AlinsRan opened a new pull request, #2792: URL: https://github.com/apache/apisix-ingress-controller/pull/2792
## What this does

Adds support for **downstream (client) mTLS** on Gateway API listeners via `spec.listeners[].tls.frontendValidation`. When a `Terminate` listener sets `frontendValidation.caCertificateRefs`, the controller resolves the referenced CA certificate and configures the translated APISIX SSL object's `client` field, so the data plane requires connecting clients to present a certificate signed by one of the trusted CAs during the TLS handshake.

Closes #2781

## Design

- **CA source**: a `ConfigMap` holding the CA under the `ca.crt` key — the Gateway API *Core* support level for `frontendValidation`. The CA is validated to contain a PEM `CERTIFICATE` block; non-`ConfigMap`/non-core-group refs are rejected with an `InvalidCertificateRef` listener condition.
- **Scope**: applies to `Terminate` listeners (where `frontendValidation` is defined). Multiple `caCertificateRefs` are bundled into a single trust anchor.

## Changes

- `internal/adc/translator/gateway.go`: `translateFrontendValidation` builds `SSL.client.ca` from the referenced CA ConfigMaps.
- `internal/ssl/util.go`: `ExtractCAFromConfigMap` reads `ca.crt` (Data/BinaryData) and validates it contains a PEM certificate.
- `internal/provider/provider.go`: `TranslateContext` gains a `ConfigMaps` map.
- `internal/controller/gateway_controller.go`: load CA ConfigMaps in `processListenerConfig`; watch ConfigMaps and enqueue affected Gateways.
- `internal/controller/indexer/indexer.go`: index Gateways by CA ConfigMap references so ConfigMap changes trigger reconciliation.
- `internal/controller/utils.go`: listener status validation for `frontendValidation` (group/kind, ReferenceGrant for cross-namespace refs, existence, malformed CA) → sets `ResolvedRefs`/`Programmed`.
- RBAC: add `configmaps` get/list/watch.
- Docs: document `frontendValidation` support in `gateway-api.md`.
## Tests

- Unit: `internal/adc/translator/gateway_test.go` — sets client CA, leaves it nil when absent, errors on missing ConfigMap / unsupported group/kind / malformed CA.
- E2E: `test/e2e/gatewayapi/gateway.go` — verifies the data plane SSL object carries the expected `client.ca`.
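A stand-alone model of the CA resolution and bundling step this PR describes (reading `ca.crt` from Data or BinaryData, accepting only parseable PEM `CERTIFICATE` blocks, and bundling several `caCertificateRefs` into one trust anchor), added here as an illustration and not the PR's own code; `ConfigMap` is a minimal stand-in for the Kubernetes object, and `BundleCAs` and `selfSignedCAPEM` are assumed names, with the CA minted inline as constructed sample input:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// ConfigMap is a stand-in for the Kubernetes object (assumption: only the fields the lookup needs).
type ConfigMap struct{ Name string; Data map[string]string; BinaryData map[string][]byte }

// BundleCAs resolves ca.crt from each referenced ConfigMap (Data first, then BinaryData), keeps only
// parseable CERTIFICATE blocks and concatenates them into the single client.ca trust anchor.
func BundleCAs(cms []ConfigMap) (string, error) {
	var bundle []byte
	for _, cm := range cms {
		raw := []byte(cm.Data["ca.crt"])
		if len(raw) == 0 {
			raw = cm.BinaryData["ca.crt"]
		}
		found := 0
		for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue // e.g. a private key pasted by mistake never becomes a trust anchor
			}
			if _, err := x509.ParseCertificate(block.Bytes); err != nil {
				return "", fmt.Errorf("configmap %q: malformed CA certificate: %w", cm.Name, err)
			}
			bundle = append(bundle, pem.EncodeToMemory(block)...)
			found++
		}
		if found == 0 { // missing key, non-PEM content, or no CERTIFICATE block: reject the reference
			return "", fmt.Errorf("configmap %q: no PEM CERTIFICATE block under ca.crt", cm.Name)
		}
	}
	return string(bundle), nil
}

// selfSignedCAPEM mints a throwaway CA so the sample input is constructed inline.
func selfSignedCAPEM(cn string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

One malformed or empty reference fails the whole bundle, mirroring the listener being marked `InvalidCertificateRef` rather than silently trusting a partial set.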
