Support for Gateway FrontendTLS

internal/controller/nginx/config/http/config.go

@@ -123,8 +123,11 @@ type Return struct {
 type SSL struct {
 	Protocols           string
 	Ciphers             string
+	ClientCertificate   string
+	VerifyClient        string
 	Certificates        []string
 	CertificateKeys     []string
+	RequireVerifiedCert bool
 	PreferServerCiphers bool
 }
 

internal/controller/nginx/config/servers.go

@@ -222,18 +222,32 @@ func buildHTTPSSL(ssl *dataplane.SSL) *http.SSL {
 	certs := make([]string, 0, len(ssl.KeyPairIDs))
 	keys := make([]string, 0, len(ssl.KeyPairIDs))
 
+	var sslCertificateID string
+	var sslVerifyClient string
+
 	for _, id := range ssl.KeyPairIDs {
 		pemFile := generatePEMFileName(id)
 		certs = append(certs, pemFile)
 		keys = append(keys, pemFile)
 	}
 
+	if ssl.ClientCertBundleID != "" {
+		sslCertificateID = generateCertBundleFileName(ssl.ClientCertBundleID)
+	}
+
+	if ssl.VerifyClient != "" {
+		sslVerifyClient = ssl.VerifyClient
+	}
+
 	return &http.SSL{
 		Certificates:        certs,
 		CertificateKeys:     keys,
 		Protocols:           ssl.Protocols,
 		Ciphers:             ssl.Ciphers,
 		PreferServerCiphers: ssl.PreferServerCiphers,
+		ClientCertificate:   sslCertificateID,
+		VerifyClient:        sslVerifyClient,
+		RequireVerifiedCert: ssl.RequireVerifiedCert,
 	}
 }
 

internal/controller/nginx/config/servers_template.go

@@ -87,6 +87,18 @@ server {
           {{- if $s.SSL.PreferServerCiphers }}
     ssl_prefer_server_ciphers on;
           {{- end }}
+          {{- if $s.SSL.ClientCertificate }}
+    ssl_client_certificate {{ $s.SSL.ClientCertificate }};
+          {{- end }}
+          {{- if $s.SSL.VerifyClient }}
+    ssl_verify_client {{ $s.SSL.VerifyClient }};
+          {{- end }}
+          {{- if $s.SSL.RequireVerifiedCert }}
+    error_page 495 496 = @frontend_tls_verify_failed;
+    if ($ssl_client_verify != SUCCESS) {
+        return 444;
+    }
+          {{- end }}
 
           {{- if $s.MisdirectedRequestVars }}
     if ({{ $s.MisdirectedRequestVars.SNIVar }} != {{ $s.MisdirectedRequestVars.HostVar }}) {
@@ -244,6 +256,12 @@ server {
     }
         {{- end }}
 
+        {{- if and $s.SSL $s.SSL.RequireVerifiedCert }}
+    location @frontend_tls_verify_failed {
+        return 444;
+    }
+        {{- end }}
+
         {{- if $s.GRPC }}
         include /etc/nginx/grpc-error-locations.conf;
         {{- end }}

