fix client backend mtls secrets updates (envoyproxy#3526)

* ensure that whenver client backend mtls secrets are updated, the latest secrets are used

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* updating

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

---------

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

internal/gatewayapi/backendtlspolicy.go

@@ -82,32 +82,32 @@ func (t *Translator) processBackendTLSPolicy(
 	return tlsBundle, policy
 }
 
-func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsBundle *ir.TLSUpstreamConfig, resources *Resources, parent gwapiv1a2.ParentReference) *ir.TLSUpstreamConfig {
+func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *Resources, parent gwapiv1a2.ParentReference) *ir.TLSUpstreamConfig {
 	ep := resources.EnvoyProxy
 
-	if ep == nil || ep.Spec.BackendTLS == nil {
-		return tlsBundle
+	if ep == nil || ep.Spec.BackendTLS == nil || tlsConfig == nil {
+		return tlsConfig
 	}
 
 	if len(ep.Spec.BackendTLS.Ciphers) > 0 {
-		tlsBundle.Ciphers = ep.Spec.BackendTLS.Ciphers
+		tlsConfig.Ciphers = ep.Spec.BackendTLS.Ciphers
 	}
 	if len(ep.Spec.BackendTLS.ECDHCurves) > 0 {
-		tlsBundle.ECDHCurves = ep.Spec.BackendTLS.ECDHCurves
+		tlsConfig.ECDHCurves = ep.Spec.BackendTLS.ECDHCurves
 	}
 	if len(ep.Spec.BackendTLS.SignatureAlgorithms) > 0 {
-		tlsBundle.SignatureAlgorithms = ep.Spec.BackendTLS.SignatureAlgorithms
+		tlsConfig.SignatureAlgorithms = ep.Spec.BackendTLS.SignatureAlgorithms
 	}
 	if ep.Spec.BackendTLS.MinVersion != nil {
-		tlsBundle.MinVersion = ptr.To(ir.TLSVersion(*ep.Spec.BackendTLS.MinVersion))
+		tlsConfig.MinVersion = ptr.To(ir.TLSVersion(*ep.Spec.BackendTLS.MinVersion))
 	}
 	if ep.Spec.BackendTLS.MaxVersion != nil {
-		tlsBundle.MaxVersion = ptr.To(ir.TLSVersion(*ep.Spec.BackendTLS.MaxVersion))
+		tlsConfig.MaxVersion = ptr.To(ir.TLSVersion(*ep.Spec.BackendTLS.MaxVersion))
 	}
 	if len(ep.Spec.BackendTLS.ALPNProtocols) > 0 {
-		tlsBundle.ALPNProtocols = make([]string, len(ep.Spec.BackendTLS.ALPNProtocols))
+		tlsConfig.ALPNProtocols = make([]string, len(ep.Spec.BackendTLS.ALPNProtocols))
 		for i := range ep.Spec.BackendTLS.ALPNProtocols {
-			tlsBundle.ALPNProtocols[i] = string(ep.Spec.BackendTLS.ALPNProtocols[i])
+			tlsConfig.ALPNProtocols[i] = string(ep.Spec.BackendTLS.ALPNProtocols[i])
 		}
 	}
 	if ep.Spec.BackendTLS != nil && ep.Spec.BackendTLS.ClientCertificateRef != nil {
@@ -121,7 +121,7 @@ func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendT
 				t.GatewayControllerName,
 				policy.Generation,
 				status.Error2ConditionMsg(fmt.Errorf("client authentication TLS secret is not located in the same namespace as Envoyproxy. Secret namespace: %s does not match Envoyproxy namespace: %s", ns, ep.Namespace)))
-			return tlsBundle
+			return tlsConfig
 		}
 		secret := resources.GetSecret(ns, string(ep.Spec.BackendTLS.ClientCertificateRef.Name))
 		if secret == nil {
@@ -131,12 +131,12 @@ func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendT
 				policy.Generation,
 				status.Error2ConditionMsg(fmt.Errorf("failed to locate TLS secret for client auth: %s in namespace: %s", ep.Spec.BackendTLS.ClientCertificateRef.Name, ns)),
 			)
-			return tlsBundle
+			return tlsConfig
 		}
 		tlsConf := irTLSConfigs(secret)
-		tlsBundle.ClientCertificates = tlsConf.Certificates
+		tlsConfig.ClientCertificates = tlsConf.Certificates
 	}
-	return tlsBundle
+	return tlsConfig
 }
 
