change api

Signed-off-by: Guy Daich <[email protected]>

api/v1alpha1/tls_types.go

@@ -19,16 +19,15 @@ type ClientTLSSettings struct {
 	// SessionTimeout determines the maximum lifetime of a TLS session.
 	// https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_DEFAULT_SESSION_TIMEOUT
 	// Default: 7200s
+	// +notImplementedHide
 	// +optional
 	SessionTimeout *gwapiv1.Duration `json:"sessionTimeout,omitempty"`
 
-	// StatelessSessionResumption defines setting for stateless (session-ticket based) session resumption
-	// +optional
-	StatelessSessionResumption *StatelessSessionResumptionSettings `json:"statelessSessionResumption,omitempty"`
-
-	// StatefulSessionResumption defines setting for stateful (session-id based) session resumption
-	// +optional
-	StatefulSessionResumption *StatefulSessionResumptionSettings `json:"statefulSessionResumptionSettings,omitempty"`
+	// SessionResumptionSettings determine the proxy's supported TLS session resumption option.
+	// By default, Envoy Gateway does not support session resumption. Users can enable stateful
+	// and stateless session resumption by including them in the sessionResumption list.
+	// +notImplementedHide
+	SessionResumptionSettings []SessionResumptionSettings `json:"sessionResumption,omitempty"`
 }
 
 // +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == '1.3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
@@ -148,35 +147,30 @@ type ClientValidationContext struct {
 	CACertificateRefs []gwapiv1.SecretObjectReference `json:"caCertificateRefs,omitempty"`
 }
 
-// StatelessSessionResumptionSettings defines setting for stateless (session-ticket based) session resumption
-// +kubebuilder:validation:XValidation:rule="(self.enabled == false && self.sessionTicketKeysRef.size() > 0)",message="sessionTicketKeysRef can only be set when enabled is true"
-type StatelessSessionResumptionSettings struct {
-	// Enabled determines if stateless session resumption is supported. When Envoy Proxy is deployed with more than
-	// one replica, session ticket encryption keys are not synchronized between instances, possibly leading to resumption
-	// failures. Users can synchronize session ticket encryption keys be storing them in a secret and using the
-	// sessionTicketKeysRef option.
-	// Note that improper handling of session ticket encryption keys may result in loss of secrecy.
-	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
-	// Default: true
-	Enabled *bool `json:"enabled,omitempty"`
 
-	// SessionTicketKeysRef is a reference to the secret containing the keys to use for encryption and decryption
-	// of session tickets. The first keys is used for encryption and all keys are candidate for decryption.
-	// Users are responsible for securely generating, storing and rotating keys.
-	// If empty, each Envoy Proxy instance will use local in-memory keys.
-	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
-	// +kubebuilder:validation:MaxItems=16
-	// +optional
-	SessionTicketKeysRef []gwapiv1.SecretObjectReference `json:"sessionTicketKeysRef,omitempty"`
-}
+// TLSSessionResumptionType defines the type of TLS session resumption
+type TLSSessionResumptionType string
 
-// StatefulSessionResumptionSettings defines setting for stateful (session-id based) session resumption
-type StatefulSessionResumptionSettings struct {
-	// Enabled determines if stateful session resumption is supported. When Envoy Proxy is deployed with more than
-	// one replica, session caches are not synchronized between instances, possibly leading to resumption failures.
-	// Note that envoy does not re-validate client certificates upon session resumption.
+const (
+	// StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption.
+	// Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized
+	// between instances, possibly leading to resumption failures.
+	// Envoy does not re-validate client certificates upon session resumption.
 	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
-	// Default: true
-	// +optional
-	Enabled *bool `json:"enabled,omitempty"`
+	StatefulTLSSessionResumption TLSSessionResumptionType = "Stateful"
+
+	// StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption.
+	// Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not
+	// synchronized between instances, possibly leading to resumption failures.
+	// In-memory session ticket encryption keys are rotated every 48 hours.
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
+	// https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets
+	StatelessTLSSessionResumption TLSSessionResumptionType = "Stateless"
+)
+
+// SessionResumptionSettings defines supported tls session resumption methods and their associated configuration.
+type SessionResumptionSettings struct {
+	// +kubebuilder:validation:Enum=Stateful;Stateless
+	// +kubebuilder:validation:Required
+	Type TLSSessionResumptionType `json:"type"`
 }

