Skip to content

Commit c617cf7

Browse files
porthorianporthorian
authored
adding support for secrets for backendtlspolicy (#3084)
The proposed changes here adds the support for Secrets to be used according to the BackednTLSPolicy Custom Resource. This helps further the implementation of nginx-gateway-fabric to support the Gateway API more. Problem Currently BackendTLSPolicy only supports readying in tls certifications and ca certifications via a config map. This does not work when you are using cert-manager for instance since it puts this information into a kubernetes secret rather then a config map. Solution The Solution here is to hook into the existing Configuration structure that builds the dataplane nginx configuration that is served in the pod. Allowing for secrets and configmaps to be read into this array of CertBundles.
1 parent 31ef5cc commit c617cf7

File tree

14 files changed

+555
-167
lines changed

14 files changed

+555
-167
lines changed

.github/workflows/build.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -103,8 +103,8 @@ jobs:
103103
with:
104104
context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
105105
images: |
106-
name=ghcr.io/nginx/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
107-
name=ghcr.io/nginx/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
106+
name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
107+
name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
108108
name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
109109
name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
110110
name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}

internal/mode/static/state/change_processor_test.go

Lines changed: 85 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -424,6 +424,7 @@ var _ = Describe("ChangeProcessor", func() {
424424
var (
425425
gcUpdated *v1.GatewayClass
426426
diffNsTLSSecret, sameNsTLSSecret *apiv1.Secret
427+
diffNsTLSCert, sameNsTLSCert *graph.CertificateBundle
427428
hr1, hr1Updated, hr2 *v1.HTTPRoute
428429
gr1, gr1Updated, gr2 *v1.GRPCRoute
429430
tr1, tr1Updated, tr2 *v1alpha2.TLSRoute
@@ -594,8 +595,19 @@ var _ = Describe("ChangeProcessor", func() {
594595
apiv1.TLSPrivateKeyKey: key,
595596
},
596597
}
598+
sameNsTLSCert = graph.NewCertificateBundle(
599+
types.NamespacedName{Namespace: sameNsTLSSecret.Namespace, Name: sameNsTLSSecret.Name},
600+
"Secret",
601+
&graph.Certificate{
602+
TLSCert: cert,
603+
TLSPrivateKey: key,
604+
},
605+
)
597606

598607
diffNsTLSSecret = &apiv1.Secret{
608+
TypeMeta: metav1.TypeMeta{
609+
Kind: "Secret",
610+
},
599611
ObjectMeta: metav1.ObjectMeta{
600612
Name: "different-ns-tls-secret",
601613
Namespace: "cert-ns",
@@ -607,6 +619,15 @@ var _ = Describe("ChangeProcessor", func() {
607619
},
608620
}
609621

622+
diffNsTLSCert = graph.NewCertificateBundle(
623+
types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
624+
"Secret",
625+
&graph.Certificate{
626+
TLSCert: cert,
627+
TLSPrivateKey: key,
628+
},
629+
)
630+
610631
gw1 = createGateway(
611632
"gateway-1",
612633
createHTTPListener(),
@@ -1157,6 +1178,14 @@ var _ = Describe("ChangeProcessor", func() {
11571178

11581179
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
11591180
Source: diffNsTLSSecret,
1181+
CertBundle: graph.NewCertificateBundle(
1182+
types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
1183+
"Secret",
1184+
&graph.Certificate{
1185+
TLSCert: cert,
1186+
TLSPrivateKey: key,
1187+
},
1188+
),
11601189
}
11611190

11621191
expGraph.ReferencedServices = nil
@@ -1191,6 +1220,14 @@ var _ = Describe("ChangeProcessor", func() {
11911220

11921221
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
11931222
Source: diffNsTLSSecret,
1223+
CertBundle: graph.NewCertificateBundle(
1224+
types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
1225+
"Secret",
1226+
&graph.Certificate{
1227+
TLSCert: cert,
1228+
TLSPrivateKey: key,
1229+
},
1230+
),
11941231
}
11951232

11961233
processAndValidateGraph(expGraph)
@@ -1211,6 +1248,14 @@ var _ = Describe("ChangeProcessor", func() {
12111248

12121249
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
12131250
Source: diffNsTLSSecret,
1251+
CertBundle: graph.NewCertificateBundle(
1252+
types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
1253+
"Secret",
1254+
&graph.Certificate{
1255+
TLSCert: cert,
1256+
TLSPrivateKey: key,
1257+
},
1258+
),
12141259
}
12151260

