[X.509] Happy Path — Tier 1 (Gateway API v1.5 Frontend Validation) #893

@averevki

Summary

Test X.509 client certificate authentication via AuthPolicy using Gateway API v1.5's spec.tls.frontend.default.validation for mTLS termination at the gateway level.

Note: Requires Gateway API v1.5+. Not runnable on current GA OpenShift 4.21, which ships with Gateway API v1.3. Should be gated by a pytest marker (e.g. @pytest.mark.required_capabilities(gateway_api_v1_5)).

Setup

  • Gateway with spec.tls.frontend.default.validation configured
  • CA certificate ConfigMap for gateway validation (referenced by caCertificateRefs)
  • CA certificate Secret(s) with labels for Authorino validation
  • AuthPolicy with x509.source.header: "X-Forwarded-Client-Cert" (default)
  • HTTPRoute bound to AuthPolicy

Tests

  • Client with valid certificate → 200 OK
  • Client without certificate → 401 Unauthorized (rejected at TLS layer)
  • Client with certificate signed by wrong CA → 401 Unauthorized (rejected at gateway or Authorino)
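
A way for a test or echo backend to read the client certificate out of the X-Forwarded-Client-Cert header named in the Setup list; this is an added example, not part of the original issue or the project's test suite. It assumes the gateway writes the header in Envoy's XFCC format (comma-separated elements of semicolon-separated key=value pairs, with Cert holding URL-encoded PEM); the function names and sample values are constructed for illustration.

```python
from urllib.parse import quote, unquote

def split_unquoted(value, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and quoted and i + 1 < len(value):
            buf.append(value[i:i + 2])  # keep \" together so it cannot close the quote
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in XFCC value")
    return parts + ["".join(buf)]

def parse_xfcc(header):
    """Return one {key: [values]} dict per element (one element per proxy hop)."""
    elements = []
    for raw in split_unquoted(header, ","):
        fields = {}
        for pair in filter(None, split_unquoted(raw.strip(), ";")):
            key, eq, val = pair.partition("=")
            if not eq:
                raise ValueError(f"malformed XFCC pair: {pair!r}")
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1].replace('\\"', '"')
            fields.setdefault(key.strip().lower(), []).append(val)  # keys are case-insensitive
        elements.append(fields)
    return elements

def client_cert_pem(header):
    """URL-decoded PEM from Cert=, requiring exactly one element and one Cert."""
    elements = parse_xfcc(header)
    if len(elements) != 1 or len(elements[0].get("cert", [])) != 1:
        raise ValueError("expected exactly one XFCC element with one Cert")
    return unquote(elements[0]["cert"][0])

# Constructed sample: placeholder PEM body, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTEDPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_XFCC = ('By=spiffe://example/gateway;Hash=0a1b;Cert="' + quote(SAMPLE_PEM, safe="")
               + '";Subject="CN=client,O=example"')
```

The single-element requirement in `client_cert_pem` is an assumption for a one-hop gateway setup; a header with more than one element means something other than the gateway under test contributed to it.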

Labels: Test case (New test case), enhancement (Improvement to existing test)
