Package io.fabric8.kubernetes.api.model.gatewayapi.v1

Class BackendTLSPolicyValidation

java.lang.Object

io.fabric8.kubernetes.api.model.gatewayapi.v1.BackendTLSPolicyValidation

All Implemented Interfaces:

io.fabric8.kubernetes.api.builder.Editable<BackendTLSPolicyValidationBuilder>, io.fabric8.kubernetes.api.model.KubernetesResource, Serializable

@Generated("io.fabric8.kubernetes.schema.generator.model.ModelGenerator")
public class BackendTLSPolicyValidation
extends Object
implements io.fabric8.kubernetes.api.builder.Editable<BackendTLSPolicyValidationBuilder>, io.fabric8.kubernetes.api.model.KubernetesResource

BackendTLSPolicyValidation contains backend TLS validation configuration.

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor	Description
BackendTLSPolicyValidation()	No args constructor for use in serialization
BackendTLSPolicyValidation(List<LocalObjectReference> caCertificateRefs, String hostname, List<SubjectAltName> subjectAltNames, String wellKnownCACertificates)

Method Summary

Modifier and Type	Method	Description
BackendTLSPolicyValidationBuilder	edit()
Map<String,Object>	getAdditionalProperties()
List<LocalObjectReference>	getCaCertificateRefs()	CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.
String	getHostname()	Hostname is used for two purposes in the connection between Gateways and backends:
List<SubjectAltName>	getSubjectAltNames()	SubjectAltNames contains one or more Subject Alternative Names.
String	getWellKnownCACertificates()	WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.
void	setAdditionalProperties(Map<String,Object> additionalProperties)
void	setAdditionalProperty(String name, Object value)
void	setCaCertificateRefs(List<LocalObjectReference> caCertificateRefs)	CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.
void	setHostname(String hostname)	Hostname is used for two purposes in the connection between Gateways and backends:
void	setSubjectAltNames(List<SubjectAltName> subjectAltNames)	SubjectAltNames contains one or more Subject Alternative Names.
void	setWellKnownCACertificates(String wellKnownCACertificates)	WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.
BackendTLSPolicyValidationBuilder	toBuilder()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

BackendTLSPolicyValidation

public BackendTLSPolicyValidation()

No args constructor for use in serialization

BackendTLSPolicyValidation

public BackendTLSPolicyValidation(List<LocalObjectReference> caCertificateRefs,
                                  String hostname,
                                  List<SubjectAltName> subjectAltNames,
                                  String wellKnownCACertificates)

Method Detail

getCaCertificateRefs

public List<LocalObjectReference> getCaCertificateRefs()

CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.

If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertificateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation.

A CACertificateRef is invalid if:

* It refers to a resource that cannot be resolved (e.g., the referenced resource

does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key

named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`

and the Message of the Condition must indicate which reference is invalid and why.

* It refers to an unknown or unsupported kind of resource. In this case, the Reason

must be set to `InvalidKind` and the Message of the Condition must explain which

kind of resource is unknown or unsupported.

* It refers to a resource in another namespace. This may change in future

spec updates.

Implementations MAY choose to perform further validation of the certificate content (e.g., checking expiry or enforcing specific formats). In such cases, an implementation-specific Reason and Message must be set for the invalid reference.

In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason and Message that indicate the cause of the error. Connections using an invalid CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error response. If ALL CACertificateRefs are invalid, the implementation MUST also ensure the `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `NoValidCACertificate`.

A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.

Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`.

Support: Implementation-specific - More than one reference, other kinds of resources, or a single reference that includes multiple certificates.

setCaCertificateRefs

public void setCaCertificateRefs(List<LocalObjectReference> caCertificateRefs)

CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.

If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertificateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation.

A CACertificateRef is invalid if:

* It refers to a resource that cannot be resolved (e.g., the referenced resource

does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key

named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`

and the Message of the Condition must indicate which reference is invalid and why.

* It refers to an unknown or unsupported kind of resource. In this case, the Reason

must be set to `InvalidKind` and the Message of the Condition must explain which

kind of resource is unknown or unsupported.

* It refers to a resource in another namespace. This may change in future

spec updates.

Implementations MAY choose to perform further validation of the certificate content (e.g., checking expiry or enforcing specific formats). In such cases, an implementation-specific Reason and Message must be set for the invalid reference.

In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason and Message that indicate the cause of the error. Connections using an invalid CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error response. If ALL CACertificateRefs are invalid, the implementation MUST also ensure the `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `NoValidCACertificate`.

A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.

Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`.

Support: Implementation-specific - More than one reference, other kinds of resources, or a single reference that includes multiple certificates.

getHostname

public String getHostname()

Hostname is used for two purposes in the connection between Gateways and backends:

1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). 2. Hostname MUST be used for authentication and MUST match the certificate

served by the matching backend, unless SubjectAltNames is specified.

3. If SubjectAltNames are specified, Hostname can be used for certificate selection

but MUST NOT be used for authentication. If you want to use the value

of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.

Support: Core

setHostname

public void setHostname(String hostname)

Hostname is used for two purposes in the connection between Gateways and backends:

1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). 2. Hostname MUST be used for authentication and MUST match the certificate

served by the matching backend, unless SubjectAltNames is specified.

3. If SubjectAltNames are specified, Hostname can be used for certificate selection

but MUST NOT be used for authentication. If you want to use the value

of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.

Support: Core

getSubjectAltNames

public List<SubjectAltName> getSubjectAltNames()

SubjectAltNames contains one or more Subject Alternative Names. When specified the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames.

Support: Extended

setSubjectAltNames

public void setSubjectAltNames(List<SubjectAltName> subjectAltNames)

SubjectAltNames contains one or more Subject Alternative Names. When specified the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames.

Support: Extended

getWellKnownCACertificates

public String getWellKnownCACertificates()

WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.

If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field, or the supplied value is not recognized, the implementation MUST ensure the `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`.

Support: Implementation-specific

setWellKnownCACertificates

public void setWellKnownCACertificates(String wellKnownCACertificates)

WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.

If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field, or the supplied value is not recognized, the implementation MUST ensure the `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`.

Support: Implementation-specific

edit

public BackendTLSPolicyValidationBuilder edit()

Specified by:

edit in interface io.fabric8.kubernetes.api.builder.Editable<BackendTLSPolicyValidationBuilder>

toBuilder

public BackendTLSPolicyValidationBuilder toBuilder()

getAdditionalProperties

public Map<String,Object> getAdditionalProperties()

setAdditionalProperty

public void setAdditionalProperty(String name,
                                  Object value)

setAdditionalProperties

public void setAdditionalProperties(Map<String,Object> additionalProperties)