internal/controller/nginx/config/servers_test.go

@@ -6783,3 +6783,52 @@ func TestExistingExactPathSet(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildHTTPSSLFrontendTLS(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name                      string
+		ssl                       *dataplane.SSL
+		expectedClientCertificate string
+		expectedVerifyClient      string
+		expectedRequireVerified   bool
+	}{
+		{
+			name: "frontend TLS disabled by default",
+			ssl: &dataplane.SSL{
+				KeyPairIDs: []dataplane.SSLKeyPairID{"test-keypair"},
+			},
+			expectedClientCertificate: "",
+			expectedVerifyClient:      "",
+			expectedRequireVerified:   false,
+		},
+		{
+			name: "frontend TLS client certificate verification enabled",
+			ssl: &dataplane.SSL{
+				KeyPairIDs:          []dataplane.SSLKeyPairID{"test-keypair"},
+				ClientCertBundleID:  dataplane.CertBundleID("test-ca-bundle"),
+				VerifyClient:        "optional_no_ca",
+				RequireVerifiedCert: true,
+			},
+			expectedClientCertificate: generateCertBundleFileName(dataplane.CertBundleID("test-ca-bundle")),
+			expectedVerifyClient:      "optional_no_ca",
+			expectedRequireVerified:   true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+
+			result := buildHTTPSSL(test.ssl)
+
+			g.Expect(result.ClientCertificate).To(Equal(test.expectedClientCertificate))
+			g.Expect(result.VerifyClient).To(Equal(test.expectedVerifyClient))
+			g.Expect(result.RequireVerifiedCert).To(Equal(test.expectedRequireVerified))
+			g.Expect(result.Certificates).To(Equal([]string{generatePEMFileName(dataplane.SSLKeyPairID("test-keypair"))}))
+			g.Expect(result.CertificateKeys).To(Equal([]string{generatePEMFileName(dataplane.SSLKeyPairID("test-keypair"))}))
+		})
+	}
+}

internal/controller/state/conditions/conditions.go

@@ -571,10 +571,14 @@ func NewRouteResolvedRefsInvalidFilter(msg string) Condition {
 // the NoConflicts condition is excluded to avoid conflicting condition states.
 func NewDefaultListenerConditions(existingConditions []Condition) []Condition {
 	defaultConds := []Condition{
-		NewListenerAccepted(),
 		NewListenerProgrammed(),
 	}
 
+	// Only add Accepted=true if there are no existing Accepted=false conditions.
+	if !hasNotAcceptedListener(existingConditions) {
+		defaultConds = append(defaultConds, NewListenerAccepted())
+	}
+
 	// Only add ResolvedRefs=true if there are no existing ResolvedRefs conditions
 	if !hasResolvedRefsConditions(existingConditions) {
 		defaultConds = append(defaultConds, NewListenerResolvedRefs())
@@ -588,10 +592,20 @@ func NewDefaultListenerConditions(existingConditions []Condition) []Condition {
 	return defaultConds
 }
 
-// hasResolvedRefsConditions checks if there are any existing ResolvedRefs conditions.
+// hasNotAcceptedListener checks if the Listener has an Accepted=False condition.
+func hasNotAcceptedListener(conditions []Condition) bool {
+	for _, cond := range conditions {
+		if cond.Type == string(v1.ListenerConditionAccepted) && cond.Status == metav1.ConditionFalse {
+			return true
+		}
+	}
+	return false
+}
+
+// hasResolvedRefsConditions checks if the Listener has any ResolvedRefs=False conditions.
 func hasResolvedRefsConditions(conditions []Condition) bool {
 	for _, cond := range conditions {
-		if cond.Type == string(v1.ListenerConditionResolvedRefs) {
+		if cond.Type == string(v1.ListenerConditionResolvedRefs) && cond.Status == metav1.ConditionFalse {
 			return true
 		}
 	}
@@ -1005,6 +1019,54 @@ func NewGatewayNotProgrammedInvalid(msg string) Condition {
 	}
 }
 
