9c, 0x27, 0x63,
+ 0x7e, 0x38, 0x4f, 0x8d, 0xfa, 0x70, 0xae, 0x3f, 0xd0, 0x20, 0x7a, 0x53, 0xf4, 0x23, 0x98, 0xeb,
+ 0x0c, 0x75, 0xe2, 0xb5, 0x4f, 0x7e, 0xb9, 0xe7, 0x25, 0xff, 0xb9, 0xe1, 0xde, 0xfb, 0x30, 0x23,
+ 0xb4, 0x0e, 0x73, 0x56, 0xa7, 0x75, 0x50, 0x21, 0x6d, 0xff, 0x4c, 0x5c, 0xb4, 0x19, 0x1f, 0x68,
+ 0x3b, 0x4a, 0x80, 0x87, 0xf7, 0xe8, 0xef, 0x6b, 0xa0, 0x57, 0xa8, 0x61, 0x53, 0xf7, 0x7f, 0xef,
+ 0xbf, 0x11, 0x3e, 0xd0, 0xe0, 0x52, 0x8c, 0xff, 0x23, 0x78, 0x3a, 0x87, 0xfb, 0x67, 0x02, 0x32,
+ 0xd5, 0xb5, 0x4f, 0x49, 0x73, 0x64, 0x27, 0xd4, 0x1c, 0x89, 0xf1, 0x09, 0x4c, 0xdd, 0xfc, 0xd8,
+ 0xde, 0xc8, 0xb7, 0x23, 0xbd, 0x91, 0xeb, 0x63, 0x60, 0x9e, 0xdc, 0x1a, 0xf9, 0x58, 0x83, 0x19,
+ 0x45, 0xfa, 0xff, 0xd3, 0x19, 0xf9, 0x30, 0x01, 0xd3, 0xea, 0xd6, 0xcf, 0x7c, 0x59, 0xbc, 0x1d,
+ 0x2e, 0x8b, 0xaf, 0xc4, 0xb7, 0x8d, 0x63, 0xaa, 0xe2, 0x9f, 0x69, 0x90, 0x53, 0x24, 0x22, 0x55,
+ 0x8e, 0xaa, 0x4b, 0x7b, 0xb2, 0xea, 0xfa, 0xbd, 0xe6, 0xab, 0x8b, 0x97, 0x70, 0x3b, 0xc1, 0xd4,
+ 0x3d, 0x56, 0x3a, 0x1d, 0xba, 0x4f, 0x39, 0xeb, 0xe5, 0xf9, 0x2a, 0xa5, 0xaf, 0x7a, 0x05, 0x56,
+ 0x62, 0x5c, 0x0f, 0x3b, 0xa1, 0xbe, 0x32, 0xfc, 0x73, 0xf3, 0xf2, 0xaa, 0xa2, 0x9a, 0x4c, 0x5a,
+ 0xdc, 0xaf, 0xe3, 0xc1, 0x6b, 0x1f, 0xdd, 0x63, 0xd2, 0xdf, 0x0d, 0xb8, 0xf0, 0xd3, 0x2a, 0xae,
+ 0x1e, 0x26, 0x20, 0xeb, 0xe5, 0xfd, 0xe8, 0x2a, 0xa4, 0xda, 0x56, 0x4d, 0xe5, 0xdc, 0x2a, 0xbd,
+ 0x49, 0x6d, 0x59, 0x35, 0x96, 0x73, 0x4f, 0x56, 0x37, 0x2b, 0xec, 0x27, 0xe6, 0x44, 0xe8, 0x27,
+ 0x1a, 0xcc, 0x18, 0xd4, 0x76, 0xcd, 0xba, 0x69, 0x10, 0x97, 0xfa, 0xd1, 0xe0, 0xb5, 0x38, 0xff,
+ 0x17, 0x37, 0xea, 0xad, 0x2d, 0x5f, 0x90, 0xdc, 0x67, 0xd6, 0x42, 0x3c, 0x70, 0x84, 0x27, 0x32,
+ 0x60, 0xd2, 0xea, 0x06, 0xf3, 0xc9, 0x95, 0x31, 0x2a, 0x9d, 0xe2, 0xb6, 0xd8, 0x1a, 0xe9, 0xa3,
+ 0xc8, 0x59, 0xac, 0x90, 0x17, 0x6e, 0xc2, 0x74, 0x90, 0x72, 0x9c, 0x46, 0x46, 0xb9, 0x78, 0xff,
+ 0x51, 0xfe, 0xcc, 0x47, 0x8f, 0xf2, 0x67, 0x1e, 0x3c, 0xca, 0x9f, 0x79, 0x67, 0x90, 0xd7, 0xee,
+ 0x0f, 0xf2, 0xda, 0x47, 0x83, 0xbc, 0xf6, 0x60, 0x90, 0xd7, 0x1e, 0x0e, 0xf2, 0xda, 0xcf, 0xff,
+ 0x92, 0x3f, 0xf3, 0x56, 0x46, 0x1d, 0xee, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xdc, 0xb2, 0xe0,
+ 0xce, 0x69, 0x2a, 0x00, 0x00,
}
func (m *ConfigMapsDefaultLocalObjectReference) Marshal() (dAtA []byte, err error) {
@@ -3354,20 +3356,21 @@ func (m *TLSConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) {
dAtA[i] = 0x1a
}
}
- if len(m.CertificateRefs) > 0 {
- for iNdEx := len(m.CertificateRefs) - 1; iNdEx >= 0; iNdEx-- {
- {
- size, err := m.CertificateRefs[iNdEx].MarshalToSizedBuffer(dAtA[:i])
- if err != nil {
- return 0, err
- }
- i -= size
- i = encodeVarintGenerated(dAtA, i, uint64(size))
- }
- i--
- dAtA[i] = 0xa
+ {
+ size, err := m.CertificateRef.MarshalToSizedBuffer(dAtA[:i])
+ if err != nil {
+ return 0, err
}
+ i -= size
+ i = encodeVarintGenerated(dAtA, i, uint64(size))
}
+ i--
+ dAtA[i] = 0x12
+ i -= len(m.Mode)
+ copy(dAtA[i:], m.Mode)
+ i = encodeVarintGenerated(dAtA, i, uint64(len(m.Mode)))
+ i--
+ dAtA[i] = 0xa
return len(dAtA) - i, nil
}
@@ -4088,12 +4091,10 @@ func (m *TLSConfig) Size() (n int) {
}
var l int
_ = l
- if len(m.CertificateRefs) > 0 {
- for _, e := range m.CertificateRefs {
- l = e.Size()
- n += 1 + l + sovGenerated(uint64(l))
- }
- }
+ l = len(m.Mode)
+ n += 1 + l + sovGenerated(uint64(l))
+ l = m.CertificateRef.Size()
+ n += 1 + l + sovGenerated(uint64(l))
if len(m.Options) > 0 {
for k, v := range m.Options {
_ = k
@@ -4695,11 +4696,6 @@ func (this *TLSConfig) String() string {
if this == nil {
return "nil"
}
- repeatedStringForCertificateRefs := "[]SecretsDefaultLocalObjectReference{"
- for _, f := range this.CertificateRefs {
- repeatedStringForCertificateRefs += strings.Replace(strings.Replace(f.String(), "SecretsDefaultLocalObjectReference", "SecretsDefaultLocalObjectReference", 1), `&`, ``, 1) + ","
- }
- repeatedStringForCertificateRefs += "}"
keysForOptions := make([]string, 0, len(this.Options))
for k := range this.Options {
keysForOptions = append(keysForOptions, k)
@@ -4711,7 +4707,8 @@ func (this *TLSConfig) String() string {
}
mapStringForOptions += "}"
s := strings.Join([]string{`&TLSConfig{`,
- `CertificateRefs:` + repeatedStringForCertificateRefs + `,`,
+ `Mode:` + fmt.Sprintf("%v", this.Mode) + `,`,
+ `CertificateRef:` + strings.Replace(strings.Replace(this.CertificateRef.String(), "SecretsDefaultLocalObjectReference", "SecretsDefaultLocalObjectReference", 1), `&`, ``, 1) + `,`,
`Options:` + mapStringForOptions + `,`,
`}`,
}, "")
@@ -10699,7 +10696,39 @@ func (m *TLSConfig) Unmarshal(dAtA []byte) error {
switch fieldNum {
case 1:
if wireType != 2 {
- return fmt.Errorf("proto: wrong wireType = %d for field CertificateRefs", wireType)
+ return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowGenerated
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Mode = TLSMode(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 2:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field CertificateRef", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
@@ -10726,8 +10755,7 @@ func (m *TLSConfig) Unmarshal(dAtA []byte) error {
if postIndex > l {
return io.ErrUnexpectedEOF
}
- m.CertificateRefs = append(m.CertificateRefs, SecretsDefaultLocalObjectReference{})
- if err := m.CertificateRefs[len(m.CertificateRefs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+ if err := m.CertificateRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
diff --git a/apis/v1alpha1/generated.proto b/apis/v1alpha1/generated.proto
index d677a86188..7a383972ce 100644
--- a/apis/v1alpha1/generated.proto
+++ b/apis/v1alpha1/generated.proto
@@ -827,6 +827,16 @@ message Listener {
// is required if the Protocol field is "HTTPS" or "TLS" and
// ignored otherwise.
//
+ // The association of SNIs to Certificate defined in TLSConfig is
+ // defined based on the value of HostnameMatchType for this listener:
+ // - "Domain": Certificate should be used used for the domain and its
+ // first-level subdomains.
+ // - "Exact": Certificate should be used for the domain only.
+ // - "Any": Certificate in TLSConfig is the default certificate to use.
+ //
+ // The GatewayClass MUST use the longest matching SNI out of all
+ // available certificate for any TLS handshake.
+ //
// Support: Core
//
// +optional
@@ -1201,20 +1211,28 @@ message TCPRouteStatus {
// - aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
// - azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112
message TLSConfig {
- // CertificateRefs is a list of references to Kubernetes objects that each
- // contain an identity certificate. The host name in a TLS SNI client hello
- // message is used for certificate matching and route host name selection.
- // The SNI server_name must match a route host name for the Gateway to route
- // the TLS request. If an entry in this list omits or specifies the empty
+ // Mode defines the TLS behavior for the TLS session initiated by the client.
+ // There are two possible modes:
+ // - Terminate: The TLS session between the downstream client
+ // and the Gateway is terminated at the Gateway.
+ // - Passthrough: The TLS session NOT terminated by the Gateway. This
+ // implies that the Gateway can't decipher the TLS stream except for
+ // the ClientHello message of the TLS protocol.
+ optional string mode = 1;
+
+ // CertificateRef is the reference to Kubernetes object that
+ // contain an identity certificate.
+ // This certificate MUST be used for TLS handshakes for the domain
+ // this TLSConfig is associated with.
+ // If an entry in this list omits or specifies the empty
// string for both the group and the resource, the resource defaults to "secrets".
// An implementation may support other resources (for example, resource
// "mycertificates" in group "networking.acme.io").
- //
// Support: Core (Kubernetes Secrets)
// Support: Implementation-specific (Other resource types)
//
// +required
- repeated SecretsDefaultLocalObjectReference certificateRefs = 1;
+ optional SecretsDefaultLocalObjectReference certificateRef = 2;
// Options are a list of key/value pairs to give extended options
// to the provider.
diff --git a/apis/v1alpha1/tlsconfig_types.go b/apis/v1alpha1/tlsconfig_types.go
index 2cc97aa7fc..f1380f4c68 100644
--- a/apis/v1alpha1/tlsconfig_types.go
+++ b/apis/v1alpha1/tlsconfig_types.go
@@ -15,6 +15,18 @@ limitations under the License.
package v1alpha1
+// TLSMode type defines behavior of gateway with TLS protocol.
+// +kubebuilder:validation:Enum=Terminate;Passthrough
+// +kubebuilder:default=Terminate
+type TLSMode string
+
+const (
+ // TLSModeTerminate represents the Terminate mode.
+ TLSModeTerminate TLSMode = "Terminate"
+ // TLSModePassthrough represents the Passthrough mode.
+ TLSModePassthrough TLSMode = "Passthrough"
+)
+
// TLSConfig describes a TLS configuration.
//
// References
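Review bot: The `+kubebuilder:default=Terminate` marker on the `TLSMode` type does not appear to reach the schema: the regenerated CRD in this same patch gives `mode` an `enum` of `Terminate` and `Passthrough` but no `default`, whereas `group` and `resource` carry `default: core` and `default: secrets`. Because the field is tagged `omitempty`, a TLSConfig written without `mode` is stored with an empty value, and each implementation is left to decide whether that means terminating the session or passing it through. I would put the marker on the `Mode` field of `TLSConfig` instead (`// +kubebuilder:default=Terminate`) and state the fallback in the type comment, for example `// An unset or empty TLSMode MUST be treated as TLSModeTerminate.`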
@@ -25,20 +37,28 @@ package v1alpha1
// - aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
// - azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112
type TLSConfig struct {
- // CertificateRefs is a list of references to Kubernetes objects that each
- // contain an identity certificate. The host name in a TLS SNI client hello
- // message is used for certificate matching and route host name selection.
- // The SNI server_name must match a route host name for the Gateway to route
- // the TLS request. If an entry in this list omits or specifies the empty
+ // Mode defines the TLS behavior for the TLS session initiated by the client.
+ // There are two possible modes:
+ // - Terminate: The TLS session between the downstream client
+ // and the Gateway is terminated at the Gateway.
+ // - Passthrough: The TLS session NOT terminated by the Gateway. This
+ // implies that the Gateway can't decipher the TLS stream except for
+ // the ClientHello message of the TLS protocol.
+ Mode TLSMode `json:"mode,omitempty" protobuf:"bytes,1,opt,name=mode"`
+
+ // CertificateRef is the reference to Kubernetes object that
+ // contain an identity certificate.
+ // This certificate MUST be used for TLS handshakes for the domain
+ // this TLSConfig is associated with.
+ // If an entry in this list omits or specifies the empty
// string for both the group and the resource, the resource defaults to "secrets".
// An implementation may support other resources (for example, resource
// "mycertificates" in group "networking.acme.io").
- //
// Support: Core (Kubernetes Secrets)
// Support: Implementation-specific (Other resource types)
//
// +required
- CertificateRefs []CertificateObjectReference `json:"certificateRefs,omitempty" protobuf:"bytes,1,rep,name=certificateRefs"`
+ CertificateRef CertificateObjectReference `json:"certificateRef,omitempty" protobuf:"bytes,2,opt,name=certificateRef"`
// Options are a list of key/value pairs to give extended options
// to the provider.
//
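Review bot: `CertificateRef` stays `+required`, but its comment does not say what the field means when `Mode` is `Passthrough`, where per the `Mode` comment just above the Gateway never terminates the session and so has no handshake in which to present a certificate. As written, a Passthrough listener would still have to name a Secret whose private key the Gateway does not use, which may hand the implementation key material it has no need for; consider documenting the rule, e.g. `// CertificateRef is required when Mode is Terminate and MUST be ignored when Mode is Passthrough.` The sentence `If an entry in this list omits ...` is left over from the list form and should read `If the reference omits ...`. Separately, protobuf tag 1 is reassigned from the repeated `certificateRefs` message to the `mode` string, so previously serialized data would decode a certificate reference's bytes into `Mode`; giving `mode` a fresh tag and retiring 1 would avoid that. The `TLSConfig` struct continues past the end of this hunk.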
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
index 288b273558..17912b073b 100644
--- a/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/v1alpha1/zz_generated.deepcopy.go
@@ -939,11 +939,7 @@ func (in *TCPRouteStatus) DeepCopy() *TCPRouteStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
*out = *in
- if in.CertificateRefs != nil {
- in, out := &in.CertificateRefs, &out.CertificateRefs
- *out = make([]SecretsDefaultLocalObjectReference, len(*in))
- copy(*out, *in)
- }
+ out.CertificateRef = in.CertificateRef
if in.Options != nil {
in, out := &in.Options, &out.Options
*out = make(map[string]string, len(*in))
diff --git a/config/crd/bases/networking.x-k8s.io_gateways.yaml b/config/crd/bases/networking.x-k8s.io_gateways.yaml
index bca2f92872..eea490055f 100644
--- a/config/crd/bases/networking.x-k8s.io_gateways.yaml
+++ b/config/crd/bases/networking.x-k8s.io_gateways.yaml
@@ -176,28 +176,31 @@ spec:
- resource
type: object
tls:
- description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\" and ignored otherwise. \n Support: Core"
+ description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\" and ignored otherwise. \n The association of SNIs to Certificate defined in TLSConfig is defined based on the value of HostnameMatchType for this listener: - \"Domain\": Certificate should be used used for the domain and its first-level subdomains. - \"Exact\": Certificate should be used for the domain only. - \"Any\": Certificate in TLSConfig is the default certificate to use. \n The GatewayClass MUST use the longest matching SNI out of all available certificate for any TLS handshake. \n Support: Core"
properties:
- certificateRefs:
- description: "CertificateRefs is a list of references to Kubernetes objects that each contain an identity certificate. The host name in a TLS SNI client hello message is used for certificate matching and route host name selection. The SNI server_name must match a route host name for the Gateway to route the TLS request. If an entry in this list omits or specifies the empty string for both the group and the resource, the resource defaults to \"secrets\". An implementation may support other resources (for example, resource \"mycertificates\" in group \"networking.acme.io\"). \n Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)"
- items:
- description: SecretsDefaultLocalObjectReference identifies an API object within a known namespace that defaults group to core and resource to secrets if unspecified.
- properties:
- group:
- default: core
- description: "Group is the group of the referent. Omitting the value or specifying the empty string indicates the core API group. For example, use the following to specify a secrets resource: \n fooRef: resource: secrets name: mysecret \n Otherwise, if the core API group is not desired, specify the desired group: \n fooRef: group: acme.io resource: foos name: myfoo"
- type: string
- name:
- description: Name is the name of the referent.
- type: string
- resource:
- default: secrets
- description: "Resource is the API resource name of the referent. Omitting the value or specifying the empty string indicates the secrets resource. For example, use the following to specify a secrets resource: \n fooRef: name: mysecret \n Otherwise, if the secrets resource is not desired, specify the desired group: \n fooRef: group: acme.io resource: foos name: myfoo"
- type: string
- required:
- - name
- type: object
- type: array
+ certificateRef:
+ description: 'CertificateRef is the reference to Kubernetes object that contain an identity certificate. This certificate MUST be used for TLS handshakes for the domain this TLSConfig is associated with. If an entry in this list omits or specifies the empty string for both the group and the resource, the resource defaults to "secrets". An implementation may support other resources (for example, resource "mycertificates" in group "networking.acme.io"). Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)'
+ properties:
+ group:
+ default: core
+ description: "Group is the group of the referent. Omitting the value or specifying the empty string indicates the core API group. For example, use the following to specify a secrets resource: \n fooRef: resource: secrets name: mysecret \n Otherwise, if the core API group is not desired, specify the desired group: \n fooRef: group: acme.io resource: foos name: myfoo"
+ type: string
+ name:
+ description: Name is the name of the referent.
+ type: string
+ resource:
+ default: secrets
+ description: "Resource is the API resource name of the referent. Omitting the value or specifying the empty string indicates the secrets resource. For example, use the following to specify a secrets resource: \n fooRef: name: mysecret \n Otherwise, if the secrets resource is not desired, specify the desired group: \n fooRef: group: acme.io resource: foos name: myfoo"
+ type: string
+ required:
+ - name
+ type: object
+ mode:
+ description: 'Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. - Passthrough: The TLS session NOT terminated by the Gateway. This implies that the Gateway can''t decipher the TLS stream except for the ClientHello message of the TLS protocol.'
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
options:
additionalProperties:
type: string
diff --git a/docs-src/spec.md b/docs-src/spec.md
index 88f0a935eb..25fec693a3 100644
--- a/docs-src/spec.md
+++ b/docs-src/spec.md
@@ -1995,6 +1995,14 @@ TLSConfig
TLS is the TLS configuration for the Listener. This field
is required if the Protocol field is “HTTPS” or “TLS” and
ignored otherwise.
+The association of SNIs to Certificate defined in TLSConfig is
+defined based on the value of HostnameMatchType for this listener:
+- “Domain”: Certificate should be used used for the domain and its
+first-level subdomains.
+- “Exact”: Certificate should be used for the domain only.
+- “Any”: Certificate in TLSConfig is the default certificate to use.
+The GatewayClass MUST use the longest matching SNI out of all
+available certificate for any TLS handshake.
Support: Core
@@ -2750,23 +2758,42 @@ TCPRouteAction
-certificateRefs
+mode
+
+
+TLSMode
+
+
+ |
+
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+There are two possible modes:
+- Terminate: The TLS session between the downstream client
+and the Gateway is terminated at the Gateway.
+- Passthrough: The TLS session NOT terminated by the Gateway. This
+implies that the Gateway can’t decipher the TLS stream except for
+the ClientHello message of the TLS protocol.
+ |
+
+
+
+certificateRef
-[]SecretsDefaultLocalObjectReference
+SecretsDefaultLocalObjectReference
|
- CertificateRefs is a list of references to Kubernetes objects that each
-contain an identity certificate. The host name in a TLS SNI client hello
-message is used for certificate matching and route host name selection.
-The SNI server_name must match a route host name for the Gateway to route
-the TLS request. If an entry in this list omits or specifies the empty
+ CertificateRef is the reference to Kubernetes object that
+contain an identity certificate.
+This certificate MUST be used for TLS handshakes for the domain
+this TLSConfig is associated with.
+If an entry in this list omits or specifies the empty
string for both the group and the resource, the resource defaults to “secrets”.
An implementation may support other resources (for example, resource
-“mycertificates” in group “networking.acme.io”).
-Support: Core (Kubernetes Secrets)
+“mycertificates” in group “networking.acme.io”).
+Support: Core (Kubernetes Secrets)
Support: Implementation-specific (Other resource types)
|
@@ -2789,6 +2816,15 @@ construct.
+TLSMode
+(string
alias)
+
+(Appears on:
+TLSConfig)
+
+
+
TLSMode type defines behavior of gateway with TLS protocol.
+
TargetPort
(int32
alias)
diff --git a/docs/spec/index.html b/docs/spec/index.html
index 42840e9b2a..4ba33091bd 100644
--- a/docs/spec/index.html
+++ b/docs/spec/index.html
@@ -2320,6 +2320,14 @@
Listener
TLS is the TLS configuration for the Listener. This field
is required if the Protocol field is “HTTPS” or “TLS” and
ignored otherwise.
+The association of SNIs to Certificate defined in TLSConfig is
+defined based on the value of HostnameMatchType for this listener:
+- “Domain”: Certificate should be used used for the domain and its
+first-level subdomains.
+- “Exact”: Certificate should be used for the domain only.
+- “Any”: Certificate in TLSConfig is the default certificate to use.
+The GatewayClass MUST use the longest matching SNI out of all
+available certificate for any TLS handshake.
Support: Core
@@ -3075,23 +3083,42 @@ TLSConfig
-certificateRefs
+mode
+
+
+TLSMode
+
+
+ |
+
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+There are two possible modes:
+- Terminate: The TLS session between the downstream client
+and the Gateway is terminated at the Gateway.
+- Passthrough: The TLS session NOT terminated by the Gateway. This
+implies that the Gateway can’t decipher the TLS stream except for
+the ClientHello message of the TLS protocol.
+ |
+
+
+
+certificateRef
-[]SecretsDefaultLocalObjectReference
+SecretsDefaultLocalObjectReference
|
- CertificateRefs is a list of references to Kubernetes objects that each
-contain an identity certificate. The host name in a TLS SNI client hello
-message is used for certificate matching and route host name selection.
-The SNI server_name must match a route host name for the Gateway to route
-the TLS request. If an entry in this list omits or specifies the empty
+ CertificateRef is the reference to Kubernetes object that
+contain an identity certificate.
+This certificate MUST be used for TLS handshakes for the domain
+this TLSConfig is associated with.
+If an entry in this list omits or specifies the empty
string for both the group and the resource, the resource defaults to “secrets”.
An implementation may support other resources (for example, resource
-“mycertificates” in group “networking.acme.io”).
-Support: Core (Kubernetes Secrets)
+“mycertificates” in group “networking.acme.io”).
+Support: Core (Kubernetes Secrets)
Support: Implementation-specific (Other resource types)
|
@@ -3114,6 +3141,15 @@ TLSConfig
+TLSMode
+(string
alias)
+
+(Appears on:
+TLSConfig)
+
+
+
TLSMode type defines behavior of gateway with TLS protocol.
+
TargetPort
(int32
alias)