TLS_PASSTHROUGH document

aws · Jun 11, 2024 · 946a64f · 946a64f
1 parent d3fa856
commit 946a64f
Show file tree

Hide file tree

Showing 18 changed files with 1,422 additions and 81 deletions.
diff --git a/.github/workflows/publish-doc.yaml b/.github/workflows/publish-doc.yaml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - 'release-v*.*.*'
 jobs:
   publish-docs:
     runs-on: ubuntu-latest
@@ -24,10 +25,14 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install mkdocs-material mike
-      - name: Build
+      - name: Deploy to Mike
         run: |
-          mike deploy 1.0.5 latest --update-aliases --push
-          mike set-default latest --allow-empty --push
-          
-          
-
+          if [[ ${{ github.ref }} == refs/heads/main ]]; then 
+            # Deploy to the mike doc version `dev` and update the `latest` alias for the main branch new git commits
+            mike deploy dev latest --update-aliases --push
+          elif [[ ${{ github.ref }} == refs/heads/release-v* ]]; then
+            # Deploy to the mike doc version `vx.x.x` for the new git branches `release-vx.x.x`
+            branch_name=${{ github.ref }}
+            version=${branch_name##refs/heads/release-} 
+            mike deploy $version --push
+          fi
diff --git a/.gitignore b/.gitignore
@@ -16,7 +16,7 @@ go.work*
 
 # gomock generated prog.go
 pkg/aws/services/gomock_reflect_*
-
+mocks/controller-runtime/client/gomock_reflect_*
 pkg/**/prog.*
 
 # Image build tarballed bundles

diff --git a/docs/api-types/target-group-policy.md b/docs/api-types/target-group-policy.md
@@ -3,35 +3,39 @@
 ## Introduction
 
 By default, AWS Gateway API Controller assumes plaintext HTTP/1 traffic for backend Kubernetes resources.
-TargetGroupPolicy is a CRD that can be attached to a Service, which allows the users to define protocol and
-health check configurations of those backend resources.
+TargetGroupPolicy is a CRD that can be attached to Service or ServiceExport, which allows the users to define protocol, protocol version and
+health check configurations of those backend resources. 
 
 When attaching a policy to a resource, the following restrictions apply:
 
-- A policy can be only attached to `Service` resources.
-- The attached resource can only be `backendRef` of `HTTPRoute` and `GRPCRoute`.
+- A policy can be attached to `Service` that being `backendRef` of `HTTPRoute`, `GRPCRoute` and `TLSRoute`.
+- A policy can be attached to `ServiceExport`.
 - The attached resource should exist in the same namespace as the policy resource.
 
 The policy will not take effect if:
-
 - The resource does not exist
 - The resource is not referenced by any route
 - The resource is referenced by a route of unsupported type
+- The ProtocolVersion is non-empty if the TargetGroupPolicy protocol is TCP
+
+Please check the TargetGroupPolicy API Reference for more details. [TargetGroupPolicy API Reference](../api-reference.md#application-networking.k8s.aws/v1alpha1.TargetGroupPolicy)
+
 
 These restrictions are not forced; for example, users may create a policy that targets a service that is not created yet.
 However, the policy will not take effect unless the target is valid.
 
+
+
 ### Limitations and Considerations
 
-- Attaching TargetGroupPolicy to a resource that is already referenced by a route will result in a replacement
+- Attaching TargetGroupPolicy to a Service that is already referenced by a route  will result in a replacement
   of VPC Lattice TargetGroup resource, except for health check updates.
+- Attaching TargetGroupPolicy to a ServiceExport will result in a replacement of VPC Lattice TargetGroup resource, except for health check updates.
 - Removing TargetGroupPolicy of a resource will roll back protocol configuration to default setting. (HTTP1/HTTP plaintext)
 
 ## Example Configuration
 
-This will enable TLS traffic between the gateway and Kubernetes service, with customized health check configuration.
-
-Note that the TLS traffic is always terminated at the gateway, so it will be re-encrypted in this case. The gateway does not perform any certificate validations to the certificate on targets.
+This will enable HTTPS traffic between the gateway and Kubernetes service, with customized health check configuration.
 
 ```
 apiVersion: application-networking.k8s.aws/v1alpha1

diff --git a/docs/api-types/tls-route.md b/docs/api-types/tls-route.md
@@ -0,0 +1,62 @@
+# TLSRoute API Reference
+
+## Introduction
+
+With integration of the Gateway API, AWS Gateway API Controller supports `TLSRoute`.
+This allows you to define and manage end-to-end TLS encrypted traffic routing to your Kubernetes clusters.
+
+### TLSRoute Key Features & Limitations
+
+**Features**:
+
+- **Routing Traffic**: Enables routing end-to-end TLS encrypted traffic from your client workload to server workload.
+
+
+**Limitations**:
+
+- **Listener Protocol**: The `TLSRoute` sectionName must refer to an TLS protocol listener with mode: Passthrough in the parent `Gateway`.
+
+- `TLSRoute` only supports to have one rule.
+- `TLSRoute` don't support `matches` field in the rule.
+- The `hostnames` field with exactly one host name is required. This domain name is used as a vpc lattice's Service Name Indication (SNI) match.
+
+
+## Example Configuration
+
+Here is a sample configuration that demonstrates how to set up  a `TLSRoute` resource to route end-to-end TLS encrypted traffic to a nginx service:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: nginx-tls-route
+spec:
+  hostnames:
+    - nginx-test.my-test.com
+  parentRefs:
+    - name: my-hotel-tls-passthrough
+      sectionName: tls
+  rules:
+    - backendRefs:
+        - name: nginx-tls
+          kind: Service
+          port: 443
+```
+
+In this example:
+
+- The `TLSRoute` is named ` nginx-tls-route` and is associated with a parent gateway named `my-hotel-tls-passthrough` that has
+  a listener section named `tls`:
+```
+    - name: tls
+      protocol: TLS
+      port: 443
+      tls:
+        mode: Passthrough
+```
+- The `TLSRoute` is configured to route traffic to a k8s service named `nginx-tls` on port 443.
+- The `hostnames` field is set to `nginx-test.my-test.com`. The customer must use this domain name to send traffic to the nginx service.
+
+This `TLSRoute` documentation provides a detailed introduction, feature set, and a basic example of how to configure
+and use the resource within AWS Gateway API Controller project. For in-depth details and specifications, you can refer to the
+official [Gateway API documentation](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute).