
Commit ffa4a97

add ecdsa certificate support at gateways (#3466)
* add ecdsa certificate support at gateways
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add support for certs
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add cel validations
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add comments for subject alt names
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* clean gen
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* fix validations
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* fix message
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
---------
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
1 parent e41c1d8 commit ffa4a97


8 files changed

+562
-60
lines changed


kubernetes/customresourcedefinitions.gen.yaml

Lines changed: 234 additions & 0 deletions

networking/v1/gateway_alias.gen.go

Lines changed: 7 additions & 0 deletions

networking/v1alpha3/gateway.pb.go

Lines changed: 176 additions & 58 deletions

networking/v1alpha3/gateway.pb.html

Lines changed: 72 additions & 2 deletions

networking/v1alpha3/gateway.proto

Lines changed: 34 additions & 0 deletions
@@ -380,6 +380,9 @@ message Port {
380380
uint32 target_port = 4 [deprecated=true];
381381
}
382382

383+
// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
384+
// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
385+
// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
383386
message ServerTLSSettings {
384387
// If set to true, the load balancer will send a 301 redirect for
385388
// all http connections, asking the clients to use HTTPS.
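Review bot: the third XValidation rule duplicates the first one instead of checking the pair its message names. Its message says "only one of credentialName or tlsCertificates can be set", but its expression is `oneof(self.credentialNames, self.tlsCertificates)`, the same pair the first rule already covers, so a Gateway that sets both `credentialName` and `tlsCertificates` is not rejected by any of these three rules. Change it to `rule="oneof(self.credentialName, self.tlsCertificates)"` so that all three pairs are mutually exclusive as the field comments claim.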
@@ -471,9 +474,40 @@ message ServerTLSSettings {
471474
// or credentialName can be specified.
472475
string credential_name = 10;
473476

477+
// Same as CredentialName but for multiple certificates. Mainly used for specifying
478+
// RSA and ECDSA certificates for the same server.
479+
// +kubebuilder:validation:MaxItems=2
480+
// +kubebuilder:validation:MinItems=1
481+
repeated string credential_names = 14;
482+
483+
// TLSCertificate describes the server's TLS certificate.
484+
message TLSCertificate {
485+
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
486+
// holding the server-side TLS certificate to use.
487+
string server_certificate = 1;
488+
489+
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
490+
// holding the server's private key.
491+
string private_key = 2;
492+
493+
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file
494+
// containing certificate authority certificates to use in verifying a presented
495+
// client side certificate.
496+
string ca_certificates = 3;
497+
}
498+
499+
// Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name`
500+
// or `credential_names` or `tls_certificates` should be specified.
501+
// This is mainly used for specifying RSA and ECDSA certificates for the same server.
502+
// +kubebuilder:validation:MaxItems=2
503+
// +kubebuilder:validation:MinItems=1
504+
repeated TLSCertificate tls_certificates = 15;
505+
474506
// A list of alternate names to verify the subject identity in the
475507
// certificate presented by the client.
476508
// Requires TLS mode to be set to `MUTUAL`.
509+
// When multiple certificates are provided via `credential_names` or `tls_certificates`,
510+
// the subject alternate names are validated against the selected certificate.
477511
repeated string subject_alt_names = 6;
478512

479513
// An optional list of base64-encoded SHA-256 hashes of the SPKIs of
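Review bot: the field comments inside `TLSCertificate` ("REQUIRED if mode is `SIMPLE` or `MUTUAL`", "REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`") are copied from the top-level `server_certificate`, `private_key` and `ca_certificates` fields and do not fit a list entry: once an entry of `tls_certificates` is present, `server_certificate` and `private_key` are needed regardless of mode, and nothing in this hunk (no CEL rule, no MinLength) enforces that. Per-entry `ca_certificates` is also ambiguous, because the CA bundle used to verify a presented client certificate is not tied to which of the two server certificates was selected; document which entry's bundle applies when the entries disagree, or keep the CA at the server level. The comment on `tls_certificates` ("Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name` or `credential_names` or `tls_certificates` should be specified") also reads as a chain of "or"s; rephrase it as: the file-based fields, `credential_name`, `credential_names` and `tls_certificates` are mutually exclusive.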

networking/v1alpha3/gateway_deepcopy.gen.go

Lines changed: 21 additions & 0 deletions

networking/v1alpha3/gateway_json.gen.go

Lines changed: 11 additions & 0 deletions

networking/v1beta1/gateway_alias.gen.go

Lines changed: 7 additions & 0 deletions
