kubernetes-sigs
diff --git a/‎apis/v1alpha2/backendtlspolicy_types.go
Lines changed: 148 additions & 0 deletions b/‎apis/v1alpha2/backendtlspolicy_types.go
Lines changed: 148 additions & 0 deletions
diff --git a/‎apis/v1alpha2/policy_types.go
Lines changed: 34 additions & 19 deletions b/‎apis/v1alpha2/policy_types.go
Lines changed: 34 additions & 19 deletions
@@ -0,0 +1,148 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+// +kubebuilder:resource:categories=gateway-api,shortName=btlspolicy
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// BackendTLSPolicy provides a way to configure how a Gateway
+// connects to a Backend via TLS.
+type BackendTLSPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of BackendTLSPolicy.
+	Spec BackendTLSPolicySpec `json:"spec"`
+
+	// Status defines the current state of BackendTLSPolicy.
+	Status PolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// BackendTLSPolicyList contains a list of BackendTLSPolicies
+type BackendTLSPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BackendTLSPolicy `json:"items"`
+}
+
+// BackendTLSPolicySpec defines the desired state of
+// BackendTLSPolicy.
+// Note: BackendTLSPolicy is a Direct Attached Policy only.
+//
+// Support: Extended
+type BackendTLSPolicySpec struct {
+	// TargetRef identifies an API object to apply the policy to.
+	// Only Services have Extended support. Implementations MAY support
+	// additional objects, with Implementation Specific support.
+	// Note that this config applies to the entire referenced resource
+	// by default, but this default may change in the future to provide
+	// a more granular application of the policy.
+	//
+	// Support: Extended for Kubernetes Service
+	//
+	// Support: Implementation-specific for any other resource
+	//
+	TargetRef PolicyTargetReferenceWithSectionName `json:"targetRef"`
+
+	// TLS contains backend TLS policy configuration.
+	TLS BackendTLSPolicyConfig `json:"tls"`
+}
+
+// BackendTLSPolicyConfig contains backend TLS policy configuration.
+// +kubebuilder:validation:XValidation:message="must not contain both CertRefs and StandardCerts",rule="(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts) && self.wellKnownCACerts != \"\")"
+// +kubebuilder:validation:XValidation:message="must specify either CertRefs or StandardCerts",rule="!(has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts) && self.wellKnownCACerts != \"\")"
+type BackendTLSPolicyConfig struct {
+	// CACertRefs contains one or more references to Kubernetes objects that
+	// contain a PEM-encoded TLS CA certificate bundle, which is used to
+	// validate a TLS handshake between the Gateway and backend Pod.
+	//
+	// If CACertRefs is empty or unspecified, then StandardCerts must
+	// be specified.  Only one of CACertRefs or StandardCerts may be
+	// specified, not both.
+	//
+	// If CACertRefs is empty or unspecified, then system trusted
+	// certificates should be used. If there are none, or the
+	// implementation doesn't define system trusted certificates,
+	// then a TLS connection must fail.
+	//
+	// References to a resource in a different namespace are
+	// invalid for the moment, although we will revisit this
+	// in the future.
+	//
+	// A single CACertRef to a Kubernetes ConfigMap kind has "Core"
+	// support.  Implementations MAY choose to support attaching
+	// multiple certificates to a backend, but this behavior is
+	// implementation-specific.
+	//
+	// Support: Core - An optional single reference to a Kubernetes
+	// ConfigMap, with the CA certificate in a key named `ca.crt`.
+	//
+	// Support: Implementation-specific (More than one reference, or other kinds
+	// of resources).
+	//
+	// +kubebuilder:validation:MaxItems=8
+	// +optional
+	CACertRefs []v1beta1.ObjectReference `json:"caCertRefs,omitempty"`
+
+	// WellKnownCACerts specifies whether system CA certificates may
+	// be used in the TLS handshake between the gateway and
+	// backend pod.
+	//
+	// If WellKnownCACerts is unspecified or set to "", then CACertRefs must
+	// be specified with at least one entry for a valid configuration.
+	// Only one of CACertRefs or WellKnownCACerts may be specified, not both.
+	//
+	// WellKnownCACerts must be set to "System" when CACertRefs is unspecified.
+	//
+	//
+	// Support: Core for "System"
+	//
+	//
+	// +optional
+	WellKnownCACerts *WellKnownCACertType `json:"wellKnownCACerts,omitempty"`
+
+	// Hostname is used for two purposes in the connection between Gateways and
+	// backends:
+	//
+	// 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+	// 2. Hostname MUST be used for authentication and MUST match the certificate
+	//    served by the matching backend.
+	//
+	// Support: Core
+	Hostname v1beta1.PreciseHostname `json:"hostname"`
+}
+
+// WellKnownCACertType is the type of CA certificate that will be used when
+// the TLS.caCertRefs is unspecified.
+// +kubebuilder:validation:Enum=System
+type WellKnownCACertType string
+
+const (
+	// Indicates that standard system CA certificates should be used.
+	WellKnownCACertSystem WellKnownCACertType = "System"
+)
@@ -31,8 +31,6 @@ const (
 	PolicyLabelKey = "gateway.networking.k8s.io/policy"
 )
 
-
-
 // PolicyTargetReference identifies an API object to apply a direct or
 // inherited policy to. This should be used as part of Policy resources
 // that can target Gateway API resources. For more information on how this
@@ -128,12 +126,22 @@ const (
 // PolicyAncestorStatus describes the status of a route with respect to an
 // associated Ancestor.
 //
-// The object that a Policy attaches to (the object in its TargetRef) is its
-// _parent_, and any other objects above it in an object hierarchy are its
-// _ancestors_.
-// 
-// For some Policies, particularly Direct Attached Policies, the relevant object
-// that distinguishes its status is not necessarily the parent object.
+// Ancestors refer to objects that are either the Target of a policy or above it
+// in terms of object hierarchy. For example, if a policy targets a Service, the
+// Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+// the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+// useful object to place Policy status on, so we recommend that implementations
+// SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+// have a _very_ good reason otherwise.
+//
+// In the context of policy attachment, the Ancestor is used to distinguish which
+// resource results in a distinct application of this policy. For example, if a policy
+// targets a Service, it may have a distinct result per attached Gateway.
+//
+// Policies targeting the same resource may have different effects depending on the
+// ancestors of those resources. For example, different Gateways targeting the same
+// Service may have different capabilities, especially if they have different underlying
+// implementations.
 //
 // For example, in BackendTLSPolicy, the Policy attaches to a Service that is
 // used as a backend in a HTTPRoute that is itself attached to a Gateway.
@@ -142,9 +150,12 @@ const (
 //
 // Note that a parent is also an ancestor, so for objects where the parent is the
 // relevant object for status, this struct SHOULD still be used.
+//
+// This struct is intended to be used in a slice that's effectively a map,
+// with a composite key made up of the AncestorRef and the ControllerName.
 type PolicyAncestorStatus struct {
 	// AncestorRef corresponds with a ParentRef in the spec that this
-	// RouteParentStatus struct describes the status of.
+	// PolicyAncestorStatus struct describes the status of.
 	AncestorRef ParentReference `json:"ancestorRef"`
 
 	// ControllerName is a domain/path string that indicates the name of the
@@ -175,24 +186,28 @@ type PolicyAncestorStatus struct {
 // their status.
 type PolicyStatus struct {
 	// Ancestors is a list of ancestor resources (usually Gateways) that are
-	// associated with the route, and the status of the route with respect to
-	// each ancestor. When this route attaches to a parent, the controller that
+	// associated with the policy, and the status of the policy with respect to
+	// each ancestor. When this policy attaches to a parent, the controller that
 	// manages the parent and the ancestors MUST add an entry to this list when
-	// the controller first sees the route and SHOULD update the entry as
+	// the controller first sees the policy and SHOULD update the entry as
 	// appropriate when the relevant ancestor is modified.
 	//
 	// Note that choosing the relevant ancestor is left to the Policy designers;
 	// an important part of Policy design is designing the right object level at
 	// which to namespace this status.
 	//
-	// Note also that parent references that cannot be resolved by an implementation
-	// of this API will not be added to this list. Implementations of this API
-	// can only populate ancestor status for the parent resources they are
-	// responsible for.
+	// Note also that implementations MUST ONLY populate ancestor status for
+	// the Ancestor resources they are responsible for. Implementations MUST
+	// use the ControllerName field to uniquely identify the entries in this list
+	// that they are responsible for.
+	//
+	// Note that to achieve this, the list of PolicyAncestorStatus structs
+	// MUST be treated as a map with a composite key, made up of the AncestorRef
+	// and ControllerName fields combined.
 	//
-	// A maximum of 32 ancestors will be represented in this list. An empty list
+	// A maximum of 8 ancestors will be represented in this list. An empty list
 	// means the Policy is not relevant for any ancestors.
 	//
-	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:MaxItems=8
 	Ancestors []PolicyAncestorStatus `json:"ancestors"`
-}
+}