Packages > pkg.pkl-lang.org/pkl-pantry/k8s.networking.gateway > k8s.networking.gateway.v1alpha3.BackendTLSPolicy

Validation1.0.0

Properties
Methods

class Validation

Validation contains backend TLS validation configuration.

Known subtypes in package:
Known usages in package:
All versions:

Properties

link
caCertificateRefs: Listing<CaCertificateRef>(length <= 8)?Source

CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertificateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation.

A CACertificateRef is invalid if:
- It refers to a resource that cannot be resolved (e.g., the referenced resource does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key named ca.crt). In this case, the Reason must be set to InvalidCACertificateRef and the Message of the Condition must indicate which reference is invalid and why.
- It refers to an unknown or unsupported kind of resource. In this case, the Reason must be set to InvalidKind and the Message of the Condition must explain which kind of resource is unknown or unsupported.
- It refers to a resource in another namespace. This may change in future spec updates.
Implementations MAY choose to perform further validation of the certificate content (e.g., checking expiry or enforcing specific formats). In such cases, an implementation-specific Reason and Message must be set for the invalid reference.

In all cases, the implementation MUST ensure the ResolvedRefs Condition on the BackendTLSPolicy is set to status: False, with a Reason and Message that indicate the cause of the error. Connections using an invalid CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error response. If ALL CACertificateRefs are invalid, the implementation MUST also ensure the Accepted Condition on the BackendTLSPolicy is set to status: False, with a Reason NoValidCACertificate.

A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.

Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt.

Support: Implementation-specific - More than one reference, other kinds of resources, or a single reference that includes multiple certificates.
link
hostname: String(length.isBetween(1, 253), matches(Regex(#"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"#)))Source

Hostname is used for two purposes in the connection between Gateways and backends:
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified.
3. If SubjectAltNames are specified, Hostname can be used for certificate selection but MUST NOT be used for authentication. If you want to use the value of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
Support: Core
link

subjectAltNames: Listing<SubjectAltName>(length <= 5)?Source

SubjectAltNames contains one or more Subject Alternative Names. When specified the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames.

Support: Extended
link

wellKnownCACertificates: "System"?Source

WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.

If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field, or the supplied value is not recognized, the implementation MUST ensure the Accepted Condition on the BackendTLSPolicy is set to status: False, with a Reason Invalid.

Support: Implementation-specific

Methods(show inherited)

link

function

Any.getClass(): Class (pkl.base)Source

Returns the class of this.
link

function

Any.toString(): String (pkl.base)Source

Returns a string representation of this.

This method is used to convert the values of string interpolation expressions to strings.
link

function

Any.ifNonNull<Result>(transform: (NonNull) -> Result): Result? (pkl.base)Source

Returns this |> transform if this is non-null, and null otherwise.

This method is the complement of the ?? operator and the equivalent of an Option type's map and flatMap methods.
link

function

Typed.hasProperty(name: String): Boolean (pkl.base)Source

Tells if this object has a property with the given name.
link

function

Typed.getProperty(name: String): unknown (pkl.base)Source

Returns the value of the property with the given name.

Throws if a property with this name does not exist.
link

function

Typed.getPropertyOrNull(name: String): unknown? (pkl.base)Source

Returns the value of the property with the given name.

Returns null if a property with this name does not exist.
link

function

Typed.toDynamic(): Dynamic (pkl.base)Source

Converts this object to a Dynamic object.
link

function

Typed.toMap(): Map<String, unknown> (pkl.base)Source

Converts this object to a Map.