From 70c2aa8e5cca16ca8cd14ba4b7662a6505b00053 Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Wed, 12 Mar 2025 16:53:28 +0530 Subject: [PATCH 1/7] add ecdsa certificate support at gateways Signed-off-by: Rama Chavali --- kubernetes/customresourcedefinitions.gen.yaml | 30 +++ networking/v1/gateway_alias.gen.go | 3 + networking/v1alpha3/gateway.pb.go | 192 +++++++++++++----- networking/v1alpha3/gateway.pb.html | 58 +++++- networking/v1alpha3/gateway.proto | 20 ++ networking/v1alpha3/gateway_deepcopy.gen.go | 21 ++ networking/v1alpha3/gateway_json.gen.go | 11 + networking/v1beta1/gateway_alias.gen.go | 3 + 8 files changed, 286 insertions(+), 52 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 211532393cd..9687de1f2c9 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6594,6 +6594,11 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -6827,6 +6832,11 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients 
@@ -7060,6 +7070,11 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -8643,6 +8658,11 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -9179,6 +9199,11 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -9715,6 +9740,11 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients diff --git a/networking/v1/gateway_alias.gen.go b/networking/v1/gateway_alias.gen.go index b07e7b18018..b8561ddfdc8 100644 --- a/networking/v1/gateway_alias.gen.go +++ b/networking/v1/gateway_alias.gen.go 
@@ -103,6 +103,9 @@ type Server = v1alpha3.Server type Port = v1alpha3.Port type ServerTLSSettings = v1alpha3.ServerTLSSettings +// TLSCertificate describes the server's TLS certificate. +type ServerTLSSettings_TLSCertificate = v1alpha3.ServerTLSSettings_TLSCertificate + // TLS modes enforced by the proxy type ServerTLSSettings_TLSmode = v1alpha3.ServerTLSSettings_TLSmode diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 3a52188183c..e013d64096f 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -775,6 +775,9 @@ type ServerTLSSettings struct { // Only one of server certificates and CA certificate // or credentialName can be specified. CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` + // Same as CredentialName but for multiple certificates. Mainly used for specifying + // RSA and ECDSA certificates for the same server. + CredentialNames []string `protobuf:"bytes,14,rep,name=credential_names,json=credentialNames,proto3" json:"credential_names,omitempty"` // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. @@ -903,6 +906,13 @@ func (x *ServerTLSSettings) GetCredentialName() string { return "" } +func (x *ServerTLSSettings) GetCredentialNames() []string { + if x != nil { + return x.CredentialNames + } + return nil +} + func (x *ServerTLSSettings) GetSubjectAltNames() []string { if x != nil { return x.SubjectAltNames 
@@ -945,6 +955,74 @@ func (x *ServerTLSSettings) GetCipherSuites() []string { return nil } +// TLSCertificate describes the server's TLS certificate. +type ServerTLSSettings_TLSCertificate struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server-side TLS certificate to use. + ServerCertificate string `protobuf:"bytes,1,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server's private key. + PrivateKey string `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` + // REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file + // containing certificate authority certificates to use in verifying a presented + // client side certificate. + CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ServerTLSSettings_TLSCertificate) Reset() { + *x = ServerTLSSettings_TLSCertificate{} + mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ServerTLSSettings_TLSCertificate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ServerTLSSettings_TLSCertificate) ProtoMessage() {} + +func (x *ServerTLSSettings_TLSCertificate) ProtoReflect() protoreflect.Message { + mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ServerTLSSettings_TLSCertificate.ProtoReflect.Descriptor instead. 
+func (*ServerTLSSettings_TLSCertificate) Descriptor() ([]byte, []int) { + return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 0} +} + +func (x *ServerTLSSettings_TLSCertificate) GetServerCertificate() string { + if x != nil { + return x.ServerCertificate + } + return "" +} + +func (x *ServerTLSSettings_TLSCertificate) GetPrivateKey() string { + if x != nil { + return x.PrivateKey + } + return "" +} + +func (x *ServerTLSSettings_TLSCertificate) GetCaCertificates() string { + if x != nil { + return x.CaCertificates + } + return "" +} + var File_networking_v1alpha3_gateway_proto protoreflect.FileDescriptor var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ @@ -991,7 +1069,7 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, - 0x22, 0x98, 0x07, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, + 0x22, 0xcf, 0x08, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x73, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, 0x48, 0x0a, 
@@ -1011,47 +1089,58 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ 0x52, 0x05, 0x63, 0x61, 0x43, 0x72, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, - 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, 0x6c, 0x74, 0x5f, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x36, 0x0a, 0x17, - 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x5f, 0x73, 0x70, 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, - 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x53, 0x70, 0x6b, 0x69, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, - 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x6a, 0x0a, 0x14, - 0x6d, 0x69, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, - 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, - 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 
0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, - 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, - 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, - 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, - 0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, - 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x69, 0x70, - 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x22, 0x6f, 0x0a, 0x07, 0x54, 0x4c, 0x53, - 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, - 0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, - 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, - 0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, - 0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, - 0x55, 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, - 0x4c, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, - 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, - 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, - 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, - 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03, 
0x12, 0x0b, - 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, - 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x29, 0x0a, 0x10, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x72, 0x65, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x11, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, 0x6c, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, + 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, + 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x70, + 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x70, 0x6b, 0x69, 0x12, + 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x69, 0x6e, 0x5f, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, + 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, + 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 
0x74, 0x74, 0x69, + 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, + 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, + 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, + 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x61, 0x78, + 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, + 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, + 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, + 0x69, 0x74, 0x65, 0x73, 0x1a, 0x89, 0x01, 0x0a, 0x0e, 0x54, 0x4c, 0x53, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x2d, 0x0a, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x11, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, + 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, + 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x5f, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0e, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, + 0x22, 0x6f, 0x0a, 
0x07, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, + 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, + 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, + 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, + 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, + 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, + 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, 0x4c, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, + 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, + 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, + 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, + 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, + 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, + 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, + 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, }) var ( 
@@ -1067,15 +1156,16 @@ func file_networking_v1alpha3_gateway_proto_rawDescGZIP() []byte { } var file_networking_v1alpha3_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 5) +var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_networking_v1alpha3_gateway_proto_goTypes = []any{ - (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode - (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - (*Gateway)(nil), // 2: istio.networking.v1alpha3.Gateway - (*Server)(nil), // 3: istio.networking.v1alpha3.Server - (*Port)(nil), // 4: istio.networking.v1alpha3.Port - (*ServerTLSSettings)(nil), // 5: istio.networking.v1alpha3.ServerTLSSettings - nil, // 6: istio.networking.v1alpha3.Gateway.SelectorEntry + (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode + (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol + (*Gateway)(nil), // 2: istio.networking.v1alpha3.Gateway + (*Server)(nil), // 3: istio.networking.v1alpha3.Server + (*Port)(nil), // 4: istio.networking.v1alpha3.Port + (*ServerTLSSettings)(nil), // 5: istio.networking.v1alpha3.ServerTLSSettings + nil, // 6: istio.networking.v1alpha3.Gateway.SelectorEntry + (*ServerTLSSettings_TLSCertificate)(nil), // 7: istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate } var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{ 3, // 0: istio.networking.v1alpha3.Gateway.servers:type_name -> istio.networking.v1alpha3.Server 
@@ -1103,7 +1193,7 @@ func file_networking_v1alpha3_gateway_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_gateway_proto_rawDesc), len(file_networking_v1alpha3_gateway_proto_rawDesc)), NumEnums: 2, - NumMessages: 5, + NumMessages: 6, NumExtensions: 0, NumServices: 0, }, diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html index be2b7d2e441..4b9c03ac43d 100644 --- a/networking/v1alpha3/gateway.pb.html +++ b/networking/v1alpha3/gateway.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.networking.v1alpha3.Gateway aliases: [/docs/reference/config/networking/v1alpha3/gateway] -number_of_entries: 6 +number_of_entries: 7 ---

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. The specification @@ -500,6 +500,16 @@

ServerTLSSettings

Only one of server certificates and CA certificate or credentialName can be specified.

+ + + +
+
string[]
+
+ +

Same as CredentialName but for multiple certificates. Mainly used for specifying +RSA and ECDSA certificates for the same server.

+ @@ -588,6 +598,52 @@

ServerTLSSettings

  • DES-CBC3-SHA
  • + + + + + +

    TLSCertificate

    +
    +

    TLSCertificate describes the server’s TLS certificate.

    + + + + + + + + + + + + + + + + + + + + diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 448824a42b8..2a6d29eba44 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -471,6 +471,26 @@ message ServerTLSSettings { // or credentialName can be specified. string credential_name = 10; + // Same as CredentialName but for multiple certificates. Mainly used for specifying + // RSA and ECDSA certificates for the same server. + repeated string credential_names = 14; + + // TLSCertificate describes the server's TLS certificate. + message TLSCertificate { + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server-side TLS certificate to use. + string server_certificate = 1; + + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server's private key. + string private_key = 2; + + // REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file + // containing certificate authority certificates to use in verifying a presented + // client side certificate. + string ca_certificates = 3; + } + // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. diff --git a/networking/v1alpha3/gateway_deepcopy.gen.go b/networking/v1alpha3/gateway_deepcopy.gen.go index 9abd995802a..17875c9a64a 100644 --- a/networking/v1alpha3/gateway_deepcopy.gen.go +++ b/networking/v1alpha3/gateway_deepcopy.gen.go 
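Review bot: `TLSCertificate.ca_certificates` gives every entry of a repeated list its own client-CA bundle while the verification settings that pair with it (`subject_alt_names`, `verify_certificate_hash`) stay on the parent `ServerTLSSettings`, so the hunk leaves undefined whether several bundles are unioned or only one entry's is honored — and an unexpected union widens the set of client certificates a `MUTUAL` server accepts. Pin the intended behavior on the field, e.g. `// When several entries are given, the CA bundles of all entries are combined for client verification` (or the "only the first entry's bundle is used" variant — confirm against the control-plane implementation before choosing the wording). The `credential_names` comment should also say that each referenced secret is expected to carry a key of a different type (RSA vs ECDSA), since two secrets of the same key type leave certificate selection undefined; e.g. `// Each secret should hold a certificate with a distinct key type (RSA, ECDSA).` The `REQUIRED if mode is ...` prefixes copied from the parent fields read oddly inside a list entry, where `server_certificate` and `private_key` are always needed for the entry to be usable. `message ServerTLSSettings` begins before this hunk.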
@@ -88,3 +88,24 @@ func (in *ServerTLSSettings) DeepCopy() *ServerTLSSettings { func (in *ServerTLSSettings) DeepCopyInterface() interface{} { return in.DeepCopy() } + +// DeepCopyInto supports using ServerTLSSettings_TLSCertificate within kubernetes types, where deepcopy-gen is used. +func (in *ServerTLSSettings_TLSCertificate) DeepCopyInto(out *ServerTLSSettings_TLSCertificate) { + p := proto.Clone(in).(*ServerTLSSettings_TLSCertificate) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_TLSCertificate. Required by controller-gen. +func (in *ServerTLSSettings_TLSCertificate) DeepCopy() *ServerTLSSettings_TLSCertificate { + if in == nil { + return nil + } + out := new(ServerTLSSettings_TLSCertificate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_TLSCertificate. Required by controller-gen. +func (in *ServerTLSSettings_TLSCertificate) DeepCopyInterface() interface{} { + return in.DeepCopy() +} diff --git a/networking/v1alpha3/gateway_json.gen.go b/networking/v1alpha3/gateway_json.gen.go index 8dd2ce87eee..0a38246326c 100644 --- a/networking/v1alpha3/gateway_json.gen.go +++ b/networking/v1alpha3/gateway_json.gen.go 
@@ -50,6 +50,17 @@ func (this *ServerTLSSettings) UnmarshalJSON(b []byte) error { return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) } +// MarshalJSON is a custom marshaler for ServerTLSSettings_TLSCertificate +func (this *ServerTLSSettings_TLSCertificate) MarshalJSON() ([]byte, error) { + str, err := GatewayMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_TLSCertificate +func (this *ServerTLSSettings_TLSCertificate) UnmarshalJSON(b []byte) error { + return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + var ( GatewayMarshaler = &jsonpb.Marshaler{} GatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} diff --git a/networking/v1beta1/gateway_alias.gen.go b/networking/v1beta1/gateway_alias.gen.go index e855f331d0b..ce785cfc4f4 100644 --- a/networking/v1beta1/gateway_alias.gen.go +++ b/networking/v1beta1/gateway_alias.gen.go @@ -103,6 +103,9 @@ type Server = v1alpha3.Server type Port = v1alpha3.Port type ServerTLSSettings = v1alpha3.ServerTLSSettings +// TLSCertificate describes the server's TLS certificate. +type ServerTLSSettings_TLSCertificate = v1alpha3.ServerTLSSettings_TLSCertificate + // TLS modes enforced by the proxy type ServerTLSSettings_TLSmode = v1alpha3.ServerTLSSettings_TLSmode From 166ea983e5eaf7c62552b12464d1371b65079aa1 Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Wed, 12 Mar 2025 20:22:29 +0530 Subject: [PATCH 2/7] add support for certs Signed-off-by: Rama Chavali --- kubernetes/customresourcedefinitions.gen.yaml | 102 ++++++++++++++ networking/v1alpha3/gateway.pb.go | 131 ++++++++++-------- networking/v1alpha3/gateway.pb.html | 11 ++ networking/v1alpha3/gateway.proto | 5 + 4 files changed, 193 insertions(+), 56 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 9687de1f2c9..dd3193d49d2 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml 
+++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6653,6 +6653,23 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -6891,6 +6908,23 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. 
@@ -7129,6 +7163,23 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -8717,6 +8768,23 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. 
@@ -9258,6 +9326,23 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -9799,6 +9884,23 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index e013d64096f..8b74b0fcb28 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go 
@@ -778,6 +778,10 @@ type ServerTLSSettings struct { // Same as CredentialName but for multiple certificates. Mainly used for specifying // RSA and ECDSA certificates for the same server. CredentialNames []string `protobuf:"bytes,14,rep,name=credential_names,json=credentialNames,proto3" json:"credential_names,omitempty"` + // Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name` + // or `credential_names` or `tls_certificates` should be specified. + // This is mainly used for specifying RSA and ECDSA certificates for the same server. + TlsCertificates []*ServerTLSSettings_TLSCertificate `protobuf:"bytes,15,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"` // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. @@ -913,6 +917,13 @@ func (x *ServerTLSSettings) GetCredentialNames() []string { return nil } +func (x *ServerTLSSettings) GetTlsCertificates() []*ServerTLSSettings_TLSCertificate { + if x != nil { + return x.TlsCertificates + } + return nil +} + func (x *ServerTLSSettings) GetSubjectAltNames() []string { if x != nil { return x.SubjectAltNames 
@@ -1069,7 +1080,7 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, - 0x22, 0xcf, 0x08, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, + 0x22, 0xb7, 0x09, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x73, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, 0x48, 0x0a, 
@@ -1091,56 +1102,63 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ 0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x29, 0x0a, 0x10, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x72, 0x65, 0x64, - 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x11, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, 0x6c, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, - 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, - 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, - 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x70, - 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x70, 0x6b, 0x69, 0x12, - 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x69, 0x6e, 0x5f, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, + 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x66, 0x0a, 0x10, 0x74, + 0x6c, 0x73, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, + 0x0f, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, - 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, - 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, - 0x69, 0x6f, 0x6e, 0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, - 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, - 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, - 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x61, 0x78, - 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, - 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, - 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, - 0x69, 0x74, 0x65, 0x73, 0x1a, 0x89, 0x01, 0x0a, 0x0e, 0x54, 0x4c, 0x53, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x2d, 0x0a, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x11, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, - 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, - 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x5f, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 
0x09, - 0x52, 0x0e, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, - 0x22, 0x6f, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, - 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, - 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, - 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, - 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, - 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, - 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, 0x4c, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, - 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, - 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, - 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, - 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, - 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, - 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, - 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x52, 0x0f, 0x74, 0x6c, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, + 0x6c, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 
0x41, 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, + 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x70, 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x53, 0x70, 0x6b, 0x69, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x61, + 0x73, 0x68, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, + 0x6a, 0x0a, 0x14, 0x6d, 0x69, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, + 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x6a, 0x0a, 0x14, 0x6d, + 0x61, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, + 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, + 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, + 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 
0x63, 0x6f, 0x6c, + 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, + 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, + 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x1a, 0x89, 0x01, 0x0a, + 0x0e, 0x54, 0x4c, 0x53, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, + 0x2d, 0x0a, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x73, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1f, + 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, + 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x22, 0x6f, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, + 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, + 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, + 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, + 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, + 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, + 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, 0x4c, + 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, 0x53, + 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, 0x5f, + 0x41, 0x55, 0x54, 
0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, + 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, 0x02, + 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b, 0x0a, + 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, + 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, + 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, }) var ( 
@@ -1173,13 +1191,14 @@ var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{ 4, // 2: istio.networking.v1alpha3.Server.port:type_name -> istio.networking.v1alpha3.Port 5, // 3: istio.networking.v1alpha3.Server.tls:type_name -> istio.networking.v1alpha3.ServerTLSSettings 0, // 4: istio.networking.v1alpha3.ServerTLSSettings.mode:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSmode - 1, // 5: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - 7, // [7:7] is the sub-list for method output_type - 7, // [7:7] is the sub-list for method input_type - 7, // [7:7] is the sub-list for extension type_name - 7, // [7:7] is the sub-list for extension extendee - 0, // [0:7] is the sub-list for field type_name + 7, // 5: istio.networking.v1alpha3.ServerTLSSettings.tls_certificates:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate + 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol + 1, // 7: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol + 8, // [8:8] is the sub-list for method output_type + 8, // [8:8] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name } func init() { file_networking_v1alpha3_gateway_proto_init() } diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html index 4b9c03ac43d..5dd9a3151f7 100644 --- a/networking/v1alpha3/gateway.pb.html +++ b/networking/v1alpha3/gateway.pb.html @@ -510,6 +510,17 @@

    ServerTLSSettings

    Same as CredentialName but for multiple certificates. Mainly used for specifying RSA and ECDSA certificates for the same server.

    + + +
    + + diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 2a6d29eba44..28c769b039a 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -491,6 +491,11 @@ message ServerTLSSettings { string ca_certificates = 3; } + // Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name` + // or `credential_names` or `tls_certificates` should be specified. + // This is mainly used for specifying RSA and ECDSA certificates for the same server. + repeated TLSCertificate tls_certificates = 15; + // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. From f781c831e9526dfe314abb0119a6e580497a9ffa Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Fri, 14 Mar 2025 14:16:29 +0530 Subject: [PATCH 3/7] add cel validations Signed-off-by: Rama Chavali --- kubernetes/customresourcedefinitions.gen.yaml | 39 +++++++++++++++++++ networking/v1/gateway_alias.gen.go | 4 ++ networking/v1alpha3/gateway.pb.go | 4 ++ networking/v1alpha3/gateway.proto | 4 ++ networking/v1beta1/gateway_alias.gen.go | 4 ++ 5 files changed, 55 insertions(+) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index dd3193d49d2..f98d141f9e0 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml 
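Review bot: The comment on the new `tls_certificates` field lists `server_certificate`, `private_key` and `ca_certificates` as if each were an alternative to the others, when those three are used together as the file-based option, so a reader cannot tell which combinations are permitted; the same wording is generated into gateway.pb.go in the hunk at L48. The comment also does not say what a `TLSCertificate` entry must contain, and nothing in this patch enforces the exclusivity it promises, so whether a server that sets both `credential_name` and `tls_certificates` is rejected or silently resolved is unspecified here. I would restate the rule in terms of the options themselves, e.g. `// Mutually exclusive with credential_name, credential_names and the file-based server_certificate/private_key pair: set at most one of them.` followed by a sentence that each entry carries its own server_certificate and private_key paths, and reference whatever validation ends up enforcing the exclusivity.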
@@ -6689,6 +6689,19 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: credential_names cannot have more than two credentials + rule: '(has(self.credential_names) ? self.credential_names : []).size() + <= 2' + - message: cannot have more than two tls certificates + rule: '(has(self.tls_certificates) ? self.tls_certificates : []).size() + <= 2' + - message: only one of credential_names or tls_certificates can be set + rule: '(has(self.tls_certificates) ? 1 : 0) + (has(self.credential_names) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can be set + rule: '(has(self.credential_name) ? 1 : 0) + (has(self.credential_names) + ? 1 : 0) <= 1' status: properties: conditions: @@ -6944,6 +6957,19 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: credential_names cannot have more than two credentials + rule: '(has(self.credential_names) ? self.credential_names : []).size() + <= 2' + - message: cannot have more than two tls certificates + rule: '(has(self.tls_certificates) ? self.tls_certificates : []).size() + <= 2' + - message: only one of credential_names or tls_certificates can be set + rule: '(has(self.tls_certificates) ? 1 : 0) + (has(self.credential_names) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can be set + rule: '(has(self.credential_name) ? 1 : 0) + (has(self.credential_names) + ? 1 : 0) <= 1' status: properties: conditions: 
@@ -7199,6 +7225,19 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: credential_names cannot have more than two credentials + rule: '(has(self.credential_names) ? self.credential_names : []).size() + <= 2' + - message: cannot have more than two tls certificates + rule: '(has(self.tls_certificates) ? self.tls_certificates : []).size() + <= 2' + - message: only one of credential_names or tls_certificates can be set + rule: '(has(self.tls_certificates) ? 1 : 0) + (has(self.credential_names) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can be set + rule: '(has(self.credential_name) ? 1 : 0) + (has(self.credential_names) + ? 1 : 0) <= 1' status: properties: conditions: diff --git a/networking/v1/gateway_alias.gen.go b/networking/v1/gateway_alias.gen.go index b8561ddfdc8..5565cc73d10 100644 --- a/networking/v1/gateway_alias.gen.go +++ b/networking/v1/gateway_alias.gen.go @@ -23,6 +23,10 @@ import "istio.io/api/networking/v1alpha3" // +genclient // +k8s:deepcopy-gen=true // --> +// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" type Gateway = v1alpha3.Gateway // `Server` describes the properties of the proxy on a given load balancer diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 8b74b0fcb28..45768847bbd 100644 --- a/networking/v1alpha3/gateway.pb.go 
+++ b/networking/v1alpha3/gateway.pb.go @@ -385,6 +385,10 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) { // +genclient // +k8s:deepcopy-gen=true // --> +// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" type Gateway struct { state protoimpl.MessageState `protogen:"open.v1"` // A list of server specifications. diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 28c769b039a..023cf712d4a 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -216,6 +216,10 @@ option go_package = "istio.io/api/networking/v1alpha3"; // +genclient // +k8s:deepcopy-gen=true // --> +// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" message Gateway { // A list of server specifications. repeated Server servers = 1; 
diff --git a/networking/v1beta1/gateway_alias.gen.go b/networking/v1beta1/gateway_alias.gen.go index ce785cfc4f4..0c4fc609a28 100644 --- a/networking/v1beta1/gateway_alias.gen.go +++ b/networking/v1beta1/gateway_alias.gen.go @@ -23,6 +23,10 @@ import "istio.io/api/networking/v1alpha3" // +genclient // +k8s:deepcopy-gen=true // --> +// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" type Gateway = v1alpha3.Gateway // `Server` describes the properties of the proxy on a given load balancer From 856a1274b2d83660af4650e198bf34178bceeead Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Fri, 14 Mar 2025 14:19:18 +0530 Subject: [PATCH 4/7] add comments for subject alt names Signed-off-by: Rama Chavali --- networking/v1alpha3/gateway.proto | 2 ++ 1 file changed, 2 insertions(+) diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 023cf712d4a..c6654419a3d 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto 
@@ -503,6 +503,8 @@ message ServerTLSSettings { // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. + // When multiple certificates are provided via `credential_names` or `tls_certificates`, + // the subject alternate names are validated against the selected certificate. repeated string subject_alt_names = 6; // An optional list of base64-encoded SHA-256 hashes of the SPKIs of From 3bea8701e3d0ce9de0a8cd98e70b8c6aba8a2bbc Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Fri, 14 Mar 2025 14:25:54 +0530 Subject: [PATCH 5/7] clean gen Signed-off-by: Rama Chavali --- kubernetes/customresourcedefinitions.gen.yaml | 39 ------------------- networking/v1/gateway_alias.gen.go | 4 -- networking/v1alpha3/gateway.pb.go | 6 +-- networking/v1alpha3/gateway.pb.html | 5 ++- networking/v1alpha3/gateway.proto | 9 +++-- networking/v1beta1/gateway_alias.gen.go | 4 -- 6 files changed, 11 insertions(+), 56 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index f98d141f9e0..dd3193d49d2 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml 
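Review bot: The sentence added to `subject_alt_names` reads as if the client-certificate SAN check depends on which server certificate (RSA or ECDSA) was selected for the handshake, which sits awkwardly with the lines just above it describing the field as verifying the certificate presented by the client. If the intent is that this single list is applied to the client certificate regardless of which configured server certificate is negotiated, it should say so, since it determines what an mTLS peer is allowed to present; if certificate selection really does change the SAN check, that behaviour needs spelling out. Suggested wording, to be confirmed against the proxy behaviour: `// When multiple server certificates are configured via credential_names or tls_certificates, this list is still applied to the client certificate and does not depend on which server certificate is selected.` The same comment is generated into gateway.pb.go in the hunk at L71.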
@@ -6689,19 +6689,6 @@ spec: type: object type: array type: object - x-kubernetes-validations: - - message: credential_names cannot have more than two credentials - rule: '(has(self.credential_names) ? self.credential_names : []).size() - <= 2' - - message: cannot have more than two tls certificates - rule: '(has(self.tls_certificates) ? self.tls_certificates : []).size() - <= 2' - - message: only one of credential_names or tls_certificates can be set - rule: '(has(self.tls_certificates) ? 1 : 0) + (has(self.credential_names) - ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can be set - rule: '(has(self.credential_name) ? 1 : 0) + (has(self.credential_names) - ? 1 : 0) <= 1' status: properties: conditions: @@ -6957,19 +6944,6 @@ spec: type: object type: array type: object - x-kubernetes-validations: - - message: credential_names cannot have more than two credentials - rule: '(has(self.credential_names) ? self.credential_names : []).size() - <= 2' - - message: cannot have more than two tls certificates - rule: '(has(self.tls_certificates) ? self.tls_certificates : []).size() - <= 2' - - message: only one of credential_names or tls_certificates can be set - rule: '(has(self.tls_certificates) ? 1 : 0) + (has(self.credential_names) - ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can be set - rule: '(has(self.credential_name) ? 1 : 0) + (has(self.credential_names) - ? 1 : 0) <= 1' status: properties: conditions: 
@@ -7225,19 +7199,6 @@ spec: type: object type: array type: object - x-kubernetes-validations: - - message: credential_names cannot have more than two credentials - rule: '(has(self.credential_names) ? self.credential_names : []).size() - <= 2' - - message: cannot have more than two tls certificates - rule: '(has(self.tls_certificates) ? self.tls_certificates : []).size() - <= 2' - - message: only one of credential_names or tls_certificates can be set - rule: '(has(self.tls_certificates) ? 1 : 0) + (has(self.credential_names) - ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can be set - rule: '(has(self.credential_name) ? 1 : 0) + (has(self.credential_names) - ? 1 : 0) <= 1' status: properties: conditions: diff --git a/networking/v1/gateway_alias.gen.go b/networking/v1/gateway_alias.gen.go index 5565cc73d10..b8561ddfdc8 100644 --- a/networking/v1/gateway_alias.gen.go +++ b/networking/v1/gateway_alias.gen.go @@ -23,10 +23,6 @@ import "istio.io/api/networking/v1alpha3" // +genclient // +k8s:deepcopy-gen=true // --> -// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" -// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" type Gateway = v1alpha3.Gateway // `Server` describes the properties of the proxy on a given load balancer diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 45768847bbd..2a84bde37fd 100644 --- a/networking/v1alpha3/gateway.pb.go 
+++ b/networking/v1alpha3/gateway.pb.go @@ -385,10 +385,6 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) { // +genclient // +k8s:deepcopy-gen=true // --> -// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" -// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" type Gateway struct { state protoimpl.MessageState `protogen:"open.v1"` // A list of server specifications. @@ -789,6 +785,8 @@ type ServerTLSSettings struct { // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. + // When multiple certificates are provided via `credential_names` or `tls_certificates`, + // the subject alternate names are validated against the selected certificate. SubjectAltNames []string `protobuf:"bytes,6,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"` // An optional list of base64-encoded SHA-256 hashes of the SPKIs of // authorized client certificates. diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html index 5dd9a3151f7..fbcbfa87103 100644 --- a/networking/v1alpha3/gateway.pb.html +++ b/networking/v1alpha3/gateway.pb.html @@ -409,6 +409,7 @@

    Port

    ServerTLSSettings

    +
    FieldDescription
    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +holding the server-side TLS certificate to use.

    + +
    +
    string
    +
    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +holding the server’s private key.

    + +
    +
    string
    +
    +

    REQUIRED if mode is MUTUAL or OPTIONAL_MUTUAL. The path to a file +containing certificate authority certificates to use in verifying a presented +client side certificate.

    +
    +

    Only one of server_certificate, private_key, ca_certificates or credential_name +or credential_names or tls_certificates should be specified. +This is mainly used for specifying RSA and ECDSA certificates for the same server.

    +
    @@ -530,7 +531,9 @@

    ServerTLSSettings

    diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index c6654419a3d..d8080e43865 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -216,10 +216,6 @@ option go_package = "istio.io/api/networking/v1alpha3"; // +genclient // +k8s:deepcopy-gen=true // --> -// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" -// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" message Gateway { // A list of server specifications. repeated Server servers = 1; @@ -385,6 +381,11 @@ message Port { } message ServerTLSSettings { +// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" +// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" + // If set to true, the load balancer will send a 301 redirect for // all http connections, asking the clients to use HTTPS. bool https_redirect = 1; 
diff --git a/networking/v1beta1/gateway_alias.gen.go b/networking/v1beta1/gateway_alias.gen.go index 0c4fc609a28..ce785cfc4f4 100644 --- a/networking/v1beta1/gateway_alias.gen.go +++ b/networking/v1beta1/gateway_alias.gen.go @@ -23,10 +23,6 @@ import "istio.io/api/networking/v1alpha3" // +genclient // +k8s:deepcopy-gen=true // --> -// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2" -// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)" -// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)" type Gateway = v1alpha3.Gateway // `Server` describes the properties of the proxy on a given load balancer From 1fcc2439c4f80d9a4790f208a9147d8351a32056 Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Wed, 19 Mar 2025 15:56:44 +0530 Subject: [PATCH 6/7] fix validations Signed-off-by: Rama Chavali --- kubernetes/customresourcedefinitions.gen.yaml | 102 ++++++++++++++++++ networking/v1/gateway_alias.gen.go | 4 + networking/v1alpha3/gateway.pb.go | 7 ++ networking/v1alpha3/gateway.proto | 12 ++- networking/v1beta1/gateway_alias.gen.go | 4 + 5 files changed, 124 insertions(+), 5 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index dd3193d49d2..7b374295278 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml 
@@ -6598,6 +6598,8 @@ spec: description: Same as CredentialName but for multiple certificates. items: type: string + maxItems: 2 + minItems: 1 type: array httpsRedirect: description: If set to true, the load balancer will send @@ -6669,6 +6671,8 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string type: object + maxItems: 2 + minItems: 1 type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes @@ -6683,6 +6687,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credential_names or tls_certificates + can be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or tls_certificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port - hosts @@ -6853,6 +6870,8 @@ spec: description: Same as CredentialName but for multiple certificates. items: type: string + maxItems: 2 + minItems: 1 type: array httpsRedirect: description: If set to true, the load balancer will send @@ -6924,6 +6943,8 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string type: object + maxItems: 2 + minItems: 1 type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes 
@@ -6938,6 +6959,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credential_names or tls_certificates + can be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or tls_certificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port - hosts @@ -7108,6 +7142,8 @@ spec: description: Same as CredentialName but for multiple certificates. items: type: string + maxItems: 2 + minItems: 1 type: array httpsRedirect: description: If set to true, the load balancer will send @@ -7179,6 +7215,8 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string type: object + maxItems: 2 + minItems: 1 type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes @@ -7193,6 +7231,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credential_names or tls_certificates + can be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or tls_certificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port - hosts @@ -8713,6 +8764,8 @@ spec: description: Same as CredentialName but for multiple certificates. items: type: string + maxItems: 2 + minItems: 1 type: array httpsRedirect: description: If set to true, the load balancer will send 
@@ -8784,6 +8837,8 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string type: object + maxItems: 2 + minItems: 1 type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes @@ -8798,6 +8853,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credential_names or tls_certificates + can be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or tls_certificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port type: object @@ -9271,6 +9339,8 @@ spec: description: Same as CredentialName but for multiple certificates. items: type: string + maxItems: 2 + minItems: 1 type: array httpsRedirect: description: If set to true, the load balancer will send @@ -9342,6 +9412,8 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string type: object + maxItems: 2 + minItems: 1 type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes @@ -9356,6 +9428,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credential_names or tls_certificates + can be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or tls_certificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port type: object 
@@ -9829,6 +9914,8 @@ spec: description: Same as CredentialName but for multiple certificates. items: type: string + maxItems: 2 + minItems: 1 type: array httpsRedirect: description: If set to true, the load balancer will send @@ -9900,6 +9987,8 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string type: object + maxItems: 2 + minItems: 1 type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes @@ -9914,6 +10003,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credential_names or tls_certificates + can be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or credential_names can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credential_name or tls_certificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port type: object diff --git a/networking/v1/gateway_alias.gen.go b/networking/v1/gateway_alias.gen.go index b8561ddfdc8..2c194b5532e 100644 --- a/networking/v1/gateway_alias.gen.go +++ b/networking/v1/gateway_alias.gen.go 
@@ -101,6 +101,10 @@ type Server = v1alpha3.Server
 // Port describes the properties of a specific port of a service.
 type Port = v1alpha3.Port
+
+// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings = v1alpha3.ServerTLSSettings
 // TLSCertificate describes the server's TLS certificate.
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 2a84bde37fd..5e00d6cef5c 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -737,6 +737,9 @@ func (x *Port) GetTargetPort() uint32 {
 return 0
 }
+// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings struct {
 state protoimpl.MessageState `protogen:"open.v1"`
 // If set to true, the load balancer will send a 301 redirect for
@@ -777,10 +780,14 @@ type ServerTLSSettings struct {
 CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"`
 // Same as CredentialName but for multiple certificates. Mainly used for specifying
 // RSA and ECDSA certificates for the same server.
+ // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MinItems=1
 CredentialNames []string `protobuf:"bytes,14,rep,name=credential_names,json=credentialNames,proto3" json:"credential_names,omitempty"`
 // Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name`
 // or `credential_names` or `tls_certificates` should be specified.
 // This is mainly used for specifying RSA and ECDSA certificates for the same server.
+ // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MinItems=1
 TlsCertificates []*ServerTLSSettings_TLSCertificate `protobuf:"bytes,15,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"`
 // A list of alternate names to verify the subject identity in the
 // certificate presented by the client.
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index d8080e43865..83d72058014 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -380,12 +380,10 @@ message Port {
 uint32 target_port = 4 [deprecated=true];
 }
+// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 message ServerTLSSettings {
-// +kubebuilder:validation:XValidation:message="credential_names cannot have more than two credentials",rule="default(self.credential_names, []).size() <= 2"
-// +kubebuilder:validation:XValidation:message="cannot have more than two tls certificates",rule="default(self.tls_certificates, []).size() <= 2"
-// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tls_certificates, self.credential_names)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credential_name, self.credential_names)"
-
 // If set to true, the load balancer will send a 301 redirect for
 // all http connections, asking the clients to use HTTPS.
 bool https_redirect = 1;
@@ -478,6 +476,8 @@ message ServerTLSSettings {
 // Same as CredentialName but for multiple certificates. Mainly used for specifying
 // RSA and ECDSA certificates for the same server.
+ // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MinItems=1
 repeated string credential_names = 14;
 // TLSCertificate describes the server's TLS certificate.
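Review bot: The third XValidation marker added above `message ServerTLSSettings` does not enforce what its message says: the message reads "only one of credential_name or tls_certificates can be set" but the rule is `oneof(self.credentialNames, self.tlsCertificates)`, the same pair the first marker already checks, so a server that sets both `credentialName` and `tlsCertificates` is never rejected at admission and the generated CRD rule (`has(self.credentialNames) ... has(self.tlsCertificates)`) inherits the gap. The line should read `// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialName, self.tlsCertificates)"`. The same marker is copied into gateway.pb.go and both gateway_alias.gen.go files in this patch and is carried forward unchanged by the "fix message" patch, so correcting the proto and regenerating covers all of them. Separately, the field comment in the next hunk still promises that `server_certificate`/`private_key` are exclusive with `credential_names` and `tls_certificates`, yet none of the three rules here pairs them; whether an existing rule elsewhere covers that is not visible in this diff.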
@@ -499,6 +499,8 @@ message ServerTLSSettings { // Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name` // or `credential_names` or `tls_certificates` should be specified. // This is mainly used for specifying RSA and ECDSA certificates for the same server. + // +kubebuilder:validation:MaxItems=2 + // +kubebuilder:validation:MinItems=1 repeated TLSCertificate tls_certificates = 15; // A list of alternate names to verify the subject identity in the diff --git a/networking/v1beta1/gateway_alias.gen.go b/networking/v1beta1/gateway_alias.gen.go index ce785cfc4f4..db18e343c63 100644 --- a/networking/v1beta1/gateway_alias.gen.go +++ b/networking/v1beta1/gateway_alias.gen.go @@ -101,6 +101,10 @@ type Server = v1alpha3.Server // Port describes the properties of a specific port of a service. type Port = v1alpha3.Port + +// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)" type ServerTLSSettings = v1alpha3.ServerTLSSettings // TLSCertificate describes the server's TLS certificate. From a25c2ce5e55066eef218b796827ab8a5c33eedbe Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Sat, 22 Mar 2025 15:34:46 +0530 Subject: [PATCH 7/7] fix message Signed-off-by: Rama Chavali --- kubernetes/customresourcedefinitions.gen.yaml | 48 +++++++++---------- networking/v1/gateway_alias.gen.go | 6 +-- networking/v1alpha3/gateway.pb.go | 6 +-- networking/v1alpha3/gateway.proto | 6 +-- networking/v1beta1/gateway_alias.gen.go | 6 +-- 5 files changed, 36 insertions(+), 36 deletions(-) 
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 7b374295278..c49f8d8d694 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6688,15 +6688,15 @@ spec: type: array type: object x-kubernetes-validations: - - message: only one of credential_names or tls_certificates - can be set + - message: only one of credentialNames or tlsCertificates can + be set rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can + - message: only one of credentialName or credentialNames can be set rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or tls_certificates can + - message: only one of credentialName or tlsCertificates can be set rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1' @@ -6960,15 +6960,15 @@ spec: type: array type: object x-kubernetes-validations: - - message: only one of credential_names or tls_certificates - can be set + - message: only one of credentialNames or tlsCertificates can + be set rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can + - message: only one of credentialName or credentialNames can be set rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or tls_certificates can + - message: only one of credentialName or tlsCertificates can be set rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1' 
@@ -7232,15 +7232,15 @@ spec: type: array type: object x-kubernetes-validations: - - message: only one of credential_names or tls_certificates - can be set + - message: only one of credentialNames or tlsCertificates can + be set rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can + - message: only one of credentialName or credentialNames can be set rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or tls_certificates can + - message: only one of credentialName or tlsCertificates can be set rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1' @@ -8854,15 +8854,15 @@ spec: type: array type: object x-kubernetes-validations: - - message: only one of credential_names or tls_certificates - can be set + - message: only one of credentialNames or tlsCertificates can + be set rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can + - message: only one of credentialName or credentialNames can be set rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or tls_certificates can + - message: only one of credentialName or tlsCertificates can be set rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1' 
@@ -9429,15 +9429,15 @@ spec: type: array type: object x-kubernetes-validations: - - message: only one of credential_names or tls_certificates - can be set + - message: only one of credentialNames or tlsCertificates can + be set rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can + - message: only one of credentialName or credentialNames can be set rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or tls_certificates can + - message: only one of credentialName or tlsCertificates can be set rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1' @@ -10004,15 +10004,15 @@ spec: type: array type: object x-kubernetes-validations: - - message: only one of credential_names or tls_certificates - can be set + - message: only one of credentialNames or tlsCertificates can + be set rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or credential_names can + - message: only one of credentialName or credentialNames can be set rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) ? 1 : 0) <= 1' - - message: only one of credential_name or tls_certificates can + - message: only one of credentialName or tlsCertificates can be set rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1' diff --git a/networking/v1/gateway_alias.gen.go b/networking/v1/gateway_alias.gen.go index 2c194b5532e..464da5acab7 100644 --- a/networking/v1/gateway_alias.gen.go +++ b/networking/v1/gateway_alias.gen.go 
@@ -102,9 +102,9 @@ type Server = v1alpha3.Server
 // Port describes the properties of a specific port of a service.
 type Port = v1alpha3.Port
-// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings = v1alpha3.ServerTLSSettings
 // TLSCertificate describes the server's TLS certificate.
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 5e00d6cef5c..22b3a67aedb 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -737,9 +737,9 @@ func (x *Port) GetTargetPort() uint32 {
 return 0
 }
-// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings struct {
 state protoimpl.MessageState `protogen:"open.v1"`
 // If set to true, the load balancer will send a 301 redirect for
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index 83d72058014..4c8e9047f1b 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -380,9 +380,9 @@ message Port {
 uint32 target_port = 4 [deprecated=true];
 }
-// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 message ServerTLSSettings {
 // If set to true, the load balancer will send a 301 redirect for
 // all http connections, asking the clients to use HTTPS.
diff --git a/networking/v1beta1/gateway_alias.gen.go b/networking/v1beta1/gateway_alias.gen.go
index db18e343c63..063b55808e8 100644
--- a/networking/v1beta1/gateway_alias.gen.go
+++ b/networking/v1beta1/gateway_alias.gen.go
@@ -102,9 +102,9 @@ type Server = v1alpha3.Server
 // Port describes the properties of a specific port of a service.
 type Port = v1alpha3.Port
-// +kubebuilder:validation:XValidation:message="only one of credential_names or tls_certificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or credential_names can be set",rule="oneof(self.credentialName, self.credentialNames)"
-// +kubebuilder:validation:XValidation:message="only one of credential_name or tls_certificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings = v1alpha3.ServerTLSSettings
 // TLSCertificate describes the server's TLS certificate.

    A list of alternate names to verify the subject identity in the certificate presented by the client.
-Requires TLS mode to be set to MUTUAL.

    +Requires TLS mode to be set to MUTUAL.
+When multiple certificates are provided via credential_names or tls_certificates,
+the subject alternate names are validated against the selected certificate.