Add BackendTLSPolicy implementation and make generate

Signed-off-by: Nick Young <nick@isovalent.com>
kubernetes-sigs · Oct 1, 2023 · 91a98bd · 91a98bd
1 parent f938efd
commit 91a98bd
Show file tree

Hide file tree

Showing 19 changed files with 1,411 additions and 4 deletions.
diff --git a/apis/v1alpha2/backendtlspolicy_types.go b/apis/v1alpha2/backendtlspolicy_types.go
@@ -0,0 +1,157 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+// +kubebuilder:resource:categories=gateway-api,shortName=btlspolicy
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// BackendTLSPolicy provides a way to publish TLS configuration
+// that enables a gateway client to connect to a backend pod.
+type BackendTLSPolicy struct {
+    metav1.TypeMeta   `json:",inline"`
+    metav1.ObjectMeta `json:"metadata,omitempty"`
+
+    // Spec defines the desired state of BackendTLSPolicy.
+    Spec BackendTLSPolicySpec `json:"spec"`
+
+    // Status defines the current state of BackendTLSPolicy.
+    Status PolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// BackendTLSPolicyList contains a list of TCPRoute
+type BackendTLSPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BackendTLSPolicy `json:"items"`
+}
+
+// BackendTLSPolicySpec defines the desired state of
+// BackendTLSPolicy.
+// Note: there is no Override or Default policy configuration.
+//
+// Support: Extended
+type BackendTLSPolicySpec struct {
+    // TargetRef identifies an API object to apply policy to.
+    // Services are the only valid API target references.
+    // Note that this config applies to the entire referenced resource
+    // by default, but this default may change in the future to provide
+    // a more granular application of the policy.
+    TargetRef PolicyTargetReference `json:"targetRef"`
+
+    // TLS contains backend TLS policy configuration.
+    TLS *BackendTLSPolicyConfig `json:"tls"`
+}
+
+// BackendTLSPolicyConfig contains backend TLS policy configuration.
+// +kubebuilder:validation:XValidation:message="must not contain both CertRefs and StandardCerts",rule="(has(self.certRefs) && size(self.certRefs > 0) && has(self.standardCerts) && self.standardCerts != '')"
+// +kubebuilder:validation:XValidation:message="must specify either CertRefs or StandardCerts",rule="!(has(self.certRefs) && size(self.certRefs > 0) || has(self.standardCerts) && self.standardCerts != '')"
+type BackendTLSPolicyConfig struct {
+    // CertRefs contains one or more references to
+    // Kubernetes objects that contain PEM-encoded TLS certificates,
+    // which are used to establish a TLS handshake between the gateway
+    // and backend pod.
+    //
+    // If CertRefs is empty or unspecified, then StandardCerts must
+    // be specified.  Only one of CertRefs or StandardCerts may be
+    // specified, not both.
+    //
+    // If CertRefs is empty or unspecified, then system trusted
+    // certificates should be used. If there are none, or the
+    // implementation doesn't define system trusted certificates,
+    // then a TLS connection must fail.
+    //
+    // References to a resource in a different namespace are
+    // invalid.
+    //
+    // A single CertRef to a Kubernetes ConfigMap kind has "Core"
+    // support.  Implementations MAY choose to support attaching
+    // multiple certificates to a backend, but this behavior is
+    // implementation-specific.  Also implementation-specific is
+    // a CertRef of other object kinds, e.g. Secret.
+    // 
+    // Support: Core - An optional single reference to a Kubernetes
+    // ConfigMap.
+    //
+    // Support: Implementation-specific (No reference, more than one
+    // reference, or resource types other than ConfigMaps.
+    // Service mesh may ignore.)
+    //
+    // +kubebuilder:validation:MaxItems=8
+    // +optional
+    CertRefs []v1beta1.ConfigMapObjectReference `json:"certRefs,omitempty"`
+
+    // StandardCerts specifies whether system CA certificates may
+    // be used in the TLS handshake between the gateway and
+    // backend pod.
+    // 
+    // If StandardCerts is unspecified or set to "", then CertRefs must
+    // be specified with at least one entry for a valid configuration.
+    // If StandardCerts is unspecified or set to "", then CertRefs must
+    // be specified.  Only one of CertRefs or StandardCerts may be
+    // specified, not both.
+    //
+    // StandardCerts must be set to "System" when CertRefs is unspecified.
+    //
+    // If StandardCerts is set to "System", then the system trusted
+    // certificates should be used. If there are none, or the
+    // implementation doesn't define system trusted certificates,
+    // then a TLS connection must fail.
+    //
+    // Support: Core - An optional value to specify whether to use
+    // system certificates or not.
+    //
+    // Support: Implementation-specific (In the absence of support
+    // for usable system certs, may be ignored. Service mesh may ignore.)
+    //
+    // +optional
+    StandardCerts *StandardCertType `json:"standardCerts,omitempty"`
+
+    // Hostname is the Server Name Indication that the Gateway uses to
+    // connect to the backend.  It represents the fully qualified domain
+    // name of a network host, as defined by RFC1123 - except that numeric
+    // IP addresses are not allowed. Each label of the FQDN must consist
+    // of lower case alphanumeric characters or '-', and must start and
+    // end with an alphanumeric character.  No other punctuation is allowed.
+    // Wildcard domain names are specifically disallowed.
+    //
+    // It specifies the hostname that may authenticate, and must be in the
+    // certificate served by the matching backend.
+    //
+    // Support: Core - A required value used by the Gateway to connect to
+    // the backend when a BackendTLSPolicy is specified.
+    Hostname v1beta1.PreciseHostname `json:"hostname"`
+}
+
+// StandardCertType is the type of CA certificate that will be used when
+// the TLS.certRefs is unspecified.
+// +kubebuilder:validation:Enum=System
+type StandardCertType string
+
+const (
+    StandardCertSystem StandardCertType = "System"
+)
+
diff --git a/apis/v1alpha2/policy_types.go b/apis/v1alpha2/policy_types.go
@@ -31,8 +31,6 @@ const (
 	PolicyLabelKey = "gateway.networking.k8s.io/policy"
 )
 
