Support gateway api BackendTLSPolicy #6119
Conversation
sunjayBhatia
added
the
release-note/major
cmd/contour/serve.go
Outdated
| @@ -639,6 +639,10 @@ func (s *Server) doServe() error { | |||
| s.log.WithError(err).WithField("resource", "secrets").Fatal("failed to create informer") | |||
| } | |||
|
|
|||
| if err := s.informOnResource(&corev1.ConfigMap{}, handler); err != nil { | |||
There was a problem hiding this comment.
i think we could only start this informer if the backendtlspolicy feature is enabled, could augment the features map below to be map[string][]string so if a feature is disabled/enabled we can enable/disable any other required informers/controllers
There was a problem hiding this comment.
Not sure I follow the change for features to go from map[string]struct{} to map[string][]string. What would go into the new string array value type here? I see the serve.go currently deletes from the map if a feature is disabled. Is that not enough?
There was a problem hiding this comment.
the map key would be feature names, which currently are only resource kinds we inform on, and then the string list could be kinds that a particular feature/top level kind depends on, in this case backendtlspolicy also needs a configmap informer to work fully, so if you disable backendtlspolicy you dont need to have a configmap informer etc.
it might be overkill, tbh since we also have an if statement checking if backendtlspolicy is enabled, we can add the creation of the configmap informer in there
There was a problem hiding this comment.
Ended up moving the informOnResource line down into the feature check for backendltspolicy.
|
|
internal/dag/cache_test.go
Outdated
| @@ -1035,6 +1091,48 @@ func TestKubernetesCacheInsert(t *testing.T) { | |||
| }, | |||
| want: true, | |||
| }, | |||
| "insert backendtlspolicy referenced by gateway-api HTTPRoute": { | |||
There was a problem hiding this comment.
nit
| "insert backendtlspolicy referenced by gateway-api HTTPRoute": { | |
| "insert backendtlspolicy targeting backend Service": { |
| }, | ||
| want: false, | ||
| }, | ||
| "insert certificate configmap referenced by BackendTLSPolicy": { |
There was a problem hiding this comment.
should be able to add a case for a Secret referenced by a BackendTLSPolicy (on the remove case as well)
There was a problem hiding this comment.
Done. It should be noted that the secretRetriggerBuild function always returns true on ca certs, which is what is always provided to backendtlspolicies, so no changes to the implementation was done here, but testing it is still valuable just to provide intent in case the logic here changes.
| want: backendTLSPolicy("btp2", "backend-service-with-fallback", nil, ptr.To("https")), | ||
| wantFound: true, | ||
| }, | ||
| "finds the BackendTLSPolicy matching namespace": { |
There was a problem hiding this comment.
i think there should be some consideration of what namespace the backendtlspolicy resides in as well, at least as an initial pass let's not allow policies that live in a different namespace from the Service (for the purposes of this test, the targetRef target namespace) they reference
so we may need to always construct a targetRef with a namespace which in the processor this would be the namespace of the HTTPRoute if not specified on the backendref, otherwise the ns of the backendref
There was a problem hiding this comment.
Yeah logic here has some hidden complexity. I did a bit of a rewrite, now matching the namespace provided on the targetref to the backendtlspolicy namespace instead, then check that the backendtlspolicy namespace matches the spec.targetRef.namespace afterward. Also added some logic around default namespaces and empty namespaces e.g if spec.targetRef.namespace is empty that should be fine since that should be used for cross namespace-ing, which is unsupported. Added additional testing here as well, but could always use another look to check if anything is missed or unclear.
There was a problem hiding this comment.
i think the updated tests etc. look good, might need another eye just in case but good in my book
internal/dag/gatewayapi_processor.go
Outdated
| Group: backendRefGroup, | ||
| Kind: backendRefKind, | ||
| Name: backendRef.Name, | ||
| Namespace: backendRef.Namespace, |
There was a problem hiding this comment.
this may not be specified if no cross-ns reference is present, so likely have to make this the ns of the HTTPRoute if empty
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
from
e04d511
to
dfbf234
Compare
|
Looks like this file does not include BackendTLSPolicy: https://github.com/kubernetes-sigs/gateway-api/blob/v1.0.0/config/crd/experimental/kustomization.yaml 🙃 so we never automatically picked it up in our examples: contour/hack/generate-gateway-yaml.sh Line 17 in 9eb2838 |
we could update this instead to pull from the release artifact: https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml |
Yeah we noticed that. That is interesting that BackendTLSPolicy is in the released artifact. We figured it might make sense to just PR the kustomization.yaml, but I'm fine with switching to the released artifact if that makes more sense. |
yeah we'll have to probably switch to downloading the released artifact since the old tag won't be updated made a PR to fix this here: kubernetes-sigs/gateway-api#2736 |
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
from
dfbf234
to
8e8626b
Compare
flawedmatrix
requested review from
skriss and
sunjayBhatia
and removed request for
a team
sunjayBhatia
requested review from
a team,
izturn and
clayton-gonsalves
and removed request for
a team
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
3 times, most recently
from
1189d20
to
31a5bb2
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #6119 +/- ##
==========================================
+ Coverage 78.52% 78.58% +0.06%
==========================================
Files 140 141 +1
Lines 19911 20187 +276
==========================================
+ Hits 15635 15864 +229
- Misses 3967 4012 +45
- Partials 309 311 +2
|
|
@sunjayBhatia made some changes from your feedback and got the checks passing. I think this is ready for another review. |
There was a problem hiding this comment.
