envoyproxy · zhaohuabing · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024
@@ -7,6 +7,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
 const (
@@ -87,6 +88,11 @@ type EnvoyProxySpec struct {
 	// +optional
 	Shutdown *ShutdownConfig `json:"shutdown,omitempty"`
 
+	// TLS is the TLS configuration for the Envoy proxy to use when connecting to
+	// backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+	// +optional
+	TLS *EnvoyTLSConfig `json:"tls,omitempty"`
+
 	// FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
 	// If unspecified, the default filter order is applied.
 	// Default filter order is:
@@ -172,6 +178,15 @@ const (
 	EnvoyFilterRouter EnvoyFilter = "envoy.filters.http.router"
 )
 
+// EnvoyTLSConfig describes the TLS configuration for Envoy Proxy.
+type EnvoyTLSConfig struct {
+	// ClientCertRef defines the reference to a Kubernetes Secret that contains
+	// the client certificate and private key for Envoy to use when connecting to
+	// backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+	// +optional
+	ClientCertRef *gwapiv1.SecretObjectReference `json:"clientCertRef,omitempty"`
+}
+
 type ProxyTelemetry struct {
 	// AccessLogs defines accesslog parameters for managed proxies.
 	// If unspecified, will send default format to stdout.

@@ -6698,6 +6698,58 @@ spec:
                     - provider
                     type: object
                 type: object
+              tls:
+                description: |-
+                  TLS is the TLS configuration for the Envoy proxy to use when connecting to
+                  backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+                properties:
+                  clientCertRef:
+                    description: |-
+                      ClientCertRef defines the reference to a Kubernetes Secret that contains
+                      the client certificate and private key for Envoy to use when connecting to
+                      backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+                    properties:
+                      group:
+                        default: ""
+                        description: |-
+                          Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                          When unspecified or empty string, core API group is inferred.
+                        maxLength: 253
+                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                      kind:
+                        default: Secret
+                        description: Kind is kind of the referent. For example "Secret".
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                        type: string
+                      name:
+                        description: Name is the name of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      namespace:
+                        description: |-
+                          Namespace is the namespace of the referenced object. When unspecified, the local
+                          namespace is inferred.
+
+
+                          Note that when a namespace different than the local namespace is specified,
+                          a ReferenceGrant object is required in the referent namespace to allow that
+                          namespace's owner to accept the reference. See the ReferenceGrant
+                          documentation for details.
+
+
+                          Support: Core
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
             type: object
           status:
             description: EnvoyProxyStatus defines the actual state of EnvoyProxy.

@@ -1115,6 +1115,7 @@ _Appears in:_
 | `extraArgs` | _string array_ |  false  | ExtraArgs defines additional command line options that are provided to Envoy.<br />More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options<br />Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. |
 | `mergeGateways` | _boolean_ |  false  | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.<br />Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.<br />This means that the port, protocol and hostname tuple must be unique for every listener.<br />If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. |
 | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ |  false  | Shutdown defines configuration for graceful envoy shutdown process. |
+| `tls` | _[EnvoyTLSConfig](#envoytlsconfig)_ |  false  | TLS is the TLS configuration for the Envoy proxy to use when connecting to<br />backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc. |
 
 
 
@@ -1136,6 +1137,20 @@ _Appears in:_
 | `type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment` | ClusterLoadAssignmentEnvoyResourceType defines the Type URL of the ClusterLoadAssignment resource<br /> | 
 
 
+#### EnvoyTLSConfig
+
+
+
+EnvoyTLSConfig describes the TLS configuration for Envoy Proxy.
+
+_Appears in:_
+- [EnvoyProxySpec](#envoyproxyspec)
+
+| Field | Type | Required | Description |
+| ---   | ---  | ---      | ---         |
+| `clientCertRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  false  | ClientCertRef defines the reference to a Kubernetes Secret that contains<br />the client certificate and private key for Envoy to use when connecting to<br />backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc. |
+
+
 #### ExtAuth