
support protocol TLS with TLS mode Terminate
Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss committed Jun 9, 2023
1 parent f8b4bfb commit 83ea358
Showing 1 changed file with 19 additions and 11 deletions.
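--- a/internal/dag/gatewayapi_processor.go
+++ b/internal/dag/gatewayapi_processor.go
@@ -519,27 +519,35 @@ func (p *GatewayAPIProcessor) computeListener(
 case gatewayapi_v1beta1.TLSProtocolType:
 // The TLS protocol is used for TCP traffic encrypted with TLS.
 // Gateway API allows TLS to be either terminated at the proxy
-// or passed through to the backend, but the former requires using
-// TCPRoute to route traffic since the underlying protocol is TCP
-// not HTTP, which Contour doesn't support. Therefore, we only
-// support "Passthrough" with the TLS protocol, which requires
-// the use of TLSRoute to route to backends since the traffic is
-// still encrypted.
+// or passed through to the backend. This protocol is compatible
+// with both TLSRoute (if SNI is needed for routing decisions) and
+// TCPRoute (if SNI is not needed for routing decisions).
 
 if listener.TLS == nil {
 addInvalidListenerCondition(fmt.Sprintf("Listener.TLS is required when protocol is %q.", listener.Protocol))
 return false, nil
 }
 
-if listener.TLS.Mode == nil || *listener.TLS.Mode != gatewayapi_v1beta1.TLSModePassthrough {
-addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.Mode must be %q when protocol is %q.", gatewayapi_v1beta1.TLSModePassthrough, listener.Protocol))
+if listener.TLS.Mode == nil {
+addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.Mode is required when protocol is %q.", listener.Protocol))
 return false, nil
 }
 
-if len(listener.TLS.CertificateRefs) != 0 {
-addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.CertificateRefs cannot be defined when Listener.TLS.Mode is %q.", gatewayapi_v1beta1.TLSModePassthrough))
-return false, nil
+switch *listener.TLS.Mode {
+case gatewayapi_v1beta1.TLSModeTerminate:
+// Resolve the TLS secret.
+if listenerSecret = p.resolveListenerSecret(listener.TLS.CertificateRefs, string(listener.Name), gwAccessor); listenerSecret == nil {
+// If TLS was configured on the Listener, but the secret ref is invalid, don't allow any
+// routes to be bound to this listener since it can't serve TLS traffic.
+return false, nil
+}
+case gatewayapi_v1beta1.TLSModePassthrough:
+if len(listener.TLS.CertificateRefs) != 0 {
+addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.CertificateRefs cannot be defined when Listener.TLS.Mode is %q.", gatewayapi_v1beta1.TLSModePassthrough))
+return false, nil
+}
 }
+
 }
 
 return true, &listenerInfo{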
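Review bot: The new `switch *listener.TLS.Mode` has no `default` arm, so a mode value that is neither Terminate nor Passthrough falls out of the switch and reaches `return true, &listenerInfo{` with nothing about the TLS config validated, whereas the replaced `if` rejected every non-Passthrough value; the listener would be accepted with neither a resolved secret nor the CertificateRefs check. A defensive arm keeps the old fail-closed behaviour: `default:` / `addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.Mode %q is not supported when protocol is %q.", *listener.TLS.Mode, listener.Protocol))` / `return false, nil`. The Terminate arm also returns `false, nil` without calling addInvalidListenerCondition, unlike every other rejection in this hunk; presumably resolveListenerSecret records its own condition through gwAccessor, but that is worth confirming so a bad certificate ref does not leave the listener silently unbound. The enclosing computeListener starts and ends outside the hunk, and listenerSecret is assigned here but declared above it.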