-
-
 // PolicyTargetReference identifies an API object to apply a direct or
 // inherited policy to. This should be used as part of Policy resources
 // that can target Gateway API resources. For more information on how this

diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go
diff --git a/apis/v1alpha2/zz_generated.register.go b/apis/v1alpha2/zz_generated.register.go
diff --git a/apis/v1beta1/object_reference_types.go b/apis/v1beta1/object_reference_types.go
@@ -145,3 +145,44 @@ type BackendObjectReference struct {
 	// +optional
 	Port *PortNumber `json:"port,omitempty"`
 }
+
+// ConfigMapObjectReference identifies an API object including its namespace,
+// defaulting to ConfigMap.
+//
+// The API object must be valid in the cluster; the Group and Kind must
+// be registered in the cluster for this reference to be valid.
+//
+// References to objects with invalid Group and Kind are not valid, and must
+// be rejected by the implementation, with appropriate Conditions set
+// on the containing object.
+type ConfigMapObjectReference struct {
+    // Group is the group of the referent.  For example, "gateway.networking.k8s.io".
+    // When unspecified or empty string, core API group is inferred.
+    //
+    // +optional
+    // +kubebuilder:default=""
+    Group *Group `json:"group"`
+
+    // Kind is the kind of the referent.  For example, "ConfigMap".
+    //
+    // +optional
+    // +kubebuilder:default=ConfigMap
+    Kind *Kind `json:"kind"`
+
+    // Name is the metadata.name of the referenced config map.
+    // +kubebuilder:validation:Required
+    Name ObjectName `json:"name"`
+
+    // Namespace is the namespace of the referenced object. When unspecified, the local
+    // namespace is inferred.
+    //
+    // Note that when a namespace different than the local namespace is specified,
+    // a ReferenceGrant object is required in the referent namespace to allow that
+    // namespace's owner to accept the reference. See the ReferenceGrant
+    // documentation for details.
+    //
+    // Support: Core
+    //
+    // +optional
+    Namespace *Namespace `json:"namespace,omitempty"`
+}