36 changes: 36 additions & 0 deletions kubernetes/customresourcedefinitions.gen.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

42 changes: 31 additions & 11 deletions networking/v1alpha3/gateway.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 14 additions & 0 deletions networking/v1alpha3/gateway.pb.html

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 10 additions & 0 deletions networking/v1alpha3/gateway.proto
@@ -193,6 +193,7 @@ syntax = "proto3";
package istio.networking.v1alpha3;

import "google/api/field_behavior.proto";
import "google/protobuf/wrappers.proto";

option go_package = "istio.io/api/networking/v1alpha3";

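Review bot: The added `google/protobuf/wrappers.proto` import is there only for the single `google.protobuf.BoolValue` field introduced further down in `ServerTLSSettings`. If unset and `false` are meant to behave the same, a plain `bool` would avoid the extra import; if the three-state value is intentional, the field comment should say what an unset value means.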
@@ -577,4 +578,13 @@ message ServerTLSSettings {
// * `AES256-SHA`
// * `DES-CBC3-SHA`
repeated string cipher_suites = 9;

// Optional: If set to true, the proxy will try to validate the certificate, but even if the
// validation fails, it will allow the connection through.
//
// It's needed to implement Gateway API AllowInsecureFallback feature. The different between
// AllowInsecureFallback and not verifying client certificate at all is that Gateway is able
// to pass the client certificate to the backend in the x-forwarded-client-cert HTTP header and
// backend can verify the certificate.
google.protobuf.BoolValue insecure_skip_verify = 17;
}
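Review bot: The comment on `insecure_skip_verify` describes failing open on client certificate validation but leaves the backend's duty optional: "backend can verify the certificate" should be worded as a requirement, and the text should say that the `x-forwarded-client-cert` header may carry a certificate the gateway failed to validate. The field name also reads as if verification is skipped, while the first sentence says the proxy "will try to validate", so the comment should state which behaviour is meant, which TLS modes the field applies to, and what an unset `BoolValue` does. Small typo in the same comment: "The different between" should be "The difference between".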
8 changes: 8 additions & 0 deletions releasenotes/notes/3727.yaml
@@ -0,0 +1,8 @@
apiVersion: release-notes/v2
kind: feature
area: security
releaseNotes:
- |
**Added** `insecure_skip_verify` field to `ServerTLSSettings`. When set to `true`, this will tell the gateway to allow the
incoming connection even if the client certificate does not pass the checks. It will be used to implement Gateway API
`AllowInsecureFallback` feature in Istio.
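Review bot: The release note says the gateway will allow the connection "even if the client certificate does not pass the checks" but omits the consequence that the proto comment spells out: the certificate is passed on in `x-forwarded-client-cert` and verification is left to the backend. For an `area: security` note, add a sentence stating that enabling the field moves client certificate verification to the backend, so operators reading only the release notes see the trade-off.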