+// NewGatewayInsecureFrontendValidationMode returns a Condition that indicates
+// the Gateway is accepted, but is using an insecure frontend validation mode.
+func NewGatewayInsecureFrontendValidationMode(msg string) Condition {
+	return Condition{
+		Type:    string(v1.GatewayConditionInsecureFrontendValidationMode),
+		Status:  metav1.ConditionTrue,
+		Reason:  string(v1.GatewayReasonConfigurationChanged),
+		Message: msg,
+	}
+}
+
+// NewListenerInvalidCaCertificateRef returns a Condition indicating
+// that a CA CertificateRef for a Listener is invalid.
+func NewListenerInvalidCaCertificateRef(msg string) Condition {
+	return Condition{
+		Type:    string(v1.ListenerConditionResolvedRefs),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(v1.ListenerReasonInvalidCACertificateRef),
+		Message: msg,
+	}
+}
+
+// NewListenerInvalidCaCertificateKind returns a Condition indicating
+// that a CA CertificateRef Kind for a Listener is invalid.
+func NewListenerInvalidCaCertificateKind(msg string) Condition {
+	return Condition{
+		Type:    string(v1.ListenerConditionResolvedRefs),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(v1.ListenerReasonInvalidCACertificateKind),
+		Message: msg,
+	}
+}
+
+// NewListenerInvalidNoValidCACertificate returns Conditions indicating
+// that all CA Certificates for a Listener are invalid.
+// It marks the listener as not Accepted and not Programmed.
+func NewListenerInvalidNoValidCACertificate(msg string) []Condition {
+	return []Condition{
+		{
+			Type:    string(v1.ListenerConditionAccepted),
+			Status:  metav1.ConditionFalse,
+			Reason:  string(v1.ListenerReasonNoValidCACertificate),
+			Message: msg,
+		},
+		NewListenerNotProgrammedInvalid(msg),
+	}
+}
+
 // NewNginxGatewayValid returns a Condition that indicates that the NginxGateway config is valid.
 func NewNginxGatewayValid() Condition {
 	return Condition{

internal/controller/state/conditions/conditions_test.go

@@ -153,26 +153,74 @@ func TestNewDefaultListenerConditions(t *testing.T) {
 	tests := []struct {
 		name               string
 		existingConditions []Condition
+		expectAccepted     bool
 		expectResolvedRefs bool
+		expectNoConflicts  bool
 	}{
 		{
-			name:               "no existing conditions includes ResolvedRefs",
+			name:               "no existing conditions includes all defaults",
 			existingConditions: nil,
+			expectAccepted:     true,
 			expectResolvedRefs: true,
+			expectNoConflicts:  true,
 		},
 		{
-			name: "existing ResolvedRefs condition (InvalidCertificateRef) is preserved",
+			name: "existing ResolvedRefs=False (InvalidCertificateRef) suppresses default ResolvedRefs",
 			existingConditions: []Condition{
 				NewListenerUnresolvedCertificateRef("some cert ref error", string(v1.ListenerReasonInvalidCertificateRef)),
 			},
+			expectAccepted:     true,
 			expectResolvedRefs: false,
+			expectNoConflicts:  true,
 		},
 		{
-			name: "existing ResolvedRefs condition (RefNotPermitted) is preserved",
+			name: "existing ResolvedRefs=False (RefNotPermitted) suppresses default ResolvedRefs",
 			existingConditions: []Condition{
 				NewListenerUnresolvedCertificateRef("some ref not permitted error", string(v1.ListenerReasonRefNotPermitted)),
 			},
+			expectAccepted:     true,
 			expectResolvedRefs: false,
+			expectNoConflicts:  true,
+		},
+		{
+			name:               "existing Accepted=False suppresses default Accepted",
+			existingConditions: NewListenerInvalidNoValidCACertificate("no valid CA certificate"),
+			expectAccepted:     false,
+			expectResolvedRefs: true,
+			expectNoConflicts:  true,
+		},
+		{
+			name: "existing Conflicted condition suppresses default NoConflicts",
+			existingConditions: []Condition{
+				{
+					Type:   string(v1.ListenerConditionConflicted),
+					Status: metav1.ConditionTrue,
+					Reason: "SomeConflict",
+				},
+			},
+			expectAccepted:     true,
+			expectResolvedRefs: true,
+			expectNoConflicts:  false,
+		},
+		{
+			name: "existing OverlappingTLSConfig condition suppresses default NoConflicts",
+			existingConditions: []Condition{
+				NewListenerOverlappingTLSConfig(v1.ListenerReasonHostnameConflict, "overlapping TLS"),
+			},
+			expectAccepted:     true,
+			expectResolvedRefs: true,
+			expectNoConflicts:  false,
+		},
+		{
+			name: "multiple existing failure conditions suppress corresponding defaults",
+			existingConditions: append(
+				NewListenerInvalidNoValidCACertificate("no valid CA certificate"),
+				NewListenerInvalidCaCertificateRef("invalid CA cert ref"),
+				NewListenerOverlappingTLSConfig(v1.ListenerReasonHostnameConflict, "overlapping TLS"),
+			),
+			expectAccepted:     false,
+			expectResolvedRefs: false,
+			expectNoConflicts:  false,
 		},
 	}
 
