sigs.k8s.io/gateway-api@v1.0.0/geps/gep-91.md

# GEP-91: Client Certificate Validation for TLS terminating at the Gateway Listener

* Issue: [#91](https://github.com/kubernetes-sigs/gateway-api/issues/91)
* Status: Provisional

(See definitions in [GEP Status](/contributing/gep#status).)
     7  
## TLDR

This GEP proposes a way to validate the TLS certificate that a downstream client presents to the server
(here the Gateway Listener) during the [TLS Handshake Protocol][]. Requiring and verifying a client certificate in this way is commonly referred to as mutual TLS (mTLS).
    12  
## Goals
- Define an API field in the Gateway Listener configuration for specifying a CA certificate to be used as a trust anchor when validating the certificates presented by clients.
    15  
## Non-Goals
- Define other fields that could be used to verify the client certificate, such as a certificate hash or the Subject Alternative Name.
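The check this GEP is asking the Listener to perform is ordinary RFC 5280 path validation of the presented client certificate against the configured CA, with the client-authentication extended key usage required. The following Go program is an added illustration, not code from this GEP or from the Gateway API project: it builds throwaway fixtures in memory (a "gateway" CA, an unrelated CA, and three client certificates) and runs the same `crypto/x509` validation that Go's TLS server performs for `RequireAndVerifyClientCert`. The helper names (`mkCert`, `BuildScenario`, `VerifyClientCert`) and the common names used in the certificates are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert generates a P-256 key and a certificate from tmpl. With parent == nil the
// certificate is self-signed (used for the CAs); otherwise it is issued by parent.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(cn string, serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
}

// VerifyClientCert is the server-side check a Listener configured with a CA trust
// anchor performs: build and validate a path from the presented certificate to the
// configured CA (RFC 5280 section 6) and require the clientAuth extended key usage.
// It does not match Subject Alternative Names or pin a certificate hash.
func VerifyClientCert(presented *x509.Certificate, trustAnchors *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     trustAnchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario holds constructed fixtures (assumed names, generated in memory).
type Scenario struct {
	TrustAnchors *x509.CertPool    // what the Listener would be configured with
	Trusted      *x509.Certificate // issued by the configured CA, clientAuth EKU
	Untrusted    *x509.Certificate // issued by a CA the Listener does not trust
	WrongUsage   *x509.Certificate // issued by the configured CA, but serverAuth only
}

func BuildScenario() Scenario {
	gwCA, gwKey := mkCert(caTemplate("gateway-client-ca", 1), nil, nil)
	otherCA, otherKey := mkCert(caTemplate("some-other-ca", 2), nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(gwCA)
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	trusted, _ := mkCert(leafTemplate("client-a", 10, clientAuth), gwCA, gwKey)
	untrusted, _ := mkCert(leafTemplate("client-b", 11, clientAuth), otherCA, otherKey)
	wrongUsage, _ := mkCert(leafTemplate("client-c", 12, serverAuth), gwCA, gwKey)
	return Scenario{TrustAnchors: pool, Trusted: trusted, Untrusted: untrusted, WrongUsage: wrongUsage}
}

func main() {
	s := BuildScenario()
	fmt.Println("trusted:    ", VerifyClientCert(s.Trusted, s.TrustAnchors))
	fmt.Println("untrusted:  ", VerifyClientCert(s.Untrusted, s.TrustAnchors))
	fmt.Println("wrong usage:", VerifyClientCert(s.WrongUsage, s.TrustAnchors))
}
```

The first certificate validates, the second fails with an unknown-authority error, and the third fails on incompatible key usage even though the trusted CA issued it. Note what the check does not do: any certificate the configured CA has issued with the clientAuth usage is accepted, regardless of its subject or SANs, so the CA referenced from the Listener should be one dedicated to the clients that are meant to reach it; per-identity checks are exactly the fields this GEP lists as out of scope.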
    18  
## References

[TLS Handshake Protocol]: https://www.rfc-editor.org/rfc/rfc5246#section-7.4
[Certificate Path Validation]: https://www.rfc-editor.org/rfc/rfc5280#section-6