Besides some v minor things I think this is basically good to go. Before merging too would be good to get some issues created for all the outstanding things for follow-ups:
- Supporting BackendTLS for GRPCRoute
- Supporting BackendTLS for TLSRoute
- Status Condition logic for BackendTLSPolicies
- Interaction between the existing Service annotation for specifying backend protocol and BackendTLSPolicy
- Handling conflict resolution if there are multiple Policies targeting a Service
- e2e testing upstream TLS settings w/ Gateway API Routes (to cover the Gateway processor being wired up properly in serve.go)
- look at cluster name generation to see if we need to include all of the ca cert secret names in the hashed name
- and any other things that we can think of
| @@ -47,8 +47,12 @@ func Clustername(cluster *dag.Cluster) string { | |||
| buf += hc.Path | |||
| } | |||
| if uv := cluster.UpstreamValidation; uv != nil { | |||
| buf += uv.CACertificate.Object.ObjectMeta.Name | |||
| buf += uv.SubjectNames[0] | |||
| if len(uv.CACertificates) > 0 { | |||
There was a problem hiding this comment.
hm i wonder if we could run into some issues here with duplicate cluster names for when the same cluster is referenced in different places that have different backend tls settings, adding as a follow up
There was a problem hiding this comment.
Broke out the follow issue to follow up: #6141
internal/dag/cache.go
Outdated
| func (kc *KubernetesCache) LookupBackendTLSPolicyByTargetRef(targetRef gatewayapi_v1alpha2.PolicyTargetReferenceWithSectionName) (*gatewayapi_v1alpha2.BackendTLSPolicy, bool) { | ||
| var fallbackBackendTLSPolicy *gatewayapi_v1alpha2.BackendTLSPolicy | ||
| for _, v := range kc.backendtlspolicies { | ||
| // Match the namespace in the targetRef to the BackendTLSPolicy namespace instead of the it's |
There was a problem hiding this comment.
| // Match the namespace in the targetRef to the BackendTLSPolicy namespace instead of the it's | |
| // Match the namespace in the targetRef to the BackendTLSPolicy namespace instead of it's |
| want: backendTLSPolicy("btp2", "some-ns", "backend-service-with-ns", nil, nil), | ||
| wantFound: true, | ||
| }, | ||
| "finds the BackendTLSPolicy in default namespace": { |
There was a problem hiding this comment.
realistically i dont think this can happen since we alway set the targetRef NS to the Route ns but worth having in case
| want: backendTLSPolicy("btp2", "backend-service-with-fallback", nil, ptr.To("https")), | ||
| wantFound: true, | ||
| }, | ||
| "finds the BackendTLSPolicy matching namespace": { |
There was a problem hiding this comment.
i think the updated tests etc. look good, might need another eye just in case but good in my book
internal/dag/builder_test.go
Outdated
| objs: []any{ | ||
| tlsService, | ||
| configMapCert1, | ||
| &gatewayapi_v1beta1.HTTPRoute{ |
There was a problem hiding this comment.
Shall we define some helper functions to create the objects?, this files is too large now
There was a problem hiding this comment.
That makes sense. Done.
Created follow up issues for the above. The only other follow up item I could think of is cross namespace certificate secrets with ReferenceGrants. Happy to add more issues as more follow up items come up. |
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
2 times, most recently
from
cd9c056
to
2ccc498
Compare
|
I addressed the latest round of feedback. |
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
from
2ccc498
to
dc66472
Compare
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
from
dc66472
to
39f89e0
Compare
|
Thanks for the review Steve. I've updated the PR to address your comments. |
|
Oops, looks like |
The BackendTLSPolicy will allow a user to connect an httproute to a backend service with TLS. - Only implements BackendTLSPolicy for HTTPRoute - Only allows Services for spec.targetRef - Allows ConfigMap or Secret for spec.TLS.CACertRefs - Adds backendtlspolicies to the ClusterRole for Contour - Adds configmaps to the ClusterRole for Contour - Controller reconciles on BackendTLSPolicy and ConfigMaps now - BackendTLSPolicy spec.targetRef can specify SectionName to be port name of a service to target a particular section of the service. Co-authored-by: Christian Ang <christian.ang@broadcom.com> Signed-off-by: Edwin Xie <edwin.xie@broadcom.com>
- to help reduce verbosity of builder test Signed-off-by: Christian Ang <christian.ang@broadcom.com>
christianang
force-pushed
the
gateway-api-backend-tls-policy
branch
from
39f89e0
to
95bfe88
Compare
|
Ah missed running those tests locally. I updated the tests to account for the ConfigMap changes. |
There was a problem hiding this comment.
LGTM, will leave in case @sunjayBhatia wanted to take another look
The BackendTLSPolicy will allow a user to connect an httproute to a backend service with TLS.
Implements #5929
In the interest of keeping this size of this change relatively small, we opted not to implement all of the GEP (https://gateway-api.sigs.k8s.io/geps/gep-1897/)
Specifically, we have not yet implemented BackendTLSPolicy for TLSRoute or GRPCRoute, precedence handling for BackendTLSPolicy (described here: https://gateway-api.sigs.k8s.io/geps/gep-713/#conflict-resolution), displaying status conditions on the BackendTLSPolicy, among others we may have missed.
We have also opted not to implement
wellKnownCACertssince it was an implementation-specific detail of the GEP (kubernetes-sigs/gateway-api#2726) and right now support for System certs was not supported anywhere in Contour.