Description
Tracking epic for the various feature gaps in TLS functionality for kgateway.
Relevant areas of Gateway API
(implemented) gateway.listener[].tls - ListenerTLSConfig
- mode (Terminate/Passthrough)
- certificateRefs
- options
  - kgateway.dev/alpn-protocols
  - kgateway.dev/per-connection-buffer-limit
  - with feat: gateway tls extensions #12917
    - kgateway.dev/verify-subject-alt-names
    - kgateway.dev/cipher-suites
    - kgateway.dev/ecdh-curves
    - kgateway.dev/min-tls-version
    - kgateway.dev/max-tls-version
    - kgateway.dev/verify-subject-alt-names
  - with Support validating TLS certificates by hash values #12942 (maybe)
    - kgateway.dev/verify-certificate-hash?
(implemented - 1.4.0 version only) BackendTLSPolicy
- targetRefs
- validation - https://gateway-api.sigs.k8s.io/reference/1.4/spec/#backendtlspolicyvalidation
  - caCertificateRefs
  - wellKnownCACertificates
  - hostname
  - subjectAltNames
- options (none/field not currently processed)
(not implemented/experimental) gateway.tls - GatewayTLSConfig
- backend GatewayBackendTLS
  - clientCertificateRef
- frontend FrontendTLSConfig
  - default TLSConfig
    - validation FrontendTLSValidation
      - caCertificateRefs
      - mode - (AllowValidOnly, AllowInsecureFallback)
    - validation FrontendTLSValidation
  - perPort TLSPortConfig
    - port
    - tls TLSConfig
      - validation FrontendTLSValidation
        - caCertificateRefs
        - mode - (AllowValidOnly, AllowInsecureFallback)
  - default TLSConfig
Status
Done