adding support for secrets for backendtlspolicy

[porthorian]

Proposed changes

The proposed changes here adds the support for Secrets to be used according to the BackednTLSPolicy Custom Resource. This helps further the implementation of nginx-gateway-fabric to support the Gateway API more.

Problem

Currently BackendTLSPolicy only supports readying in tls certifications and ca certifications via a config map. This does not work when you are using cert-manager for instance since it puts this information into a kubernetes secret rather then a config map.

Solution

The Solution here is to hook into the existing Configuration structure that builds the dataplane nginx configuration that is served in the pod. Allowing for secrets and configmaps to be read into this array of CertBundles.

Testing

Did some end to end testing here and built 2 packages that can be used with this code.

https://github.com/porthorian/nginx-gateway-fabric/pkgs/container/nginx-gateway-fabric%2Fnginx
https://github.com/porthorian/nginx-gateway-fabric/pkgs/container/nginx-gateway-fabric

These were then deployed and made a BackendTLSPolicy with the secret that was created with cert-manager.

apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: tls-upstream-unifi
spec:
  targetRefs:
    - kind: Service
      name: unifi
      group: ""
  validation:
    caCertificateRefs:
      - name: unifi-signed-cert
        group: ''
        kind: Secret
    hostname: {your-domain-name}

—

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-svc-cert
spec:
  dnsNames:
    - {your-domain-name}
  secretName: unifi-signed-cert
  commonName: unifi
  issuerRef:
    name: self-signed-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  keystores:
    jks:
      alias: unifi
      create: true
      passwordSecretRef:
        name: unifi-keystore
        key: password

Reviewer Focus

Since this is a working draft here - places that should be focused on is making sure I am inline with the current standards and everyone is statisified with how this was structurally laid out before moving onto polishing it up and writing some additional tests.

Issues

Closes #2629

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

* Adds support for secrets to be used in BackendTLSPolicy Gateway API for tls certificates and ca certificates.

[sjberman]

Overall I think the approach looks good here! Haven't yet tested it myself, but will get around to that. Thanks for this.

[sjberman]

Suggested change

	CertBundles: buildCertBundles(
	buildRefCertificateBundles(g.ReferencedSecrets, g.ReferencedCaCertConfigMaps),
	backendGroups),
	CertBundles: buildCertBundles(
	buildRefCertificateBundles(g.ReferencedSecrets, g.ReferencedCaCertConfigMaps),
	backendGroups,
	),

nit: style

[sjberman]

Suggested change

	func buildRefCertificateBundles(
	secrets map[types.NamespacedName]*graph.Secret,
	configMaps map[types.NamespacedName]*graph.CaCertConfigMap) []graph.CertificateBundle {
	func buildRefCertificateBundles(
	secrets map[types.NamespacedName]*graph.Secret,
	configMaps map[types.NamespacedName]*graph.CaCertConfigMap,
	) []graph.CertificateBundle {

nit: style

[sjberman]

Let's do a switch statement on the Kinds

[sjberman]

Suggested change

	return fmt.Errorf("`%s` invalid certificate reference supported", selectedCertRef.Kind)
	return fmt.Errorf("invalid certificate reference %q", selectedCertRef.Kind)

[sjberman]

Suggested change

	return fmt.Errorf("the data field %s must hold a valid CERTIFICATE PEM block", CAKey)
	return fmt.Errorf("the data field %q must hold a valid CERTIFICATE PEM block", CAKey)

%q will wrap the string in quotes so it's easier to spot in the message.

(I know this was just copied here, but figured we might as well fix it)

[sjberman]

Suggested change

	return fmt.Errorf("the data field %s must hold a valid CERTIFICATE PEM block, but got '%s'", CAKey, block.Type)
	return fmt.Errorf("the data field %q must hold a valid CERTIFICATE PEM block, but got %q", CAKey, block.Type)