12161261
processAndValidateGraph(expGraph)
@@ -1221,7 +1266,8 @@ var _ = Describe("ChangeProcessor", func() {
12211266
processor.CaptureUpsertChange(trServiceRefGrant)
12221267

12231268
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1224-
Source: diffNsTLSSecret,
1269+
Source: diffNsTLSSecret,
1270+
CertBundle: diffNsTLSCert,
12251271
}
12261272

12271273
processAndValidateGraph(expGraph)
@@ -1232,7 +1278,8 @@ var _ = Describe("ChangeProcessor", func() {
12321278
processor.CaptureUpsertChange(gatewayAPICRDUpdated)
12331279

12341280
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1235-
Source: diffNsTLSSecret,
1281+
Source: diffNsTLSSecret,
1282+
CertBundle: diffNsTLSCert,
12361283
}
12371284

12381285
expGraph.GatewayClass.Conditions = conditions.NewGatewayClassSupportedVersionBestEffort(
@@ -1249,7 +1296,8 @@ var _ = Describe("ChangeProcessor", func() {
12491296
processor.CaptureUpsertChange(gatewayAPICRDSameVersion)
12501297

12511298
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1252-
Source: diffNsTLSSecret,
1299+
Source: diffNsTLSSecret,
1300+
CertBundle: diffNsTLSCert,
12531301
}
12541302

12551303
expGraph.GatewayClass.Conditions = conditions.NewGatewayClassSupportedVersionBestEffort(
@@ -1268,7 +1316,8 @@ var _ = Describe("ChangeProcessor", func() {
12681316
processor.CaptureUpsertChange(gatewayAPICRD)
12691317

12701318
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1271-
Source: diffNsTLSSecret,
1319+
Source: diffNsTLSSecret,
1320+
CertBundle: diffNsTLSCert,
12721321
}
12731322

12741323
processAndValidateGraph(expGraph)
@@ -1284,7 +1333,8 @@ var _ = Describe("ChangeProcessor", func() {
12841333
listener80 := getListenerByName(expGraph.Gateway, httpListenerName)
12851334
listener80.Routes[httpRouteKey1].Source.SetGeneration(hr1Updated.Generation)
12861335
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1287-
Source: diffNsTLSSecret,
1336+
Source: diffNsTLSSecret,
1337+
CertBundle: diffNsTLSCert,
12881338
}
12891339

12901340
processAndValidateGraph(expGraph)
@@ -1301,7 +1351,8 @@ var _ = Describe("ChangeProcessor", func() {
13011351
listener80 := getListenerByName(expGraph.Gateway, httpListenerName)
13021352
listener80.Routes[grpcRouteKey1].Source.SetGeneration(gr1Updated.Generation)
13031353
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1304-
Source: diffNsTLSSecret,
1354+
Source: diffNsTLSSecret,
1355+
CertBundle: diffNsTLSCert,
13051356
}
13061357

13071358
processAndValidateGraph(expGraph)
@@ -1315,7 +1366,8 @@ var _ = Describe("ChangeProcessor", func() {
13151366
tlsListener.L4Routes[trKey1].Source.SetGeneration(tr1Updated.Generation)
13161367

13171368
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1318-
Source: diffNsTLSSecret,
1369+
Source: diffNsTLSSecret,
1370+
CertBundle: diffNsTLSCert,
13191371
}
13201372

13211373
processAndValidateGraph(expGraph)
@@ -1327,7 +1379,8 @@ var _ = Describe("ChangeProcessor", func() {
13271379

13281380
expGraph.Gateway.Source.Generation = gw1Updated.Generation
13291381
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1330-
Source: diffNsTLSSecret,
1382+
Source: diffNsTLSSecret,
1383+
CertBundle: diffNsTLSCert,
13311384
}
13321385

13331386
processAndValidateGraph(expGraph)
@@ -1339,7 +1392,8 @@ var _ = Describe("ChangeProcessor", func() {
13391392

13401393
expGraph.GatewayClass.Source.Generation = gcUpdated.Generation
13411394
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1342-
Source: diffNsTLSSecret,
1395+
Source: diffNsTLSSecret,
1396+
CertBundle: diffNsTLSCert,
13431397
}
13441398

13451399
processAndValidateGraph(expGraph)
@@ -1350,7 +1404,8 @@ var _ = Describe("ChangeProcessor", func() {
13501404
processor.CaptureUpsertChange(diffNsTLSSecret)
13511405