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -808,6 +808,26 @@ spec:
                     - "1.2"
                     - "1.3"
                     type: string
+                  sessionResumption:
+                    description: |-
+                      SessionResumptionSettings determine the proxy's supported TLS session resumption option.
+                      By default, Envoy Gateway does not support session resumption. Users can enable stateful
+                      and stateless session resumption by including them in the sessionResumption list.
+                    items:
+                      description: SessionResumptionSettings defines supported tls
+                        session resumption methods and their associated configuration.
+                      properties:
+                        type:
+                          description: TLSSessionResumptionType defines the type of
+                            TLS session resumption
+                          enum:
+                          - Stateful
+                          - Stateless
+                          type: string
+                      required:
+                      - type
+                      type: object
+                    type: array
                   sessionTimeout:
                     description: |-
                       SessionTimeout determines the maximum lifetime of a TLS session.
@@ -822,99 +842,6 @@ spec:
                     items:
                       type: string
                     type: array
-                  statefulSessionResumptionSettings:
-                    description: StatefulSessionResumption defines setting for stateful
-                      (session-id based) session resumption
-                    properties:
-                      enabled:
-                        description: |-
-                          Enabled determines if stateful session resumption is supported. When Envoy Proxy is deployed with more than
-                          one replica, session caches are not synchronized between instances, possibly leading to resumption failures.
-                          Note that envoy does not re-validate client certificates upon session resumption.
-                          https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
-                          Default: true
-                        type: boolean
-                    type: object
-                  statelessSessionResumption:
-                    description: StatelessSessionResumption defines setting for stateless
-                      (session-ticket based) session resumption
-                    properties:
-                      enabled:
-                        description: |-
-                          Enabled determines if stateless session resumption is supported. When Envoy Proxy is deployed with more than
-                          one replica, session ticket encryption keys are not synchronized between instances, possibly leading to resumption
-                          failures. Users can synchronize session ticket encryption keys be storing them in a secret and using the
-                          sessionTicketKeysRef option.
-                          Note that improper handling of session ticket encryption keys may result in loss of secrecy.
-                          https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
-                          Default: true
-                        type: boolean
-                      sessionTicketKeysRef:
-                        description: |-
-                          SessionTicketKeysRef is a reference to the secret containing the keys to use for encryption and decryption
-                          of session tickets. The first keys is used for encryption and all keys are candidate for decryption.
-                          Users are responsible for securely generating, storing and rotating keys.
-                          If empty, each Envoy Proxy instance will use local in-memory keys.
-                          https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
-                        items:
-                          description: |-
-                            SecretObjectReference identifies an API object including its namespace,
-                            defaulting to Secret.
-
-                            The API object must be valid in the cluster; the Group and Kind must
-                            be registered in the cluster for this reference to be valid.
-
-                            References to objects with invalid Group and Kind are not valid, and must
-                            be rejected by the implementation, with appropriate Conditions set
-                            on the containing object.
-                          properties:
-                            group:
-                              default: ""
-                              description: |-
-                                Group is the group of the referent. For example, "gateway.networking.k8s.io".
-                                When unspecified or empty string, core API group is inferred.
-                              maxLength: 253
-                              pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                              type: string
-                            kind:
-                              default: Secret
-                              description: Kind is kind of the referent. For example
-                                "Secret".
-                              maxLength: 63
-                              minLength: 1
-                              pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                              type: string
-                            name:
-                              description: Name is the name of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace is the namespace of the referenced object. When unspecified, the local
-                                namespace is inferred.
-
-                                Note that when a namespace different than the local namespace is specified,
-                                a ReferenceGrant object is required in the referent namespace to allow that
-                                namespace's owner to accept the reference. See the ReferenceGrant
-                                documentation for details.
-
-                                Support: Core
-                              maxLength: 63
-                              minLength: 1
-                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                              type: string
-                          required:
-                          - name
-                          type: object
-                        maxItems: 16
-                        type: array
-                    type: object
-                    x-kubernetes-validations:
-                    - message: sessionTicketKeysRef can only be set when enabled is
-                        true
-                      rule: (self.enabled == false && self.sessionTicketKeysRef.size()
-                        > 0)
                 type: object
                 x-kubernetes-validations:
                 - message: setting ciphers has no effect if the minimum possible TLS