@@ -183,13 +231,62 @@ func TestNewDefaultListenerConditions(t *testing.T) {
 
 			result := NewDefaultListenerConditions(test.existingConditions)
 
+			hasAccepted := false
 			hasResolvedRefs := false
+			hasNoConflicts := false
 			for _, c := range result {
-				if c.Type == string(v1.ListenerConditionResolvedRefs) {
+				switch c.Type {
+				case string(v1.ListenerConditionAccepted):
+					hasAccepted = true
+				case string(v1.ListenerConditionResolvedRefs):
 					hasResolvedRefs = true
+				case string(v1.ListenerConditionConflicted):
+					hasNoConflicts = true
 				}
 			}
+			g.Expect(hasAccepted).To(Equal(test.expectAccepted))
 			g.Expect(hasResolvedRefs).To(Equal(test.expectResolvedRefs))
+			g.Expect(hasNoConflicts).To(Equal(test.expectNoConflicts))
 		})
 	}
 }
+
+func TestNewListenerCACertificateConditions(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NewListenerInvalidCaCertificateRef", func(t *testing.T) {
+		t.Parallel()
+		g := NewWithT(t)
+
+		cond := NewListenerInvalidCaCertificateRef("invalid CA cert ref")
+		g.Expect(cond.Type).To(Equal(string(v1.ListenerConditionResolvedRefs)))
+		g.Expect(cond.Status).To(Equal(metav1.ConditionFalse))
+		g.Expect(cond.Reason).To(Equal(string(v1.ListenerReasonInvalidCACertificateRef)))
+		g.Expect(cond.Message).To(Equal("invalid CA cert ref"))
+	})
+
+	t.Run("NewListenerInvalidCaCertificateKind", func(t *testing.T) {
+		t.Parallel()
+		g := NewWithT(t)
+
+		cond := NewListenerInvalidCaCertificateKind("invalid CA cert kind")
+		g.Expect(cond.Type).To(Equal(string(v1.ListenerConditionResolvedRefs)))
+		g.Expect(cond.Status).To(Equal(metav1.ConditionFalse))
+		g.Expect(cond.Reason).To(Equal(string(v1.ListenerReasonInvalidCACertificateKind)))
+		g.Expect(cond.Message).To(Equal("invalid CA cert kind"))
+	})
+
+	t.Run("NewListenerInvalidNoValidCACertificate", func(t *testing.T) {
+		t.Parallel()
+		g := NewWithT(t)
+
+		conds := NewListenerInvalidNoValidCACertificate("all CA certs invalid")
+		g.Expect(conds).To(HaveLen(2))
+		g.Expect(conds[0].Type).To(Equal(string(v1.ListenerConditionAccepted)))
+		g.Expect(conds[0].Status).To(Equal(metav1.ConditionFalse))
+		g.Expect(conds[0].Reason).To(Equal(string(v1.ListenerReasonNoValidCACertificate)))
+		g.Expect(conds[0].Message).To(Equal("all CA certs invalid"))
+		g.Expect(conds[1].Type).To(Equal(string(v1.ListenerConditionProgrammed)))
+		g.Expect(conds[1].Status).To(Equal(metav1.ConditionFalse))
+	})
+}