feat: support to configure multiple certificates on GatewayTLSConfig

[tokers]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR uses CertificateRefs to instead CertificateRef so that multiple certificates can be configured for a Listener. With this feature, we can support things like following items:

• When hostname is empty on the Listener, and Routes attach multiple unique Hostnames
• Providing RSA and EC certs
• Temporarily including new and old certs during an upgrade

Which issue(s) this PR fixes:

Fixes #851

Does this PR introduce a user-facing change?:

Use `CertificateRefs` field to instead the `CertificateRef` in `GatewayTLSConfig`.

[k8s-ci-robot]

Welcome @tokers!

It looks like this is your first PR to kubernetes-sigs/gateway-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @tokers. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[howardjohn]

Can we define the behavior when there are multiple?

[robscott]

I think this one is likely sufficiently complex that we'll need a GEP first, I created #851 to track that, will try to get a GEP PR out later today. I can add some details on how multiple should be handled there.

[robscott]

Adding a hold until GEP is approved.

/hold

[tokers]

I think this one is likely sufficiently complex that we'll need a GEP first, I created #851 to track that, will try to get a GEP PR out later today. I can add some details on how multiple should be handled there.

Cool, look forward to it.

[robscott]

Update: I've opened #856 to introduce a GEP for this. Once that merges in, we can remove the hold here.

[robscott]

Are you still able to take this on @tokers? Would love to get this in in the next couple of days. If you're not able to, I'm happy to take this on.

[tokers]

Are you still able to take this on @tokers? Would love to get this in in the next couple of days. If you're not able to, I'm happy to take this on.

Yeah, I still focus on this.

[robscott]

Thanks for the work on this @tokers! This mostly LGTM, just had a few nits. I think the k8s automation will complain about merge commits in this PR - please rebase and squash your commits when you get a chance.

[robscott]

/ok-to-test

[robscott]

One more thing that's difficult to comment on in the diff - as part of this change you'll also need to update the TLS examples in the examples/v1alpha2 directory.

[tokers]

Thanks for the work on this @tokers! This mostly LGTM, just had a few nits. I think the k8s automation will complain about merge commits in this PR - please rebase and squash your commits when you get a chance.

OK, I rebased all the commits.

[robscott]

Thanks @tokers! I think you need to run make generate again, I can add a LGTM after that.

/approve

[robscott]

Nit: I think this should still be "is"

[tokers]

That's right, let me tweak it.

[tokers]

Changed.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott, tokers

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [robscott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tokers]

/test pull-gateway-api-verify

[hbagdi]

@tokers Can you run make generate to fix the CI error?

[tokers]

@tokers Can you run make generate to fix the CI error?

Sorry for the delay, I will fix the CI errors today.

[tokers]

@tokers Can you run make generate to fix the CI error?

Sorry for the delay, I will fix the CI errors today.

It seems that this is due to the version of go language (the go:build flags and +build flags), I ran make generate on my local for several times but no changes happened.

[tokers]

@tokers Can you run make generate to fix the CI error?

Sorry for the delay, I will fix the CI errors today.

It seems that this is due to the version of go language (the go:build flags and +build flags), I ran make generate on my local for several times but no changes happened.

What's the go version in the CI? Maybe I can try to switch to that one and re-execute the make generate directive.

[robscott]

Thanks!

/lgtm

[robscott]

Hold was waiting for GEP to be approved, which happened ~weeks ago.

/hold cancel