kubernetes-sigs · k8s-ci-robot · Oct 19, 2022 · Oct 17, 2022 · Oct 18, 2022 · Oct 18, 2022
diff --git a/apis/v1alpha2/validation/gateway.go b/apis/v1alpha2/validation/gateway.go
@@ -22,6 +22,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	gatewayv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gatewayvalidationv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1/validation"
 )
 
 var (
@@ -36,6 +37,11 @@ var (
 		gatewayv1a2.UDPProtocolType:  {},
 		gatewayv1a2.TCPProtocolType:  {},
 	}
+
+	// ValidateTLSCertificateRefs validates the certificateRefs
+	// must be set and not empty when tls config is set and
+	// TLSModeType is terminate
+	validateTLSCertificateRefs = gatewayvalidationv1b1.ValidateTLSCertificateRefs
 )
 
 // ValidateGateway validates gw according to the Gateway API specification.
@@ -62,6 +68,7 @@ func validateGatewayListeners(listeners []gatewayv1a2.Listener, path *field.Path
 	var errs field.ErrorList
 	errs = append(errs, validateListenerTLSConfig(listeners, path)...)
 	errs = append(errs, validateListenerHostname(listeners, path)...)
+	errs = append(errs, validateTLSCertificateRefs(listeners, path)...)
 	return errs
 }
 

diff --git a/apis/v1beta1/validation/gateway.go b/apis/v1beta1/validation/gateway.go
@@ -62,6 +62,7 @@ func validateGatewayListeners(listeners []gatewayv1b1.Listener, path *field.Path
 	var errs field.ErrorList
 	errs = append(errs, validateListenerTLSConfig(listeners, path)...)
 	errs = append(errs, validateListenerHostname(listeners, path)...)
+	errs = append(errs, ValidateTLSCertificateRefs(listeners, path)...)
 	return errs
 }
 
@@ -91,3 +92,18 @@ func validateListenerHostname(listeners []gatewayv1b1.Listener, path *field.Path
 	}
 	return errs
 }
+
+// ValidateTLSCertificateRefs validates the certificateRefs
+// must be set and not empty when tls config is set and
+// TLSModeType is terminate
+func ValidateTLSCertificateRefs(listeners []gatewayv1b1.Listener, path *field.Path) field.ErrorList {
+	var errs field.ErrorList
+	for i, c := range listeners {
+		if c.Protocol == gatewayv1b1.HTTPSProtocolType && c.TLS != nil {
+			if *c.TLS.Mode == gatewayv1b1.TLSModeTerminate && len(c.TLS.CertificateRefs) == 0 {
+				errs = append(errs, field.Forbidden(path.Index(i).Child("tls").Child("certificateRefs"), fmt.Sprintln("should be set and not empty when TLSModeType is Terminate")))
+			}
+		}
+	}
+	return errs
+}
diff --git a/apis/v1beta1/validation/gateway_test.go b/apis/v1beta1/validation/gateway_test.go
@@ -82,6 +82,17 @@ func TestValidateGateway(t *testing.T) {
 			},
 			expectErrsOnFields: []string{"spec.listeners[0].hostname"},
 		},
+		"certificatedRefs not set with TLS terminate mode": {
+			mutate: func(gw *gatewayv1b1.Gateway) {
+				hostname := gatewayv1b1.Hostname("foo.bar.com")
+				tlsMode := gatewayv1b1.TLSModeType("Terminate")
+				gw.Spec.Listeners[0].Protocol = gatewayv1b1.HTTPSProtocolType
+				gw.Spec.Listeners[0].Hostname = &hostname
+				gw.Spec.Listeners[0].TLS = &tlsConfig
+				gw.Spec.Listeners[0].TLS.Mode = &tlsMode
+			},
+			expectErrsOnFields: []string{"spec.listeners[0].tls.certificateRefs"},
+		},
 	}
 
 	for name, tc := range testCases {