Support gateway api BackendTLSPolicy (#6119)

The BackendTLSPolicy will allow a user to connect an httproute to a backend service with TLS. - Only implements BackendTLSPolicy for HTTPRoute - Only allows Services for spec.targetRef - Allows ConfigMap or Secret for spec.TLS.CACertRefs - Adds backendtlspolicies to the ClusterRole for Contour - Adds configmaps to the ClusterRole for Contour - Controller reconciles on BackendTLSPolicy and ConfigMaps now - BackendTLSPolicy spec.targetRef can specify SectionName to be port name of a service to target a particular section of the service. Signed-off-by: Edwin Xie <edwin.xie@broadcom.com> Signed-off-by: Christian Ang <christian.ang@broadcom.com> Co-authored-by: Christian Ang <christian.ang@broadcom.com>
projectcontour · Feb 1, 2024 · 943d5e2 · 943d5e2
1 parent 62f81db
commit 943d5e2
Show file tree

Hide file tree

Showing 42 changed files with 4,355 additions and 1,746 deletions.
diff --git a/changelogs/unreleased/6119-flawedmatrix-major.md b/changelogs/unreleased/6119-flawedmatrix-major.md
@@ -0,0 +1,9 @@
+## Support for Gateway API BackendTLSPolicy
+
+The BackendTLSPolicy CRD can now be used with HTTPRoute to configure a Contour gateway to connect to a backend Service with TLS. This will give users the ability to use Gateway API to configure their routes to securely connect to backends that use TLS with Contour.
+
+The BackendTLSPolicy spec requires you to specify a `targetRef`, which can currently only be a Kubernetes Service within the same namespace as the BackendTLSPolicy. The targetRef is what Service should be watched to apply the BackendTLSPolicy to. A `SectionName` can also be configured to the port name of a Service to reference a specific section of the Service.
+
+The spec also requires you to specify `caCertRefs`, which can either be a ConfigMap or Secret with a `ca.crt` key in the data map containing a PEM-encoded TLS certificate. The CA certificates referenced will be configured to be used by the gateway to perform TLS to the backend Service. You will also need to specify a `Hostname`, which will be used to configure the SNI the gateway will use for the connection.
+
+See Gateway API's [GEP-1897](https://gateway-api.sigs.k8s.io/geps/gep-1897) for the proposal for BackendTLSPolicy.
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
@@ -133,7 +133,7 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext)
 	serve.Flag("debug", "Enable debug logging.").Short('d').BoolVar(&ctx.Config.Debug)
 	serve.Flag("debug-http-address", "Address the debug http endpoint will bind to.").PlaceHolder("<ipaddr>").StringVar(&ctx.debugAddr)
 	serve.Flag("debug-http-port", "Port the debug http endpoint will bind to.").PlaceHolder("<port>").IntVar(&ctx.debugPort)
-	serve.Flag("disable-feature", "Do not start an informer for the specified resources.").PlaceHolder("<extensionservices,tlsroutes,grpcroutes,tcproutes>").EnumsVar(&ctx.disabledFeatures, "extensionservices", "tlsroutes", "grpcroutes", "tcproutes")
+	serve.Flag("disable-feature", "Do not start an informer for the specified resources.").PlaceHolder("<extensionservices,tlsroutes,grpcroutes,tcproutes,backendtlspolicies>").EnumsVar(&ctx.disabledFeatures, "extensionservices", "tlsroutes", "grpcroutes", "tcproutes", "backendtlspolicies")
 	serve.Flag("disable-leader-election", "Disable leader election mechanism.").BoolVar(&ctx.LeaderElection.Disable)
 
 	serve.Flag("envoy-http-access-log", "Envoy HTTP access log.").PlaceHolder("/path/to/file").StringVar(&ctx.httpAccessLog)
@@ -260,6 +260,28 @@ func NewServer(log logrus.FieldLogger, ctx *serveContext) (*Server, error) {
 						return secret, nil
 					},
 				},
+				&corev1.ConfigMap{}: {
+					Transform: func(obj any) (any, error) {
+						configMap, ok := obj.(*corev1.ConfigMap)
+						// TransformFunc should handle the tombstone of type cache.DeletedFinalStateUnknown
+						if !ok {
+							return obj, nil
+						}
+
+						// Keep ConfigMaps that have the ca.crt key because they may be necessary
+						if _, ok := configMap.Data[dag.CACertificateKey]; ok {
+							return obj, nil
+						}
+
+						// Other types of ConfigMaps will never be referred to, so we can remove all data.
+						// Last-applied-configuration annotation might contain a copy of the complete data.
+						configMap.Data = map[string]string{}
+						configMap.SetManagedFields(nil)
+						configMap.SetAnnotations(nil)
+
+						return configMap, nil
+					},
+				},
 			},
 			// DefaultTransform is called for objects that do not have a TransformByObject function.
 			DefaultTransform: func(obj any) (any, error) {
@@ -1060,9 +1082,10 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto
 
 		// Some features may be disabled.
 		features := map[string]struct{}{
-			"tlsroutes":  {},
-			"grpcroutes": {},
-			"tcproutes":  {},
+			"tlsroutes":          {},
+			"grpcroutes":         {},
+			"tcproutes":          {},
+			"backendtlspolicies": {},
 		}
 		for _, f := range s.ctx.disabledFeatures {
 			delete(features, f)
@@ -1094,6 +1117,18 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto
 			}
 		}
 
+		// Create and register the BackendTLSPolicy controller with the manager.
+		if _, enabled := features["backendtlspolicies"]; enabled {
+			// Inform on ConfigMap if BackendTLSPolicy is enabled
+			if err := s.informOnResource(&corev1.ConfigMap{}, eventHandler); err != nil {
+				s.log.WithError(err).WithField("resource", "configmaps").Fatal("failed to create informer")
+			}
+
+			if err := controller.RegisterBackendTLSPolicyController(s.log.WithField("context", "backendtlspolicy-controller"), mgr, eventHandler); err != nil {
+				s.log.WithError(err).Fatal("failed to create backendtlspolicy-controller")
+			}
+		}
+
 		// Inform on ReferenceGrants.
 		if err := s.informOnResource(&gatewayapi_v1beta1.ReferenceGrant{}, eventHandler); err != nil {
 			s.log.WithError(err).WithField("resource", "referencegrants").Fatal("failed to create informer")
@@ -1239,6 +1274,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
 			PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes,
 			SetSourceMetadataOnRoutes:     true,
 			GlobalCircuitBreakerDefaults:  dbc.globalCircuitBreakerDefaults,
+			UpstreamTLS:                   dbc.upstreamTLS,
 		})
 	}
 

diff --git a/examples/contour/02-role-contour.yaml b/examples/contour/02-role-contour.yaml
@@ -10,6 +10,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -29,6 +30,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -43,6 +45,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
   - grpcroutes/status

diff --git a/examples/gateway-provisioner/01-roles.yaml b/examples/gateway-provisioner/01-roles.yaml
@@ -10,6 +10,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -78,15 +79,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
-  - gatewayclasses
-  - gateways
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -101,19 +94,29 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
+  - grpcroutes/status
+  - httproutes/status
+  - tcproutes/status
+  - tlsroutes/status
   verbs:
   - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
   - gatewayclasses/status
   - gateways/status
-  - grpcroutes/status
-  - httproutes/status
-  - tcproutes/status
-  - tlsroutes/status
   verbs:
   - update
 - apiGroups: