feat: support GWAPI frontend validation (#16739)

Signed-off-by: Sergei Nikolaev <kinolaev@gmail.com>
2025-09-01 23:50:26 +04:00 · 2025-09-01 23:50:26 +04:00 · 9baf3739f5
parent a8847f37a9
commit 9baf3739f5
2 changed files with 11 additions and 8 deletions
--- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md
@ -543,10 +543,7 @@ EOF
 {{< tab name="Gateway API" category-value="gateway-api" >}}
-Because the Kubernetes Gateway API does not currently support mutual TLS termination in a
+Add a reference to a ConfigMap or a Secret with `ca.crt` or `cacert` key that holds CA certificates.
 [Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway),
 we use an Istio-specific option, `gateway.istio.io/tls-terminate-mode: MUTUAL`,
 to configure it:
 {{< text bash >}}
 $ cat <<EOF | kubectl apply -f -
@ -566,8 +563,11 @@ spec:
      mode: Terminate
      certificateRefs:
      - name: httpbin-credential
-      options:
+      frontendValidation:
-        gateway.istio.io/tls-terminate-mode: MUTUAL
+        caCertificateRefs:
        - group: ""
          kind: Secret
          name: httpbin-credential
    allowedRoutes:
      namespaces:
        from: Selector
--- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
@ -441,8 +441,11 @@ spec:
      mode: Terminate
      certificateRefs:
      - name: httpbin-credential
-      options:
+      frontendValidation:
-        gateway.istio.io/tls-terminate-mode: MUTUAL
+        caCertificateRefs:
        - group: ""
          kind: Secret
          name: httpbin-credential
    allowedRoutes:
      namespaces:
        from: Selector