Skip to content

Commit

Permalink
Support gateway api BackendTLSPolicy (projectcontour#6119)
Browse files Browse the repository at this point in the history
The BackendTLSPolicy will allow a user to connect an httproute to a
backend service with TLS.

- Only implements BackendTLSPolicy for HTTPRoute
- Only allows Services for spec.targetRef
- Allows ConfigMap or Secret for spec.TLS.CACertRefs
- Adds backendtlspolicies to the ClusterRole for Contour
- Adds configmaps to the ClusterRole for Contour
- Controller reconciles on BackendTLSPolicy and ConfigMaps now
- BackendTLSPolicy spec.targetRef can specify SectionName to be port
  name of a service to target a particular section of the service.

Signed-off-by: Edwin Xie <[email protected]>
Signed-off-by: Christian Ang <[email protected]>
Co-authored-by: Christian Ang <[email protected]>
  • Loading branch information
flawedmatrix and christianang authored Feb 1, 2024
1 parent 62f81db commit 943d5e2
Show file tree
Hide file tree
Showing 42 changed files with 4,355 additions and 1,746 deletions.
9 changes: 9 additions & 0 deletions changelogs/unreleased/6119-flawedmatrix-major.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
## Support for Gateway API BackendTLSPolicy

The BackendTLSPolicy CRD can now be used with HTTPRoute to configure a Contour gateway to connect to a backend Service with TLS. This will give users the ability to use Gateway API to configure their routes to securely connect to backends that use TLS with Contour.

The BackendTLSPolicy spec requires you to specify a `targetRef`, which can currently only be a Kubernetes Service within the same namespace as the BackendTLSPolicy. The targetRef is what Service should be watched to apply the BackendTLSPolicy to. A `SectionName` can also be configured to the port name of a Service to reference a specific section of the Service.

The spec also requires you to specify `caCertRefs`, which can either be a ConfigMap or Secret with a `ca.crt` key in the data map containing a PEM-encoded TLS certificate. The CA certificates referenced will be configured to be used by the gateway to perform TLS to the backend Service. You will also need to specify a `Hostname`, which will be used to configure the SNI the gateway will use for the connection.

See Gateway API's [GEP-1897](https://gateway-api.sigs.k8s.io/geps/gep-1897) for the proposal for BackendTLSPolicy.
44 changes: 40 additions & 4 deletions cmd/contour/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext)
serve.Flag("debug", "Enable debug logging.").Short('d').BoolVar(&ctx.Config.Debug)
serve.Flag("debug-http-address", "Address the debug http endpoint will bind to.").PlaceHolder("<ipaddr>").StringVar(&ctx.debugAddr)
serve.Flag("debug-http-port", "Port the debug http endpoint will bind to.").PlaceHolder("<port>").IntVar(&ctx.debugPort)
serve.Flag("disable-feature", "Do not start an informer for the specified resources.").PlaceHolder("<extensionservices,tlsroutes,grpcroutes,tcproutes>").EnumsVar(&ctx.disabledFeatures, "extensionservices", "tlsroutes", "grpcroutes", "tcproutes")
serve.Flag("disable-feature", "Do not start an informer for the specified resources.").PlaceHolder("<extensionservices,tlsroutes,grpcroutes,tcproutes,backendtlspolicies>").EnumsVar(&ctx.disabledFeatures, "extensionservices", "tlsroutes", "grpcroutes", "tcproutes", "backendtlspolicies")
serve.Flag("disable-leader-election", "Disable leader election mechanism.").BoolVar(&ctx.LeaderElection.Disable)

serve.Flag("envoy-http-access-log", "Envoy HTTP access log.").PlaceHolder("/path/to/file").StringVar(&ctx.httpAccessLog)
Expand Down Expand Up @@ -260,6 +260,28 @@ func NewServer(log logrus.FieldLogger, ctx *serveContext) (*Server, error) {
return secret, nil
},
},
&corev1.ConfigMap{}: {
Transform: func(obj any) (any, error) {
configMap, ok := obj.(*corev1.ConfigMap)
// TransformFunc should handle the tombstone of type cache.DeletedFinalStateUnknown
if !ok {
return obj, nil
}

// Keep ConfigMaps that have the ca.crt key because they may be necessary
if _, ok := configMap.Data[dag.CACertificateKey]; ok {
return obj, nil
}

// Other types of ConfigMaps will never be referred to, so we can remove all data.
// Last-applied-configuration annotation might contain a copy of the complete data.
configMap.Data = map[string]string{}
configMap.SetManagedFields(nil)
configMap.SetAnnotations(nil)

return configMap, nil
},
},
},
// DefaultTransform is called for objects that do not have a TransformByObject function.
DefaultTransform: func(obj any) (any, error) {
Expand Down Expand Up @@ -1060,9 +1082,10 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto

// Some features may be disabled.
features := map[string]struct{}{
"tlsroutes": {},
"grpcroutes": {},
"tcproutes": {},
"tlsroutes": {},
"grpcroutes": {},
"tcproutes": {},
"backendtlspolicies": {},
}
for _, f := range s.ctx.disabledFeatures {
delete(features, f)
Expand Down Expand Up @@ -1094,6 +1117,18 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto
}
}

// Create and register the BackendTLSPolicy controller with the manager.
if _, enabled := features["backendtlspolicies"]; enabled {
// Inform on ConfigMap if BackendTLSPolicy is enabled
if err := s.informOnResource(&corev1.ConfigMap{}, eventHandler); err != nil {
s.log.WithError(err).WithField("resource", "configmaps").Fatal("failed to create informer")
}

if err := controller.RegisterBackendTLSPolicyController(s.log.WithField("context", "backendtlspolicy-controller"), mgr, eventHandler); err != nil {
s.log.WithError(err).Fatal("failed to create backendtlspolicy-controller")
}
}

// Inform on ReferenceGrants.
if err := s.informOnResource(&gatewayapi_v1beta1.ReferenceGrant{}, eventHandler); err != nil {
s.log.WithError(err).WithField("resource", "referencegrants").Fatal("failed to create informer")
Expand Down Expand Up @@ -1239,6 +1274,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes,
SetSourceMetadataOnRoutes: true,
GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults,
UpstreamTLS: dbc.upstreamTLS,
})
}

Expand Down
3 changes: 3 additions & 0 deletions examples/contour/02-role-contour.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- namespaces
- secrets
Expand All @@ -29,6 +30,7 @@ rules:
- apiGroups:
- gateway.networking.k8s.io
resources:
- backendtlspolicies
- gatewayclasses
- gateways
- grpcroutes
Expand All @@ -43,6 +45,7 @@ rules:
- apiGroups:
- gateway.networking.k8s.io
resources:
- backendtlspolicies/status
- gatewayclasses/status
- gateways/status
- grpcroutes/status
Expand Down
29 changes: 16 additions & 13 deletions examples/gateway-provisioner/01-roles.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- namespaces
- secrets
Expand Down Expand Up @@ -78,15 +79,7 @@ rules:
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- backendtlspolicies
- gatewayclasses
- gateways
- grpcroutes
Expand All @@ -101,19 +94,29 @@ rules:
- apiGroups:
- gateway.networking.k8s.io
resources:
- backendtlspolicies/status
- gatewayclasses/status
- gateways/status
- grpcroutes/status
- httproutes/status
- tcproutes/status
- tlsroutes/status
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
- grpcroutes/status
- httproutes/status
- tcproutes/status
- tlsroutes/status
verbs:
- update
- apiGroups:
Expand Down
Loading

0 comments on commit 943d5e2

Please sign in to comment.