API for Wasm code source TLS configuration

zhaohuabing · zhaohuabing · commit 259e0724f668 · 2024-10-21T07:43:53.000Z
Signed-off-by: Huabing Zhao &lt;zhaohuabing@gmail.com&gt;
diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
@@ -115,6 +115,11 @@ type HTTPWasmCodeSource struct {
 	// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
 	// +optional
 	SHA256 *string `json:"sha256"`
+
+	// TLS configuration when connecting to the Wasm code source.
+	// +optional
+	// +notImplementedHide
+	TLS *WasmCodeSourceTLSConfig `json:"tls,omitempty"`
 }
 
 // ImageWasmCodeSource defines the OCI image containing the Wasm code.
@@ -137,6 +142,11 @@ type ImageWasmCodeSource struct {
 	// +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'"
 	// +optional
 	PullSecretRef *gwapiv1.SecretObjectReference `json:"pullSecretRef,omitempty"`
+
+	// TLS configuration when connecting to the Wasm code source.
+	// +optional
+	// +notImplementedHide
+	TLS *WasmCodeSourceTLSConfig `json:"tls,omitempty"`
 }
 
 // ImagePullPolicy defines the policy to use when pulling an OIC image.
@@ -151,3 +161,14 @@ const (
 	// Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
 	ImagePullPolicyAlways ImagePullPolicy = "Always"
 )
+
+// WasmCodeSourceTLSConfig defines the TLS configuration when connecting to the Wasm code source.
+type WasmCodeSourceTLSConfig struct {
+	// CACertificateRef contains a references to
+	// Kubernetes objects that contain TLS certificates of
+	// the Certificate Authorities that can be used
+	// as a trust anchor to validate the certificates presented by the Wasm code source.
+	//
+	// Kubernetes ConfigMap and Kubernetes Secret are supported.
+	CACertificateRef gwapiv1.SecretObjectReference `json:"caCertificateRef"`
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1115,6 +1115,61 @@ spec:
                                 If not specified, Envoy Gateway will not verify the downloaded Wasm code.
                                 kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
                               type: string
+                            tls:
+                              description: TLS configuration when connecting to the
+                                Wasm code source.
+                              properties:
+                                caCertificateRef:
+                                  description: |-
+                                    CACertificateRef contains a references to
+                                    Kubernetes objects that contain TLS certificates of
+                                    the Certificate Authorities that can be used
+                                    as a trust anchor to validate the certificates presented by the Wasm code source.
+
+                                    Kubernetes ConfigMap and Kubernetes Secret are supported.
+                                  properties:
+                                    group:
+                                      default: ""
+                                      description: |-
+                                        Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                                        When unspecified or empty string, core API group is inferred.
+                                      maxLength: 253
+                                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    kind:
+                                      default: Secret
+                                      description: Kind is kind of the referent. For
+                                        example "Secret".
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                      type: string
+                                    name:
+                                      description: Name is the name of the referent.
+                                      maxLength: 253
+                                      minLength: 1
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        Namespace is the namespace of the referenced object. When unspecified, the local
+                                        namespace is inferred.
+
+                                        Note that when a namespace different than the local namespace is specified,
+                                        a ReferenceGrant object is required in the referent namespace to allow that
+                                        namespace's owner to accept the reference. See the ReferenceGrant
+                                        documentation for details.
+
+                                        Support: Core
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - caCertificateRef
+                              type: object
                             url:
                               description: URL is the URL containing the Wasm code.
                               pattern: ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*
@@ -1184,6 +1239,61 @@ spec:
                                 If not specified, Envoy Gateway will not verify the downloaded OCI image.
                                 kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
                               type: string
+                            tls:
+                              description: TLS configuration when connecting to the
+                                Wasm code source.
+                              properties:
+                                caCertificateRef:
+                                  description: |-
+                                    CACertificateRef contains a references to
+                                    Kubernetes objects that contain TLS certificates of
+                                    the Certificate Authorities that can be used
+                                    as a trust anchor to validate the certificates presented by the Wasm code source.
+
+                                    Kubernetes ConfigMap and Kubernetes Secret are supported.
+                                  properties:
+                                    group:
+                                      default: ""
+                                      description: |-
+                                        Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                                        When unspecified or empty string, core API group is inferred.
+                                      maxLength: 253
+                                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    kind:
+                                      default: Secret
+                                      description: Kind is kind of the referent. For
+                                        example "Secret".
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                      type: string
+                                    name:
+                                      description: Name is the name of the referent.
+                                      maxLength: 253
+                                      minLength: 1
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        Namespace is the namespace of the referenced object. When unspecified, the local
+                                        namespace is inferred.
+
+                                        Note that when a namespace different than the local namespace is specified,
+                                        a ReferenceGrant object is required in the referent namespace to allow that
+                                        namespace's owner to accept the reference. See the ReferenceGrant
+                                        documentation for details.
+
+                                        Support: Core
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - caCertificateRef
+                              type: object
                             url:
                               description: |-
                                 URL is the URL of the OCI image.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -4118,6 +4118,21 @@ _Appears in:_
 | `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ |  false  | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.<br />This field is only applicable when the SHA256 field is not set.<br /><br />If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.<br /><br />Note: EG does not update the Wasm module every time an Envoy proxy requests<br />the Wasm module even if the pull policy is set to Always.<br />It only updates the Wasm module when the EnvoyExtension resource version changes. |
 
 
+#### WasmCodeSourceTLSConfig
+
+
+
+WasmCodeSourceTLSConfig defines the TLS configuration when connecting to the Wasm code source.
+
+_Appears in:_
+- [HTTPWasmCodeSource](#httpwasmcodesource)
+- [ImageWasmCodeSource](#imagewasmcodesource)
+
+| Field | Type | Required | Description |
+| ---   | ---  | ---      | ---         |
+| `caCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  true  | CACertificateRef contains a references to<br />Kubernetes objects that contain TLS certificates of<br />the Certificate Authorities that can be used<br />as a trust anchor to validate the certificates presented by the Wasm code source.<br /><br />Kubernetes ConfigMap and Kubernetes Secret are supported. |
+
+
 #### WasmCodeSourceType
 
 _Underlying type:_ _string_
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
@@ -4118,6 +4118,21 @@ _Appears in:_
 | `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ |  false  | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.<br />This field is only applicable when the SHA256 field is not set.<br /><br />If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.<br /><br />Note: EG does not update the Wasm module every time an Envoy proxy requests<br />the Wasm module even if the pull policy is set to Always.<br />It only updates the Wasm module when the EnvoyExtension resource version changes. |
 
 
+#### WasmCodeSourceTLSConfig
+
+
+
+WasmCodeSourceTLSConfig defines the TLS configuration when connecting to the Wasm code source.
+
+_Appears in:_
+- [HTTPWasmCodeSource](#httpwasmcodesource)
+- [ImageWasmCodeSource](#imagewasmcodesource)
+
+| Field | Type | Required | Description |
+| ---   | ---  | ---      | ---         |
+| `caCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  true  | CACertificateRef contains a references to<br />Kubernetes objects that contain TLS certificates of<br />the Certificate Authorities that can be used<br />as a trust anchor to validate the certificates presented by the Wasm code source.<br /><br />Kubernetes ConfigMap and Kubernetes Secret are supported. |
+
+
 #### WasmCodeSourceType
 
 _Underlying type:_ _string_
