
Allowing CACertificateRef to be loaded from a secret #2629

Open
asger-noer opened this issue Oct 1, 2024 · 4 comments · May be fixed by #3084
Labels
community enhancement New feature or request refined Requirements are refined and the issue is ready to be implemented. size/medium Estimated to be completed within a week
Milestone

Comments

@asger-noer

Is your enhancement request related to a problem? Please describe.
When running CockroachDB in secure mode with cert-manager acting as CA, this will produce a CA in a Secret instead of in the currently supported ConfigMap. I don't see anything in the API that would prevent the certificate ref from being a Secret.

What would you like to be added:
The option to provide a Secret ref in `spec.validation.caCertificateRefs[*].kind`.

Why this is needed:
For supporting different ways of storing CAs.

Additional context
This is the status of the BackendTLSPolicy when created referencing a Secret instead of a ConfigMap:

```yaml
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  creationTimestamp: "2024-09-30T22:32:27Z"
  generation: 1
  labels:
    kustomize.toolkit.fluxcd.io/name: tools-controllers
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: cockroach-tls
  namespace: cockroach
  resourceVersion: "3860621"
  uid: 84a3e868-9dfc-4bdd-8938-492e88877254
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: cockroach-cockroachdb-public
  validation:
    caCertificateRefs:
    - group: ""
      kind: Secret
      name: cockroach-ca
    hostname: cockroach-cockroachdb-public.cockroach
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: shared-gateway
      namespace: nginx-gateway
    conditions:
    - lastTransitionTime: "2024-09-30T22:40:28Z"
      message: 'invalid CACertificateRef: tls.cacertrefs[0[].kind: Unsupported value:
        "Secret": supported values: "ConfigMap"'
      observedGeneration: 1
      reason: Invalid
      status: "False"
      type: Accepted
    controllerName: gateway.nginx.org/nginx-gateway-controller
```

Versions

nginx-gateway-fabric version: v1.4.0
api-gw-crd bundle version: v1.1.0
api-gw-crd channel: experimental
k8s revision: v1.31.1
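What the requested change amounts to in code, as an added example that is not NGF's own code and was not posted by anyone in this thread: a Go loader that resolves a caCertificateRef of kind ConfigMap or Secret, reads the PEM bundle from the object's data, and refuses anything that is not a CA certificate. The CARefSource type, LoadCAPool, newSelfSignedCert and the ca.crt data key are assumptions of this example; the Kubernetes API types are stood in for by plain maps so that it runs with the standard library only, and the certificates it feeds itself are generated on the fly rather than taken from a real cert-manager Secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CABundleKey is the data key assumed to hold the PEM CA bundle (cert-manager's ca.crt; the Gateway API ConfigMap convention matches).
const CABundleKey = "ca.crt"

// CARefSource stands in for the object a caCertificateRef resolves to. Secret data
// is []byte and already base64-decoded by a Go client; ConfigMap data is string.
type CARefSource struct {
	Kind          string // "ConfigMap" or "Secret"
	ConfigMapData map[string]string
	SecretData    map[string][]byte
}

// bundleBytes returns the raw bundle for key; an unknown Kind is reported with the
// same "Unsupported value" wording as the status condition in the issue.
func bundleBytes(src CARefSource, key string) ([]byte, error) {
	switch src.Kind {
	case "ConfigMap":
		if v, ok := src.ConfigMapData[key]; ok {
			return []byte(v), nil
		}
	case "Secret":
		if v, ok := src.SecretData[key]; ok {
			return v, nil
		}
	default:
		return nil, fmt.Errorf("caCertificateRefs[0].kind: Unsupported value: %q: supported values: \"ConfigMap\", \"Secret\"", src.Kind)
	}
	return nil, fmt.Errorf("%s has no key %q", src.Kind, key)
}

// LoadCAPool parses every CERTIFICATE block under key, rejects any that is not a
// CA, and returns the pool and the CA count. A Secret's tls.key is never read.
func LoadCAPool(src CARefSource, key string) (*x509.CertPool, int, error) {
	raw, err := bundleBytes(src, key)
	if err != nil {
		return nil, 0, err
	}
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip stray non-certificate PEM blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("certificate %d under %s: %w", n, key, err)
		}
		if !cert.IsCA { // BasicConstraints CA=false, or no BasicConstraints at all
			return nil, 0, fmt.Errorf("certificate %q is not a CA", cert.Subject.CommonName)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, fmt.Errorf("no CERTIFICATE blocks found under %s", key)
	}
	return pool, n, nil
}

// newSelfSignedCert builds a throwaway self-signed CA or leaf so the example runs
// offline: constructed test data, not a real cert-manager Secret.
func newSelfSignedCert(cn string, isCA bool) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca := newSelfSignedCert("cockroach-ca", true)
	secret := CARefSource{Kind: "Secret", SecretData: map[string][]byte{"ca.crt": ca, "tls.key": []byte("<key>")}}
	cm := CARefSource{Kind: "ConfigMap", ConfigMapData: map[string]string{"ca.crt": string(ca)}}
	for _, src := range []CARefSource{cm, secret, {Kind: "ServiceAccount"}} {
		_, n, err := LoadCAPool(src, CABundleKey)
		fmt.Printf("kind=%s cas=%d err=%v\n", src.Kind, n, err)
	}
}
```

Two points worth keeping in mind when a controller starts accepting Secrets here. A cert-manager Certificate Secret carries tls.key next to ca.crt, so whatever RBAC lets the controller read CA Secrets also lets it read private keys; reading only the ca.crt key, as above, keeps the key material out of the controller's memory but does not narrow the grant. And rejecting non-CA certificates matters because a Secret's tls.crt is right there: pointing the ref at the leaf by mistake would otherwise silently pin trust to a single rotating certificate. Until a Secret kind is accepted, the bundle can be copied into a ConfigMap by hand, e.g. `kubectl -n cockroach get secret cockroach-ca -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt && kubectl -n cockroach create configmap cockroach-ca --from-file=ca.crt` (assuming, as this example does, that the Secret keeps the CA under ca.crt).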
@asger-noer asger-noer added the enhancement New feature or request label Oct 1, 2024
@mpstefan mpstefan added this to the v2.0.0 milestone Oct 1, 2024
@mpstefan
Collaborator

mpstefan commented Oct 1, 2024

Thanks for reporting this @asger-noer! We initially only implemented ConfigMap support, as that is the only object that is specifically listed as "core" support under the Gateway API, but as you say, there's no explicit reason why it should be limited to ConfigMaps only.

We should be able to look at this in the future, and I'll update this issue as it goes through the process.

Otherwise, we are open to PRs on this issue in the meantime!

@mpstefan mpstefan added community refined Requirements are refined and the issue is ready to be implemented. size/medium Estimated to be completed within a week labels Oct 28, 2024
@bozho

bozho commented Nov 15, 2024

Hi,

I'd like to add a 👍 for this. We'd like to use NGF as a reverse proxy to an Elasticsearch cluster. ES nodes use TLS for intra-node communication, so the reverse proxy must trust the self-signed root cert.

ECK operator creates a Secret with public certs, which is a JSON document, and the root cert is under data."ca.cert", so support to reference a field inside a secret would be needed in our scenario.

@mpstefan mpstefan modified the milestones: v1.6.0, v2.0.0 Dec 18, 2024
@porthorian

I would like to +1 this as well, since cert-manager creates certificates as Secrets.

@porthorian

porthorian commented Jan 6, 2025

I've started on this in #2976; it's very nifty how this stuff is set up. Now getting into the bit of actually adding the CA bundle to the configuration.
