Standardizing Behavior for Invalid BackendTLSPolicy #3516
Description
Related to:
GEP: TLS from Gateway to Backend for Ingress (#1897)
In recent discussions regarding the implementation of the BackendTLSPolicy, several concerns have been raised regarding the handling of invalid policies. Notably, there are significant security implications if an invalid BackendTLSPolicy results in the Gateway connecting to the backend over plain HTTP.
Current implementations:
- NGINX: if a BackendTLSPolicy is invalid (e.g., if the ca.crt data field does not contain a valid certificate), the ResolvedRefs condition in the associated HTTPRoute is set to false with the reason UnsupportedValue, resulting in all traffic receiving an HTTP 500 error. cc @ciarams87
- Envoy: an invalid BackendTLSPolicy also leads to HTTP 500 errors. However, unlike NGINX, the status of the invalid policy is only reflected in the BackendTLSPolicy itself and is not propagated to the HTTPRoute. cc @arkodg
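As an added illustration (not code from the Gateway API project or from either implementation named above), the following Go program models the fail-closed handling both implementations already share: every CA reference of the policy is resolved, the referenced `ca.crt` PEM must parse as a CA certificate, and any failure sets a ResolvedRefs-style condition to false and refuses traffic rather than falling back to plaintext. The struct fields, the `ConfigMapStore`, and the reason strings other than the `UnsupportedValue` quoted above are simplified, hypothetical stand-ins for the real API types; the self-signed CA is constructed at runtime so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical, simplified mirror of the policy fields discussed in the issue: a
// BackendTLSPolicy validates the backend against CA certificates referenced from
// ConfigMaps whose "ca.crt" key holds PEM data. Not the real Gateway API types.
type CACertRef struct{ Kind, Name string }

type BackendTLSPolicy struct {
	Hostname          string
	CACertificateRefs []CACertRef
}

// ConfigMapStore maps ConfigMap name -> data keys, like the Kubernetes object.
type ConfigMapStore map[string]map[string]string

// Resolution models the status and traffic decision: a ResolvedRefs-style
// condition with a reason, and whether traffic may reach the backend at all.
type Resolution struct {
	ResolvedRefs bool
	Reason       string
	AllowTraffic bool // false => fail closed (HTTP 500); never a plaintext fallback
}

// ParseCABundle accepts the PEM only if it holds at least one CERTIFICATE block
// and every block parses as an X.509 certificate flagged as a CA.
func ParseCABundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for rest := data; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		if !cert.IsCA {
			return nil, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("ca.crt contains no PEM certificate")
	}
	return certs, nil
}

// Resolve checks every reference; any failure yields ResolvedRefs=false and
// AllowTraffic=false. "UnsupportedValue" is the reason the issue quotes for
// invalid ca.crt data; the other reason strings are illustrative placeholders.
func Resolve(p BackendTLSPolicy, store ConfigMapStore) Resolution {
	fail := func(reason string) Resolution { return Resolution{Reason: reason} }
	if len(p.CACertificateRefs) == 0 {
		return fail("NoCACertificateRefs")
	}
	for _, ref := range p.CACertificateRefs {
		if ref.Kind != "ConfigMap" {
			return fail("InvalidKind")
		}
		cm, ok := store[ref.Name]
		if !ok {
			return fail("RefNotFound")
		}
		if _, err := ParseCABundle([]byte(cm["ca.crt"])); err != nil {
			return fail("UnsupportedValue")
		}
	}
	return Resolution{ResolvedRefs: true, Reason: "ResolvedRefs", AllowTraffic: true}
}

// NewSelfSignedCAPEM builds a throwaway CA (constructed input) so the example runs offline.
func NewSelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-backend-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := NewSelfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	store := ConfigMapStore{"good-ca": {"ca.crt": string(caPEM)}, "bad-ca": {"ca.crt": "not a certificate"}}
	for _, name := range []string{"good-ca", "bad-ca", "missing"} {
		p := BackendTLSPolicy{Hostname: "backend.example", CACertificateRefs: []CACertRef{{"ConfigMap", name}}}
		fmt.Printf("%-8s -> %+v\n", name, Resolve(p, store))
	}
}
```

The point the example makes is the one the issue raises: the only safe default for an unresolvable or malformed CA reference is to deny traffic with a clear status reason, so that a misconfiguration is visible in status rather than silently downgrading the backend connection.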
What would you like to be added:
Update the Gateway API specification for the BackendTLSPolicy to clearly define the expected behavior for invalid policies, including specific HTTP error codes and status indications, rather than leaving it implementation-specific.
Why this is needed:
This update is essential to ensure consistent handling of invalid BackendTLSPolicies across different implementations. Furthermore, the insights and best practices established for the BackendTLSPolicy can serve as general guidelines for specifying the behavior of resources with invalid policies attached.