 func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, backendNamespace string) bool {

internal/provider/kubernetes/controller.go

@@ -325,7 +325,7 @@ func (r *gatewayAPIReconciler) processEnvoyProxySecretRef(ctx context.Context, g
 			gatewayapi.KindEnvoyProxy,
 			*certRef); err != nil {
 			r.log.Error(err,
-				"failed to process TLS SecretRef for gateway",
+				"failed to process TLS SecretRef for EnvoyProxy",
 				"gateway", "issue", "secretRef", certRef)
 		}
 	}

internal/provider/kubernetes/indexers.go

@@ -42,6 +42,7 @@ const (
 	configMapBtlsIndex               = "configMapBtlsIndex"
 	backendEnvoyExtensionPolicyIndex = "backendEnvoyExtensionPolicyIndex"
 	backendEnvoyProxyTelemetryIndex  = "backendEnvoyProxyTelemetryIndex"
+	secretEnvoyProxyIndex            = "secretEnvoyProxyIndex"
 )
 
 func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error {
@@ -111,11 +112,32 @@ func backendHTTPRouteIndexFunc(rawObj client.Object) []string {
 	return backendRefs
 }
 
+func secretEnvoyProxyIndexFunc(rawObj client.Object) []string {
+	ep := rawObj.(*v1alpha1.EnvoyProxy)
+	var secretReferences []string
+	if ep.Spec.BackendTLS != nil {
+		if ep.Spec.BackendTLS.ClientCertificateRef != nil {
+			if *ep.Spec.BackendTLS.ClientCertificateRef.Kind == gatewayapi.KindSecret {
+				secretReferences = append(secretReferences,
+					types.NamespacedName{
+						Namespace: gatewayapi.NamespaceDerefOr(ep.Spec.BackendTLS.ClientCertificateRef.Namespace, ep.Namespace),
+						Name:      string(ep.Spec.BackendTLS.ClientCertificateRef.Name),
+					}.String())
+			}
+		}
+	}
+	return secretReferences
+}
+
 func addEnvoyProxyIndexers(ctx context.Context, mgr manager.Manager) error {
 	if err := mgr.GetFieldIndexer().IndexField(ctx, &v1alpha1.EnvoyProxy{}, backendEnvoyProxyTelemetryIndex, backendEnvoyProxyTelemetryIndexFunc); err != nil {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(ctx, &v1alpha1.EnvoyProxy{}, secretEnvoyProxyIndex, secretEnvoyProxyIndexFunc); err != nil {
+		return err
+	}
+
 	return nil
 }
 

internal/provider/kubernetes/predicates.go

@@ -154,6 +154,38 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo
 		return true
 	}
 
+	if r.isEnvoyProxyReferencingSecret(&nsName) {
+		return true
+	}
+
+	return false
+}
+
+func (r *gatewayAPIReconciler) isEnvoyProxyReferencingSecret(nsName *types.NamespacedName) bool {
+	epList := &egv1a1.EnvoyProxyList{}
+	if err := r.client.List(context.Background(), epList, &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(secretEnvoyProxyIndex, nsName.String()),
+	}); err != nil {
+		r.log.Error(err, "unable to find associated Gateways")
+		return false
+	}
+
+	if len(epList.Items) == 0 {
+		return false
+	}
+
+	for _, ep := range epList.Items {
+		if ep.Spec.BackendTLS != nil {
+			if ep.Spec.BackendTLS.ClientCertificateRef != nil {
+				certRef := ep.Spec.BackendTLS.ClientCertificateRef
+				ns := gatewayapi.NamespaceDerefOr(certRef.Namespace, ep.Namespace)
+				if nsName.Name == string(certRef.Name) && nsName.Namespace == ns {
+					return true
+				}
+				continue
+			}
+		}
+	}
 	return false
 }
 

internal/provider/kubernetes/predicates_test.go

@@ -183,12 +183,42 @@ func TestValidateGatewayForReconcile(t *testing.T) {
 // TestValidateSecretForReconcile tests the validateSecretForReconcile
 // predicate function.
 func TestValidateSecretForReconcile(t *testing.T) {
+	mtlsEnabledEnvoyProxyConfig := &v1alpha1.EnvoyProxy{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "mtls-settings",
+		},
+		Spec: v1alpha1.EnvoyProxySpec{
+			BackendTLS: &v1alpha1.BackendTLSConfig{
+				ClientCertificateRef: &gwapiv1.SecretObjectReference{
+					Kind: gatewayapi.KindPtr("Secret"),
+					Name: "client-tls-certificate",
+				},
+				TLSSettings: v1alpha1.TLSSettings{},
+			},
+		},
+	}
 	testCases := []struct {
 		name    string
 		configs []client.Object
 		secret  client.Object
 		expect  bool
 	}{
+		{
+			name: "envoy proxy references a secret",
+			configs: []client.Object{
+				test.GetGatewayClass("test-secret-ref", v1alpha1.GatewayControllerName, &test.GroupKindNamespacedName{
+					Group:     gwapiv1.Group(mtlsEnabledEnvoyProxyConfig.GroupVersionKind().Group),
+					Kind:      gwapiv1.Kind(mtlsEnabledEnvoyProxyConfig.Kind),
+					Namespace: gwapiv1.Namespace(mtlsEnabledEnvoyProxyConfig.Namespace),
+					Name:      gwapiv1.ObjectName(mtlsEnabledEnvoyProxyConfig.Name),
+				}),
+				test.GetSecret(types.NamespacedName{Namespace: mtlsEnabledEnvoyProxyConfig.Namespace, Name: "client-tls-certificate"}),
+				mtlsEnabledEnvoyProxyConfig,
+			},
+			secret: test.GetSecret(types.NamespacedName{Namespace: mtlsEnabledEnvoyProxyConfig.Namespace, Name: "client-tls-certificate"}),
+			expect: true,
+		},
 		{
 			name: "references valid gateway",
 			configs: []client.Object{
@@ -298,6 +328,7 @@ func TestValidateSecretForReconcile(t *testing.T) {
 			WithObjects(tc.configs...).
 			WithIndex(&gwapiv1.Gateway{}, secretGatewayIndex, secretGatewayIndexFunc).
 			WithIndex(&v1alpha1.SecurityPolicy{}, secretSecurityPolicyIndex, secretSecurityPolicyIndexFunc).
+			WithIndex(&v1alpha1.EnvoyProxy{}, secretEnvoyProxyIndex, secretEnvoyProxyIndexFunc).
 			Build()
 		t.Run(tc.name, func(t *testing.T) {
 			res := r.validateSecretForReconcile(tc.secret)

