During our recent discussion, we identified a need to balance strict field validation with the requirements of Gateway API conformance tests, while also ensuring secure configuration for egress traffic.
Currently, strict validation on certain fields can cause conformance tests to fail if they don't provide all fields that we might ideally want. However, for egress traffic, missing specific fields can lead to insecure configurations.
- Short-Term: Relax Validation for Conformance
The controller will relax strict validation regarding the simultaneous presence of both fields (tls.CertificateRef and FrontendTLSValidation.CACertificateRefs). The controller will program the Gateway anyway to allow conformance tests to pass.
We will rely on documentation to guide users on maintaining good hygiene and providing both fields.
- Long-Term: Egress-Specific GatewayClass
Egress Traffic Behavior: We will enforce strict validation specifically for egress traffic.
We could introduce a specific GatewayClass dedicated to egress traffic.
Gateways created using this specific egress GatewayClass will be subject to the strict validation mentioned above.
If a Gateway belonging to this egress class is created without the required validation (i.e., missing the CA reference when a certificate reference is provided), the controller will set the Programmed status condition to False.
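A sketch of the class-scoped check described above, added here as an illustration and not taken from the controller's code. The struct types are simplified stand-ins for the Gateway fields, and the class name `example-egress` and the reason strings are assumptions.

```go
package main

import "fmt"

// Simplified stand-ins for the Gateway fields named in the proposal; these are
// not the Gateway API Go types.
type Listener struct {
	Name              string
	CertificateRef    string   // tls.CertificateRef ("" means unset)
	CACertificateRefs []string // FrontendTLSValidation.CACertificateRefs
}

type Gateway struct {
	GatewayClassName string
	Listeners        []Listener
}

type Condition struct{ Type, Status, Reason, Message string }

// Hypothetical name for the dedicated egress GatewayClass.
const egressClass = "example-egress"

// ProgrammedCondition applies strict validation only to the egress class.
// Gateways of any other class are programmed even when the CA reference is missing.
func ProgrammedCondition(gw Gateway) Condition {
	if gw.GatewayClassName == egressClass {
		for _, l := range gw.Listeners {
			if l.CertificateRef != "" && len(l.CACertificateRefs) == 0 {
				return Condition{"Programmed", "False", "Invalid", // reason string is assumed
					fmt.Sprintf("listener %q: certificate reference set without a CA reference", l.Name)}
			}
		}
	}
	return Condition{"Programmed", "True", "Programmed", ""}
}

func main() {
	// Constructed sample Gateways.
	noCA := []Listener{{Name: "tls", CertificateRef: "client-cert"}}
	withCA := []Listener{{"tls", "client-cert", []string{"upstream-ca"}}}
	for _, gw := range []Gateway{
		{"example-ingress", noCA},
		{"example-egress", noCA},
		{"example-egress", withCA},
	} {
		c := ProgrammedCondition(gw)
		fmt.Printf("%s: Programmed=%s %s\n", gw.GatewayClassName, c.Status, c.Message)
	}
}
```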