Configure Mutual TLS Termination in a Gateway

[frankbu]

What would you like to be added:

GatewayTLSConfig should support 3 variants of Terminate mode:

1. Simple TLS
2. Mutual (mTLS)
3. Mesh (Terminate mTLS managed by a mesh) - GAMMA only

Why this is needed:

The required certificateRef depends on which of the above Terminate modes is used.

This can currently be supported using an implementation-specific option. Istio, for example, has:

    tls:
      mode: Terminate
      certificateRefs:
      - name: example-credential
      options:
        gateway.istio.io/tls-terminate-mode: MUTUAL

Providing a standard API for this would be much better.

[robscott]

I think this is at least partially addressed by #2080.

/cc @arkodg

[arkodg]

yes 2. should be addressed by #2080, which should also enable the capability for 3. (mTLS for Gateways in a mesh)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[frankbu]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[robscott]

@frankbu I think this issue may need to be split up into smaller pieces. We're definitely making progress towards what I'd call "manually-configured frontend and backend mTLS" with both Arko's GEP (#2080) and BackendTLSPolicy. It's possible that some automation could be built on top of that as well. I think what you're really focused on here is some kind of standardized way to sign up for the UX that is common among Service meshes - automatic mTLS everywhere. If that's the case, I'd recommend a separate issue focused on just that part.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten