Remove check for whether TLS mode is nil and add certificateRefs vali…

…dation to v1alpha2 Signed-off-by: Huang Xin <[email protected]>
kubernetes-sigs · Oct 18, 2022 · f705a8d · f705a8d
1 parent 66a3cc4
commit f705a8d
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 4 deletions.
diff --git a/apis/v1alpha2/validation/gateway.go b/apis/v1alpha2/validation/gateway.go
@@ -62,6 +62,7 @@ func validateGatewayListeners(listeners []gatewayv1a2.Listener, path *field.Path
 	var errs field.ErrorList
 	errs = append(errs, validateListenerTLSConfig(listeners, path)...)
 	errs = append(errs, validateListenerHostname(listeners, path)...)
+	errs = append(errs, validateTLSCertificateRefs(listeners, path)...)
 	return errs
 }
 
@@ -91,3 +92,18 @@ func validateListenerHostname(listeners []gatewayv1a2.Listener, path *field.Path
 	}
 	return errs
 }
+
+// validateTLSCertificateRefs validates the certificateRefs
+// must be set when tls config is set and TLSModeType is
+// terminate
+func validateTLSCertificateRefs(listeners []gatewayv1a2.Listener, path *field.Path) field.ErrorList {
+	var errs field.ErrorList
+	for i, c := range listeners {
+		if c.Protocol == gatewayv1a2.HTTPSProtocolType && c.TLS != nil {
+			if *c.TLS.Mode == gatewayv1a2.TLSModeTerminate && c.TLS.CertificateRefs == nil {
+				errs = append(errs, field.Forbidden(path.Index(i).Child("tls").Child("certificateRefs"), fmt.Sprintln("should be set and not empty when TLSModeType is Terminate")))
+			}
+		}
+	}
+	return errs
+}
diff --git a/apis/v1alpha2/validation/gateway_test.go b/apis/v1alpha2/validation/gateway_test.go
@@ -82,6 +82,17 @@ func TestValidateGateway(t *testing.T) {
 			},
 			expectErrsOnFields: []string{"spec.listeners[0].hostname"},
 		},
+		"certificatedRefs not set with TLS terminate mode": {
+			mutate: func(gw *gatewayv1a2.Gateway) {
+				hostname := gatewayv1a2.Hostname("foo.bar.com")
+				tlsMode := gatewayv1a2.TLSModeType("Terminate")
+				gw.Spec.Listeners[0].Protocol = gatewayv1a2.HTTPSProtocolType
+				gw.Spec.Listeners[0].Hostname = &hostname
+				gw.Spec.Listeners[0].TLS = &tlsConfig
+				gw.Spec.Listeners[0].TLS.Mode = &tlsMode
+			},
+			expectErrsOnFields: []string{"spec.listeners[0].tls.certificateRefs"},
+		},
 	}
 
 	for name, tc := range testCases {

diff --git a/apis/v1beta1/validation/gateway.go b/apis/v1beta1/validation/gateway.go
@@ -98,10 +98,10 @@ func validateListenerHostname(listeners []gatewayv1b1.Listener, path *field.Path
 // terminate
 func validateTLSCertificateRefs(listeners []gatewayv1b1.Listener, path *field.Path) field.ErrorList {
 	var errs field.ErrorList
-	for i, h := range listeners {
-		if h.TLS != nil {
-			if h.TLS.Mode != nil && *h.TLS.Mode == "Terminate" && h.TLS.CertificateRefs == nil {
-				errs = append(errs, field.Forbidden(path.Index(i).Child("tls").Child("certificateRefs"), fmt.Sprintln("should be set when TLSModeType is Terminate")))
+	for i, c := range listeners {
+		if c.Protocol == gatewayv1b1.HTTPSProtocolType && c.TLS != nil {
+			if *c.TLS.Mode == gatewayv1b1.TLSModeTerminate && c.TLS.CertificateRefs == nil {
+				errs = append(errs, field.Forbidden(path.Index(i).Child("tls").Child("certificateRefs"), fmt.Sprintln("should be set and not empty when TLSModeType is Terminate")))
 			}
 		}
 	}

diff --git a/apis/v1beta1/validation/gateway_test.go b/apis/v1beta1/validation/gateway_test.go
@@ -86,6 +86,7 @@ func TestValidateGateway(t *testing.T) {
 			mutate: func(gw *gatewayv1b1.Gateway) {
 				hostname := gatewayv1b1.Hostname("foo.bar.com")
 				tlsMode := gatewayv1b1.TLSModeType("Terminate")
+				gw.Spec.Listeners[0].Protocol = gatewayv1b1.HTTPSProtocolType
 				gw.Spec.Listeners[0].Hostname = &hostname
 				gw.Spec.Listeners[0].TLS = &tlsConfig
 				gw.Spec.Listeners[0].TLS.Mode = &tlsMode