GEP: Allow Multiple Certificate Refs per Gateway Listener

[robscott]

What would you like to be added: The CertificateRef field in Listener TLSConfig should be replaced with a CertificateRefs field.

Why this is needed: This would help with a number of use cases, including:

• When hostname is empty on the Listener, and Routes attach multiple unique Hostnames
• Providing RSA and EC certs
• Temporarily including new and old certs during an upgrade

Relevant Slack thread: https://kubernetes.slack.com/archives/CR0H13KGA/p1629912749150800

[tokers]

Hi, there, what's the status of this GEP? I'd like to implement it :)

[tokers]

/assign

[robscott]

Reopening because we need conformance test coverage for this.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[robscott]

The only thing left here is conformance tests (and spec clarification) which has more recently been covered by https://github.com/kubernetes-sigs/gateway-api/issues/1330 and https://github.com/kubernetes-sigs/gateway-api/pull/1526, going to close this one out.