test/e2e/testdata/backend-tls-settings-client-cert-rotation.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFVENDQWZrQ0ZGZ1A5ckEyNFA2NnhXcDRQSnEzY05KdHJYRXBNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1FVXgKQ3pBSkJnTlZCQVlUQWtGVk1STXdFUVlEVlFRSURBcFRiMjFsTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbApjbTVsZENCWGFXUm5hWFJ6SUZCMGVTQk1kR1F3SGhjTk1qUXdOakF5TVRnMU5ESXlXaGNOTWpVd05qQXlNVGcxCk5ESXlXakJGTVFzd0NRWURWUVFHRXdKQlZURVRNQkVHQTFVRUNBd0tVMjl0WlMxVGRHRjBaVEVoTUI4R0ExVUUKQ2d3WVNXNTBaWEp1WlhRZ1YybGtaMmwwY3lCUWRIa2dUSFJrTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBblpYeHQ0Tk5TQVYxT2YyWDBDY1E2clk1eUlKQjRVWlkzVytPSlpQZmZtT0xZSFE5Cld6ZEQyUStCdHpocHNnVmhuZ25XZjVCeDlzbFExakdmSWY3eGFJbDNHcE13S3dsbk1mRlB6d0lxcTc1MHV4bzIKcU9QV1VwTHhoWXl4eVVHU0xXeTZuZ1RHOTBnRjM2MUNsWkJqVWxML2g3M2VHSmMydERVWG85T1k1SFhJc0hnbwp0WlJTWXdJV1kwbjgyMmFTT0tPTCtBeDc0eVV3ODMwSnRxK1RmbDlCbjFZMWNZVjgrNDZqVnhodzBVWHlac1diCk5CdllzQk1jZmFVcmdyWjlSVXYzYlJuNS9kUVFlanMvRzJVOGlmNW9qR0NaSG5nUEFLV0NyS0MxejU1RmVYbEgKSDR1cVJ5ZGRKL1IyYUVsYnkyeUhrSmVEaFRjQmhxUXFIT2dMU1FJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQQpBNElCQVFBTU1ldzg2dmVrM1hpdGNUd25lcnlNOUU0MjVCOVYrd24ya2swYTFNMDhlSGhNU2xHREQ4bG5mb1hKClNhZHEzbStBSlgyNHByZTBJQkMzRlhXajBrdCt5ZXN1dCtQR01jaHR1YXJYOU1PakpPRVk1NFFCRUdBNXJ0TzgKRWM0bWdqNkkzSGxGa2RTbUVkZTJjVTFPMDFlU3JZZG9vWUpmc2RLN1drUWEzNElRb1lPREhPbUFnMnluaVhZbQppSXZaUHkzUHdYSnN5VFNpYi9BMXQ3WEpoS3RIdUxvWGxPTHpVSUFMVkZsRzRNQjRreHcrMlVueFZHdjI0NUg0CjFsTnVaRk1BSXhWMXdZYkplbTFUT1ZLcFdMVmVqWE85SWZvcks1VmdqVzV2TkM1ejU3Um41dDljSGwxUHVhVmQKYk01U2ozU2pMWW52cXNQZ2JReXAxdWc3UEJBUwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ2RsZkczZzAxSUJYVTUKL1pmUUp4RHF0am5JZ2tIaFJsamRiNDRsazk5K1k0dGdkRDFiTjBQWkQ0RzNPR215QldHZUNkWi9rSEgyeVZEVwpNWjhoL3ZGb2lYY2FrekFyQ1djeDhVL1BBaXFydm5TN0dqYW80OVpTa3ZHRmpMSEpRWkl0YkxxZUJNYjNTQVhmCnJVS1ZrR05TVXYrSHZkNFlsemEwTlJlajA1amtkY2l3ZUNpMWxGSmpBaFpqU2Z6YlpwSTRvNHY0REh2akpURHoKZlFtMnI1TitYMEdmVmpWeGhYejdqcU5YR0hEUlJmSm14WnMwRzlpd0V4eDlwU3VDdG4xRlMvZHRHZm45MUJCNgpPejhiWlR5Si9taU1ZSmtlZUE4QXBZS3NvTFhQbmtWNWVVY2ZpNnBISjEwbjlIWm9TVnZMYkllUWw0T0ZOd0dHCnBDb2M2QXRKQWdNQkFBRUNnZ0VBVVN0ejl4K2x4ZXd4eHE0TjdZVEIzUFFCN1hyU3JsUEs0RHhlenBKTmMwK1kKOGhUTnFkZGNsa2k3ZXdHT3g4aW4wSHlteE14Rk4yWFl3b3VLdVRzVlk5QXl6amgwZmlaNHhpdlMvUURUcytVRgpRWDZ1R3U1SWJmNE1jOHJWcEtHbXhza1RrdU5KRFFSSEtrQ1haR3ljREVKK0pwQXcveCtjYU5SVUdlbWEva215CklrZ0FRMUpxQ1lFNTJKUG1PWGRhL3VjMEJtMGYyQkFZUmh6V3JmRGV4SnlzelloMDdhNHNWVW9FRXlxbjlFV2EKbVZOQkV2SzQwVm1KVFcyV1ZuN3lZUnk2OUgvbGl2cGZWdG1RbE9SaVBkYXRaK1RUaXA2VHF2SFIwNHZyam1pMApQUXdhbkJmN3Z6aE9SU3Z1VDhOUEtWV1pkeHAxQm1JaWtrUmpSYjRyMFFLQmdRRE0yaWk5QXowZDVSbnZzV24zClJrWlNZbG1CaHhROGFKajBqY1l0cHBycEQ3ZFgvbGh4dDRHNFBSVWx5QTcwSmFMOVBrTVhZcklhNlpJMUQyRC8Kb2ZSbFoybE9HMUtnVVVTUW42bFFiaWo3NkdyaFhlOXhvRDE5eEdEai9HWTFSRDB1VGI5OWhtU1lyVzJySnREQwpMWG0vWUV1TjJGc2N4Q3QzOHhBVWl1bzZiUUtCZ1FERTdwV1laa3RzeXcyTkJhRmo1NXZJYkcyVjhkUk9vdzFsCnY4cWxsMllHWXpHWEJzNlBodzlGMUNzcjl4dm9HNmhPR1hFNmxOL25RZGtxTEtONEJqM25lNXZJMGUxKzI0TG0Ka0lZK0ltTWo1U2w4QzFuUzR3MVFVTlREYWIyakhackFXd0hJQlBUdFYzbDdMY3cvQXh5NnRjcVJ2alpoQjVnZAplL1N3RStzS3pRS0JnQm5wbHJHaUVUOFExZUVPRGh0clZrWGhqdlRsZzFmSTIyQkQ5c2ViaFlqcHBnV0pkT0tkCmxka2FVT3lBaS9PeU54WFZwR0wyNXhTa2F3d3ZMOVBtUnFYMUdNcjZoYzhsdUlpYXlhNFU0VFpNUmdqUCt4UGkKY3lUUGpIb0tXVnR2a0ZXbEhBM2l6Q0xML1UxakVaRWVjNElUeWpyZEhWbGNMeXR6SVp1WG50MVpBb0dBQUxsago0WENXM0dxT3ZUTUZHZW56SDdTT1hwdktEUlA2YTZKZDYyZjRIeFBrVGNyZm5aV0FqK0FzM0hlSEtiNVlTeGs2CjJsMUx5WHpyZ0lVemdMQjlMOG03ayt4NXRCcTRpNEtDaTkzeWdXSkpXY1JzNnlLY25Pdi9MRXpLUHJ4UUlsN3oKVGJuKzhKUit4TjR4UHhZUzEvanRLc1lKU3lnTS9pYkRpcFk0S2cwQ2dZQmExL0RYQlVIVWI3UlFWcVBrdVJsYQpHenhVeTd4c3dXQkNVbWtkNkdyUG4vM0pGRW5udTRCdUovUHBRNTNQY1hLTTNWM041Uis2dkVHdHRteWtxRDZZCkp5NjZrQkxMdk1aLzZvUHJzZWxNUUVZZjRwa21CSnlHdHNxOElkR3RZT1dVdXpwbmhuTUdWRG8vODVrUVIvaEwKaUhxQW9TMEJXMDU1eEdsVzVFa2VGZz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+kind: Secret
+metadata:
+  name: client-tls-certificate
+  namespace: envoy-gateway-system
+type: kubernetes.io/tls
+---
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFVENDQWZrQ0ZGZ1A5ckEyNFA2NnhXcDRQSnEzY05KdHJYRXBNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1FVXgKQ3pBSkJnTlZCQVlUQWtGVk1STXdFUVlEVlFRSURBcFRiMjFsTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbApjbTVsZENCWGFXUm5hWFJ6SUZCMGVTQk1kR1F3SGhjTk1qUXdOakF5TVRnMU5ESXlXaGNOTWpVd05qQXlNVGcxCk5ESXlXakJGTVFzd0NRWURWUVFHRXdKQlZURVRNQkVHQTFVRUNBd0tVMjl0WlMxVGRHRjBaVEVoTUI4R0ExVUUKQ2d3WVNXNTBaWEp1WlhRZ1YybGtaMmwwY3lCUWRIa2dUSFJrTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBblpYeHQ0Tk5TQVYxT2YyWDBDY1E2clk1eUlKQjRVWlkzVytPSlpQZmZtT0xZSFE5Cld6ZEQyUStCdHpocHNnVmhuZ25XZjVCeDlzbFExakdmSWY3eGFJbDNHcE13S3dsbk1mRlB6d0lxcTc1MHV4bzIKcU9QV1VwTHhoWXl4eVVHU0xXeTZuZ1RHOTBnRjM2MUNsWkJqVWxML2g3M2VHSmMydERVWG85T1k1SFhJc0hnbwp0WlJTWXdJV1kwbjgyMmFTT0tPTCtBeDc0eVV3ODMwSnRxK1RmbDlCbjFZMWNZVjgrNDZqVnhodzBVWHlac1diCk5CdllzQk1jZmFVcmdyWjlSVXYzYlJuNS9kUVFlanMvRzJVOGlmNW9qR0NaSG5nUEFLV0NyS0MxejU1RmVYbEgKSDR1cVJ5ZGRKL1IyYUVsYnkyeUhrSmVEaFRjQmhxUXFIT2dMU1FJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQQpBNElCQVFBTU1ldzg2dmVrM1hpdGNUd25lcnlNOUU0MjVCOVYrd24ya2swYTFNMDhlSGhNU2xHREQ4bG5mb1hKClNhZHEzbStBSlgyNHByZTBJQkMzRlhXajBrdCt5ZXN1dCtQR01jaHR1YXJYOU1PakpPRVk1NFFCRUdBNXJ0TzgKRWM0bWdqNkkzSGxGa2RTbUVkZTJjVTFPMDFlU3JZZG9vWUpmc2RLN1drUWEzNElRb1lPREhPbUFnMnluaVhZbQppSXZaUHkzUHdYSnN5VFNpYi9BMXQ3WEpoS3RIdUxvWGxPTHpVSUFMVkZsRzRNQjRreHcrMlVueFZHdjI0NUg0CjFsTnVaRk1BSXhWMXdZYkplbTFUT1ZLcFdMVmVqWE85SWZvcks1VmdqVzV2TkM1ejU3Um41dDljSGwxUHVhVmQKYk01U2ozU2pMWW52cXNQZ2JReXAxdWc3UEJBUwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ2RsZkczZzAxSUJYVTUKL1pmUUp4RHF0am5JZ2tIaFJsamRiNDRsazk5K1k0dGdkRDFiTjBQWkQ0RzNPR215QldHZUNkWi9rSEgyeVZEVwpNWjhoL3ZGb2lYY2FrekFyQ1djeDhVL1BBaXFydm5TN0dqYW80OVpTa3ZHRmpMSEpRWkl0YkxxZUJNYjNTQVhmCnJVS1ZrR05TVXYrSHZkNFlsemEwTlJlajA1amtkY2l3ZUNpMWxGSmpBaFpqU2Z6YlpwSTRvNHY0REh2akpURHoKZlFtMnI1TitYMEdmVmpWeGhYejdqcU5YR0hEUlJmSm14WnMwRzlpd0V4eDlwU3VDdG4xRlMvZHRHZm45MUJCNgpPejhiWlR5Si9taU1ZSmtlZUE4QXBZS3NvTFhQbmtWNWVVY2ZpNnBISjEwbjlIWm9TVnZMYkllUWw0T0ZOd0dHCnBDb2M2QXRKQWdNQkFBRUNnZ0VBVVN0ejl4K2x4ZXd4eHE0TjdZVEIzUFFCN1hyU3JsUEs0RHhlenBKTmMwK1kKOGhUTnFkZGNsa2k3ZXdHT3g4aW4wSHlteE14Rk4yWFl3b3VLdVRzVlk5QXl6amgwZmlaNHhpdlMvUURUcytVRgpRWDZ1R3U1SWJmNE1jOHJWcEtHbXhza1RrdU5KRFFSSEtrQ1haR3ljREVKK0pwQXcveCtjYU5SVUdlbWEva215CklrZ0FRMUpxQ1lFNTJKUG1PWGRhL3VjMEJtMGYyQkFZUmh6V3JmRGV4SnlzelloMDdhNHNWVW9FRXlxbjlFV2EKbVZOQkV2SzQwVm1KVFcyV1ZuN3lZUnk2OUgvbGl2cGZWdG1RbE9SaVBkYXRaK1RUaXA2VHF2SFIwNHZyam1pMApQUXdhbkJmN3Z6aE9SU3Z1VDhOUEtWV1pkeHAxQm1JaWtrUmpSYjRyMFFLQmdRRE0yaWk5QXowZDVSbnZzV24zClJrWlNZbG1CaHhROGFKajBqY1l0cHBycEQ3ZFgvbGh4dDRHNFBSVWx5QTcwSmFMOVBrTVhZcklhNlpJMUQyRC8Kb2ZSbFoybE9HMUtnVVVTUW42bFFiaWo3NkdyaFhlOXhvRDE5eEdEai9HWTFSRDB1VGI5OWhtU1lyVzJySnREQwpMWG0vWUV1TjJGc2N4Q3QzOHhBVWl1bzZiUUtCZ1FERTdwV1laa3RzeXcyTkJhRmo1NXZJYkcyVjhkUk9vdzFsCnY4cWxsMllHWXpHWEJzNlBodzlGMUNzcjl4dm9HNmhPR1hFNmxOL25RZGtxTEtONEJqM25lNXZJMGUxKzI0TG0Ka0lZK0ltTWo1U2w4QzFuUzR3MVFVTlREYWIyakhackFXd0hJQlBUdFYzbDdMY3cvQXh5NnRjcVJ2alpoQjVnZAplL1N3RStzS3pRS0JnQm5wbHJHaUVUOFExZUVPRGh0clZrWGhqdlRsZzFmSTIyQkQ5c2ViaFlqcHBnV0pkT0tkCmxka2FVT3lBaS9PeU54WFZwR0wyNXhTa2F3d3ZMOVBtUnFYMUdNcjZoYzhsdUlpYXlhNFU0VFpNUmdqUCt4UGkKY3lUUGpIb0tXVnR2a0ZXbEhBM2l6Q0xML1UxakVaRWVjNElUeWpyZEhWbGNMeXR6SVp1WG50MVpBb0dBQUxsago0WENXM0dxT3ZUTUZHZW56SDdTT1hwdktEUlA2YTZKZDYyZjRIeFBrVGNyZm5aV0FqK0FzM0hlSEtiNVlTeGs2CjJsMUx5WHpyZ0lVemdMQjlMOG03ayt4NXRCcTRpNEtDaTkzeWdXSkpXY1JzNnlLY25Pdi9MRXpLUHJ4UUlsN3oKVGJuKzhKUit4TjR4UHhZUzEvanRLc1lKU3lnTS9pYkRpcFk0S2cwQ2dZQmExL0RYQlVIVWI3UlFWcVBrdVJsYQpHenhVeTd4c3dXQkNVbWtkNkdyUG4vM0pGRW5udTRCdUovUHBRNTNQY1hLTTNWM041Uis2dkVHdHRteWtxRDZZCkp5NjZrQkxMdk1aLzZvUHJzZWxNUUVZZjRwa21CSnlHdHNxOElkR3RZT1dVdXpwbmhuTUdWRG8vODVrUVIvaEwKaUhxQW9TMEJXMDU1eEdsVzVFa2VGZz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+kind: Secret
+metadata:
+  name: client-tls-validation
+  namespace: gateway-conformance-infra
+type: kubernetes.io/tls

