AlinsRan opened a new pull request, #2792:
URL: https://github.com/apache/apisix-ingress-controller/pull/2792

## What this does

Adds support for **downstream (client) mTLS** on Gateway API listeners via `spec.listeners[].tls.frontendValidation`.

When a `Terminate` listener sets `frontendValidation.caCertificateRefs`, the controller resolves the referenced CA certificate and configures the translated APISIX SSL object's `client` field, so the data plane requires connecting clients to present a certificate signed by one of the trusted CAs during the TLS handshake.

Closes #2781

## Design

- **CA source**: a `ConfigMap` holding the CA under the `ca.crt` key — the Gateway API *Core* support level for `frontendValidation`. The CA is validated to contain a PEM `CERTIFICATE` block; non-`ConfigMap`/non-core-group refs are rejected with an `InvalidCertificateRef` listener condition.
- **Scope**: applies to `Terminate` listeners (where `frontendValidation` is defined). Multiple `caCertificateRefs` are bundled into a single trust anchor.

## Changes

- `internal/adc/translator/gateway.go`: `translateFrontendValidation` builds `SSL.client.ca` from the referenced CA ConfigMaps.
- `internal/ssl/util.go`: `ExtractCAFromConfigMap` reads `ca.crt` (Data/BinaryData) and validates it contains a PEM certificate.
- `internal/provider/provider.go`: `TranslateContext` gains a `ConfigMaps` map.
- `internal/controller/gateway_controller.go`: load CA ConfigMaps in `processListenerConfig`; watch ConfigMaps and enqueue affected Gateways.
- `internal/controller/indexer/indexer.go`: index Gateways by CA ConfigMap references so ConfigMap changes trigger reconciliation.
- `internal/controller/utils.go`: listener status validation for `frontendValidation` (group/kind, ReferenceGrant for cross-namespace refs, existence, malformed CA) → sets `ResolvedRefs`/`Programmed`.
- RBAC: add `configmaps` get/list/watch.
- Docs: document `frontendValidation` support in `gateway-api.md`.

## Tests

- Unit: `internal/adc/translator/gateway_test.go` — sets client CA, leaves it nil when absent, errors on missing ConfigMap / unsupported group/kind / malformed CA.
- E2E: `test/e2e/gatewayapi/gateway.go` — verifies the data plane SSL object carries the expected `client.ca`.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
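As an added illustration of the CA-resolution step the pull request describes (this is example code, not code from the PR or from the apisix-ingress-controller repository): a minimal Go version of reading `ca.crt` from a ConfigMap (Data first, then BinaryData), rejecting it as a malformed CA unless it holds a PEM `CERTIFICATE` block, and bundling several `caCertificateRefs` into the single trust anchor that would be placed in `SSL.client.ca`. The `configMap` type and the `namespace/name`-keyed store are assumptions standing in for the real Kubernetes objects and client cache.

```go
package main

import (
	"encoding/pem"
	"fmt"
)

const caKey = "ca.crt" // ConfigMap key the Gateway API core support level uses for the CA

// configMap is a minimal stand-in for corev1.ConfigMap (an assumption of this example).
type configMap struct {
	Name       string // "namespace/name"
	Data       map[string]string
	BinaryData map[string][]byte
}

// extractCA reads ca.crt (Data, then BinaryData) and rejects it unless a PEM CERTIFICATE block decodes.
func extractCA(cm configMap) ([]byte, error) {
	raw := []byte(cm.Data[caKey])
	if len(raw) == 0 {
		raw = cm.BinaryData[caKey]
	}
	if len(raw) == 0 {
		return nil, fmt.Errorf("configmap %s: missing or empty key %q", cm.Name, caKey)
	}
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			return raw, nil // at least one CA certificate present; keep the full PEM as-is
		}
	}
	return nil, fmt.Errorf("configmap %s: malformed CA, no PEM CERTIFICATE block", cm.Name)
}

// bundleCAs resolves each caCertificateRef and concatenates the PEMs into the single trust
// anchor written to SSL.client.ca; one missing or malformed ref fails the whole listener.
func bundleCAs(refs []string, store map[string]configMap) (string, error) {
	var bundle []byte
	for _, ref := range refs {
		cm, ok := store[ref]
		if !ok {
			return "", fmt.Errorf("configmap %s: not found", ref)
		}
		ca, err := extractCA(cm)
		if err != nil {
			return "", err
		}
		bundle = append(bundle, ca...)
	}
	return string(bundle), nil
}
```

A missing ConfigMap, a ConfigMap without `ca.crt`, and a non-PEM value each surface as a distinct error, which is what the listener's `ResolvedRefs` condition would report.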