kubernetes-sigs · Miciah · Feb 13, 2020
diff --git a/api/v1alpha1/generated.pb.go b/api/v1alpha1/generated.pb.go
diff --git a/api/v1alpha1/generated.proto b/api/v1alpha1/generated.proto
diff --git a/api/v1alpha1/httproute_types.go b/api/v1alpha1/httproute_types.go
@@ -55,6 +55,12 @@ type HTTPRouteHost struct {
 	// Rules are a list of HTTP matchers, filters and actions.
 	Rules []HTTPRouteRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 
+	// TLS specifies the TLS configuration for the target (if the target
+	// uses TLS).
+	//
+	// +optional
+	TLS *HTTPRouteTLS `json:"tls" protobuf:"bytes,4,opt,name=tls"`
+
 	// Extension is an optional, implementation-specific extension to the
 	// "host" block.  The resource may be "configmap" (use the empty string
 	// for the group) or an implementation-defined resource (for example,
@@ -248,6 +254,21 @@ type RouteActionExtensionObjectReference = LocalObjectReference
 // +protobuf=false
 type RouteHostExtensionObjectReference = LocalObjectReference
 
+// HTTPRouteTLS describes the TLS configuration for a given host.
+type HTTPRouteTLS struct {
+	// DestinationCACertificate is a reference to a Kubernetes objects
+	// containing a CA certificate that can be used to validate the route's
+	// target's serving certificate.  If both the group and the resource are
+	// empty, the resource defaults to "secret".  An implementation may
+	// support other resources (for example, resource "mycertificate" in
+	// group "networking.acme.io").
+	//
+	// Support: Extended.
+	//
+	// +optional
+	DestinationCACertificate CertificateObjectReference `json:"destincationCACertificate" protobuf:"bytes,1,opt,name=destincationCACertificate"`
+}
+
 // HTTPRouteStatus defines the observed state of HTTPRoute.
 type HTTPRouteStatus struct {
 	Gateways []GatewayObjectReference `json:"gateways" protobuf:"bytes,1,rep,name=gateways"`

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/networking.x.k8s.io_httproutes.yaml b/config/crd/bases/networking.x.k8s.io_httproutes.yaml
@@ -236,6 +236,35 @@ spec:
                         type: object
                     type: object
                   type: array
+                tls:
+                  description: TLS specifies the TLS configuration for the target
+                    (if the target uses TLS).
+                  properties:
+                    destincationCACertificate:
+                      description: "DestinationCACertificate is a reference to a Kubernetes
+                        objects containing a CA certificate that can be used to validate
+                        the route's target's serving certificate.  If both the group
+                        and the resource are empty, the resource defaults to \"secret\".
+                        \ An implementation may support other resources (for example,
+                        resource \"mycertificate\" in group \"networking.acme.io\").
+                        \n Support: Extended."
+                      properties:
+                        group:
+                          description: Group is the group of the referent.  The empty
+                            string represents the core API group.
+                          type: string
+                        name:
+                          description: Name is the name of the referent.
+                          type: string
+                        resource:
+                          description: Resource is the resource of the referent.
+                          type: string
+                      required:
+                      - group
+                      - name
+                      - resource
+                      type: object
+                  type: object
               required:
               - rules
               type: object
@@ -444,6 +473,35 @@ spec:
                           type: object
                       type: object
                     type: array
+                  tls:
+                    description: TLS specifies the TLS configuration for the target
+                      (if the target uses TLS).
+                    properties:
+                      destincationCACertificate:
+                        description: "DestinationCACertificate is a reference to a
+                          Kubernetes objects containing a CA certificate that can
+                          be used to validate the route's target's serving certificate.
+                          \ If both the group and the resource are empty, the resource
+                          defaults to \"secret\".  An implementation may support other
+                          resources (for example, resource \"mycertificate\" in group
+                          \"networking.acme.io\"). \n Support: Extended."
+                        properties:
+                          group:
+                            description: Group is the group of the referent.  The
+                              empty string represents the core API group.
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            type: string
+                          resource:
+                            description: Resource is the resource of the referent.
+                            type: string
+                        required:
+                        - group
+                        - name
+                        - resource
+                        type: object
+                    type: object
                 required:
                 - rules
                 type: object

diff --git a/docs-src/concepts.md b/docs-src/concepts.md
@@ -347,7 +347,19 @@ TODO
 
 #### `HTTPRoute`
 
-TODO
+`HTTPRoute` is a namespace-scoped resource defined by the application
+developer.  An `HTTPRoute` is associated with an arbitrary number of
+`Gateways` and specifies a mapping between incoming HTTP requests
+matching criteria defined in the `HTTPRoute` and some target
+(typically a `Service`, but implementations may allow other resources
+as targets).
+
+TODO: Describe match rules, filters, and actions.
+
+When a `Gateway` uses an `HTTPRoute` to forward a connection, the
+`Gateway` terminates TLS.  If end-to-end encryption is desired, use
+either an `HTTPRoute` and the `Reencrypt` action or a `TCPRoute` to
+pass TLS through without decryption.
 
 #### `TCPRoute`
 

diff --git a/docs/concepts/index.html b/docs/concepts/index.html
@@ -1073,7 +1073,17 @@ <h4 id="listeners">Listeners</h4>
 <h3 id="routes">Routes</h3>
 <p>TODO</p>
 <h4 id="httproute"><code>HTTPRoute</code></h4>
-<p>TODO</p>
+<p><code>HTTPRoute</code> is a namespace-scoped resource defined by the application
+developer.  An <code>HTTPRoute</code> is associated with an arbitrary number of
+<code>Gateways</code> and specifies a mapping between incoming HTTP requests
+matching criteria defined in the <code>HTTPRoute</code> and some target
+(typically a <code>Service</code>, but implementations may allow other resources
+as targets).</p>
+<p>TODO: Describe match rules, filters, and actions.</p>
+<p>When a <code>Gateway</code> uses an <code>HTTPRoute</code> to forward a connection, the
+<code>Gateway</code> terminates TLS.  If end-to-end encryption is desired, use
+either an <code>HTTPRoute</code> and the <code>Reencrypt</code> action or a <code>TCPRoute</code> to
+pass TLS through without decryption.</p>
 <h4 id="tcproute"><code>TCPRoute</code></h4>
 <p>TODO</p>
 <h4 id="generic-routing">Generic routing</h4>

diff --git a/docs/search/search_index.json b/docs/search/search_index.json