13521406
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1353-
Source: diffNsTLSSecret,
1407+
Source: diffNsTLSSecret,
1408+
CertBundle: diffNsTLSCert,
13541409
}
13551410

13561411
processAndValidateGraph(expGraph)
@@ -1359,7 +1414,8 @@ var _ = Describe("ChangeProcessor", func() {
13591414
When("no changes are captured", func() {
13601415
It("returns nil graph", func() {
13611416
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1362-
Source: diffNsTLSSecret,
1417+
Source: diffNsTLSSecret,
1418+
CertBundle: diffNsTLSCert,
13631419
}
13641420

13651421
changed, graphCfg := processor.Process()
@@ -1373,7 +1429,8 @@ var _ = Describe("ChangeProcessor", func() {
13731429
processor.CaptureUpsertChange(sameNsTLSSecret)
13741430

13751431
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1376-
Source: diffNsTLSSecret,
1432+
Source: diffNsTLSSecret,
1433+
CertBundle: diffNsTLSCert,
13771434
}
13781435

13791436
changed, graphCfg := processor.Process()
@@ -1390,7 +1447,8 @@ var _ = Describe("ChangeProcessor", func() {
13901447
{Namespace: "test", Name: "gateway-2"}: gw2,
13911448
}
13921449
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1393-
Source: diffNsTLSSecret,
1450+
Source: diffNsTLSSecret,
1451+
CertBundle: diffNsTLSCert,
13941452
}
13951453

13961454
processAndValidateGraph(expGraph)
@@ -1413,7 +1471,8 @@ var _ = Describe("ChangeProcessor", func() {
14131471
FailedCondition: staticConds.NewRouteNotAcceptedGatewayIgnored(),
14141472
}
14151473
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1416-
Source: diffNsTLSSecret,
1474+
Source: diffNsTLSSecret,
1475+
CertBundle: diffNsTLSCert,
14171476
}
14181477

14191478
processAndValidateGraph(expGraph)
@@ -1447,7 +1506,8 @@ var _ = Describe("ChangeProcessor", func() {
14471506
}
14481507

14491508
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1450-
Source: diffNsTLSSecret,
1509+
Source: diffNsTLSSecret,
1510+
CertBundle: diffNsTLSCert,
14511511
}
14521512

14531513
processAndValidateGraph(expGraph)
@@ -1487,7 +1547,8 @@ var _ = Describe("ChangeProcessor", func() {
14871547
}
14881548

14891549
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
1490-
Source: diffNsTLSSecret,
1550+
Source: diffNsTLSSecret,
1551+
CertBundle: diffNsTLSCert,
14911552
}
14921553

14931554
processAndValidateGraph(expGraph)
@@ -1534,7 +1595,8 @@ var _ = Describe("ChangeProcessor", func() {
15341595
sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
15351596
listener443.ResolvedSecret = sameNsTLSSecretRef
15361597
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
1537-
Source: sameNsTLSSecret,
1598+
Source: sameNsTLSSecret,
1599+
CertBundle: sameNsTLSCert,
15381600
}
15391601

15401602
delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1585,7 +1647,8 @@ var _ = Describe("ChangeProcessor", func() {
15851647
sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
15861648
listener443.ResolvedSecret = sameNsTLSSecretRef
15871649
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
1588-
Source: sameNsTLSSecret,
1650+
Source: sameNsTLSSecret,
1651+
CertBundle: sameNsTLSCert,
15891652
}
15901653

15911654
delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1629,7 +1692,8 @@ var _ = Describe("ChangeProcessor", func() {
16291692
sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
16301693
listener443.ResolvedSecret = sameNsTLSSecretRef
16311694
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
1632-
Source: sameNsTLSSecret,
1695+
Source: sameNsTLSSecret,
1696+
CertBundle: sameNsTLSCert,
16331697
}
16341698

16351699
delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1670,7 +1734,8 @@ var _ = Describe("ChangeProcessor", func() {
16701734
sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
16711735
listener443.ResolvedSecret = sameNsTLSSecretRef
16721736
expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
1673-
Source: sameNsTLSSecret,
1737+
Source: sameNsTLSSecret,
1738+
CertBundle: sameNsTLSCert,
16741739
}
16751740

16761741
expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName = types.NamespacedName{}

0 commit comments

Comments
 (0)