test/e2e/testdata/expect/echo-service-tls-settings-new-mtls-secret.yaml

@@ -0,0 +1,28 @@
+---
+tls:
+  cipherSuite: "TLS_AES_128_GCM_SHA256"
+  negotiatedProtocol: "http/1.1"
+  peerCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      MIIDETCCAfkCFFgP9rA24P66xWp4PJq3cNJtrXEpMA0GCSqGSIb3DQEBCwUAMEUx
+      CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+      cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjQwNjAyMTg1NDIyWhcNMjUwNjAyMTg1
+      NDIyWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+      CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+      AQ8AMIIBCgKCAQEAnZXxt4NNSAV1Of2X0CcQ6rY5yIJB4UZY3W+OJZPffmOLYHQ9
+      WzdD2Q+BtzhpsgVhngnWf5Bx9slQ1jGfIf7xaIl3GpMwKwlnMfFPzwIqq750uxo2
+      qOPWUpLxhYyxyUGSLWy6ngTG90gF361ClZBjUlL/h73eGJc2tDUXo9OY5HXIsHgo
+      tZRSYwIWY0n822aSOKOL+Ax74yUw830Jtq+Tfl9Bn1Y1cYV8+46jVxhw0UXyZsWb
+      NBvYsBMcfaUrgrZ9RUv3bRn5/dQQejs/G2U8if5ojGCZHngPAKWCrKC1z55FeXlH
+      H4uqRyddJ/R2aElby2yHkJeDhTcBhqQqHOgLSQIDAQABMA0GCSqGSIb3DQEBCwUA
+      A4IBAQAMMew86vek3XitcTwneryM9E425B9V+wn2kk0a1M08eHhMSlGDD8lnfoXJ
+      Sadq3m+AJX24pre0IBC3FXWj0kt+yesut+PGMchtuarX9MOjJOEY54QBEGA5rtO8
+      Ec4mgj6I3HlFkdSmEde2cU1O01eSrYdooYJfsdK7WkQa34IQoYODHOmAg2yniXYm
+      iIvZPy3PwXJsyTSib/A1t7XJhKtHuLoXlOLzUIALVFlG4MB4kxw+2UnxVGv245H4
+      1lNuZFMAIxV1wYbJem1TOVKpWLVejXO9IforK5VgjW5vNC5z57Rn5t9cHl1PuaVd
+      bM5Sj3SjLYnvqsPgbQyp1ug7PBAS
+      -----END CERTIFICATE-----
+
+  serverName: "example.com"
+  version: "TLSv1.3"

test/e2e/testdata/expect/echo-service-tls-settings-updated-tls-settings.yaml

@@ -0,0 +1,28 @@
+---
+tls:
+  cipherSuite: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+  negotiatedProtocol: "http/1.1"
+  peerCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      MIIDETCCAfkCFFgP9rA24P66xWp4PJq3cNJtrXEpMA0GCSqGSIb3DQEBCwUAMEUx
+      CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+      cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjQwNjAyMTg1NDIyWhcNMjUwNjAyMTg1
+      NDIyWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+      CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+      AQ8AMIIBCgKCAQEAnZXxt4NNSAV1Of2X0CcQ6rY5yIJB4UZY3W+OJZPffmOLYHQ9
+      WzdD2Q+BtzhpsgVhngnWf5Bx9slQ1jGfIf7xaIl3GpMwKwlnMfFPzwIqq750uxo2
+      qOPWUpLxhYyxyUGSLWy6ngTG90gF361ClZBjUlL/h73eGJc2tDUXo9OY5HXIsHgo
+      tZRSYwIWY0n822aSOKOL+Ax74yUw830Jtq+Tfl9Bn1Y1cYV8+46jVxhw0UXyZsWb
+      NBvYsBMcfaUrgrZ9RUv3bRn5/dQQejs/G2U8if5ojGCZHngPAKWCrKC1z55FeXlH
+      H4uqRyddJ/R2aElby2yHkJeDhTcBhqQqHOgLSQIDAQABMA0GCSqGSIb3DQEBCwUA
+      A4IBAQAMMew86vek3XitcTwneryM9E425B9V+wn2kk0a1M08eHhMSlGDD8lnfoXJ
+      Sadq3m+AJX24pre0IBC3FXWj0kt+yesut+PGMchtuarX9MOjJOEY54QBEGA5rtO8
+      Ec4mgj6I3HlFkdSmEde2cU1O01eSrYdooYJfsdK7WkQa34IQoYODHOmAg2yniXYm
+      iIvZPy3PwXJsyTSib/A1t7XJhKtHuLoXlOLzUIALVFlG4MB4kxw+2UnxVGv245H4
+      1lNuZFMAIxV1wYbJem1TOVKpWLVejXO9IforK5VgjW5vNC5z57Rn5t9cHl1PuaVd
+      bM5Sj3SjLYnvqsPgbQyp1ug7PBAS
+      -----END CERTIFICATE-----
+
+  serverName: "example.com"
+  version: "TLSv1.2"