From aa3240483f70c8f92237efc976db41b64dc692c6 Mon Sep 17 00:00:00 2001
From: Paul Banks
Date: Wed, 25 Aug 2021 17:29:06 +0100
Subject: [PATCH] Add changelog; Add API package support for new fields.

---
 .changelog/10903.txt | 3 +++
 api/config_entry_gateways.go | 19 +++++++++++++++++++
 api/config_entry_gateways_test.go | 18 ++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 .changelog/10903.txt

diff --git a/.changelog/10903.txt b/.changelog/10903.txt
new file mode 100644
index 000000000..49f6d5931
--- /dev/null
+++ b/.changelog/10903.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS.
+```
diff --git a/api/config_entry_gateways.go b/api/config_entry_gateways.go
index 737b814d4..e1364b45e 100644
--- a/api/config_entry_gateways.go
+++ b/api/config_entry_gateways.go
@@ -40,6 +40,19 @@ type IngressGatewayConfigEntry struct {
 type GatewayTLSConfig struct {
 // Indicates that TLS should be enabled for this gateway service.
 Enabled bool
+
+ // SDS allows configuring TLS certificate from an SDS service.
+ SDS *GatewayTLSSDSConfig `json:",omitempty"`
+}
+
+type GatewayServiceTLSConfig struct {
+ // SDS allows configuring TLS certificate from an SDS service.
+ SDS *GatewayTLSSDSConfig `json:",omitempty"`
+}
+
+type GatewayTLSSDSConfig struct {
+ ClusterName string `json:",omitempty" alias:"cluster_name"`
+ CertResource string `json:",omitempty" alias:"cert_resource"`
 }
 
 // IngressListener manages the configuration for a listener on a specific port.
@@ -59,6 +72,9 @@ type IngressListener struct {
 // For "tcp" protocol listeners, only a single service is allowed.
 // For "http" listeners, multiple services can be declared.
 Services []IngressService
+
+ // TLS allows specifying some TLS configuration per listener.
+ TLS *GatewayTLSConfig
 }
 
 // IngressService manages configuration for services that are exposed to
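Review bot: `ClusterName` and `CertResource` in the new `GatewayTLSSDSConfig` carry no doc comments, and nothing in the hunk says how the `SDS` pointers now reachable at gateway, listener and service level combine when more than one is set. Since the certificate fetched over SDS is what the ingress presents to its clients, a reader needs to know what the cluster name is resolved against and which level wins; I would add `// ClusterName is the name of the Envoy cluster that serves SDS; the cluster itself is presumably supplied to Envoy outside this config entry — confirm.` and `// CertResource is the SDS resource name of the certificate to request.`, plus one sentence on the SDS doc comment stating the override order between levels. The existing `Enabled` comment ("for this gateway service") also becomes misleading once `GatewayTLSConfig` is reused per listener by the following hunk.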
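Review bot: The new `TLS *GatewayTLSConfig` on `IngressListener` has no `json:",omitempty"` tag, unlike the `SDS` pointer fields added in the same commit and the `RequestHeaders`/`ResponseHeaders` pointers on `IngressService`, so an unset listener TLS block is emitted as `"TLS": null` in every config entry read back through the API. I would add the struct tag `json:",omitempty"` to `TLS *GatewayTLSConfig` to match its siblings. Reusing `GatewayTLSConfig` here also exposes `Enabled` per listener; the comment should say whether a listener-level `Enabled` overrides the gateway-level one or is ignored, otherwise a reader setting only `SDS` at the listener has to guess. The `IngressListener` struct starts before the hunk.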
@@ -93,6 +109,9 @@ type IngressService struct {
 // Namespacing is a Consul Enterprise feature.
 Namespace string `json:",omitempty"`
 
+ // TLS allows specifying some TLS configuration per listener.
+ TLS *GatewayServiceTLSConfig
+
 // Allow HTTP header manipulation to be configured.
 RequestHeaders *HTTPHeaderModifiers `json:",omitempty" alias:"request_headers"`
 ResponseHeaders *HTTPHeaderModifiers `json:",omitempty" alias:"response_headers"`
diff --git a/api/config_entry_gateways_test.go b/api/config_entry_gateways_test.go
index 22b15259b..bc8d6d0e4 100644
--- a/api/config_entry_gateways_test.go
+++ b/api/config_entry_gateways_test.go
@@ -86,8 +86,26 @@ func TestAPI_ConfigEntries_IngressGateway(t *testing.T) {
 ResponseHeaders: &HTTPHeaderModifiers{
 Remove: []string{"x-foo"},
 },
+ TLS: &GatewayServiceTLSConfig{
+ SDS: &GatewayTLSSDSConfig{
+ ClusterName: "foo",
+ CertResource: "bar",
+ },
+ },
 },
 },
+ TLS: &GatewayTLSConfig{
+ SDS: &GatewayTLSSDSConfig{
+ ClusterName: "baz",
+ CertResource: "qux",
+ },
+ },
+ }
+ ingress1.TLS = GatewayTLSConfig{
+ SDS: &GatewayTLSSDSConfig{
+ ClusterName: "qux",
+ CertResource: "bug",
 },
 }
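Review bot: The comment on the new `IngressService.TLS` field says "per listener" although the field sits on `IngressService`, and the `RequestHeaders`/`ResponseHeaders` lines just below show that the sibling pointer fields carry `json:",omitempty"` where this one does not; the comment looks copy-pasted from the listener hunk. I would write `// TLS allows specifying some TLS configuration per service.` and add the struct tag `json:",omitempty"` to `TLS *GatewayServiceTLSConfig` so an unset value is not emitted as `"TLS": null`. The `IngressService` struct starts before the hunk.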