[1.16] Warn on missing TLS secret (#9974)

changelog/v1.16.20/missing-tls-secret.yaml

@@ -0,0 +1,18 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/6957
+    resolvesIssue: false
+    description: >-
+      Fix for issue where a missing TLS secret was treated by validation as an error,
+      potentially bringing down the entire HTTPS gateway if the gloo pod restarts while 
+      in this bad state. This is a breaking change in the default behavior of validation.
+      To enable this behavior, use the helm setting `gateway.validation.warnMissingTlsSecret=true`
+      or the same field on the Settings CR. This field has no effect if allowWarnings is false or 
+      acceptAllResources is true.
+  - type: HELM
+    issueLink: https://github.com/solo-io/gloo/issues/6957
+    resolvesIssue: false
+    description: >-
+      New field gateway.validation.warnMissingTlsSecret controls whether missing TLS secrets referenced
+      in SslConfig and UpstreamSslConfig will be treated as a warning instead of an error during validation.
+      Defaults to false. This field has no effect if allowWarnings is false or acceptAllResources is true.

docs/content/reference/values.txt

@@ -363,6 +363,7 @@
 |gateway.validation.enabled|bool|true|enable Gloo Edge API Gateway validation hook (default true)|
 |gateway.validation.alwaysAcceptResources|bool|true|unless this is set this to false in order to ensure validation webhook rejects invalid resources. by default, validation webhook will only log and report metrics for invalid resource admission without rejecting them outright.|
 |gateway.validation.allowWarnings|bool|true|set this to false in order to ensure validation webhook rejects resources that would have warning status or rejected status, rather than just rejected.|
+|gateway.validation.warnMissingTlsSecret|bool|false|set this to true in order to treat missing tls secret references as warnings, causing validation to allow this state. This supports eventually consistent workflows where TLS secrets may not yet be present when VirtualServices that reference them are created. This field has no effect if allowWarnings is false or acceptAllResources is true.|
 |gateway.validation.serverEnabled|bool|true|By providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation.|
 |gateway.validation.disableTransformationValidation|bool|false|set this to true to disable transformation validation. This may bring signifigant performance benefits if using many transformations, at the cost of possibly incorrect transformations being sent to Envoy. When using this value make sure to pre-validate transformations.|
 |gateway.validation.warnRouteShortCircuiting|bool|false|Write a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, this means that Gloo Edge will start assigning warnings to resources that would result in route short-circuiting within a virtual host.|

install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml

@@ -544,6 +544,9 @@ spec:
                         type: string
                       validationWebhookTlsKey:
                         type: string
+                      warnMissingTlsSecret:
+                        nullable: true
+                        type: boolean
                       warnRouteShortCircuiting:
                         nullable: true
                         type: boolean

install/helm/gloo/generate/values.go

@@ -399,6 +399,7 @@ type GatewayValidation struct {
 	Enabled                          *bool    `json:"enabled,omitempty" desc:"enable Gloo Edge API Gateway validation hook (default true)"`
 	AlwaysAcceptResources            *bool    `json:"alwaysAcceptResources,omitempty" desc:"unless this is set this to false in order to ensure validation webhook rejects invalid resources. by default, validation webhook will only log and report metrics for invalid resource admission without rejecting them outright."`
 	AllowWarnings                    *bool    `json:"allowWarnings,omitempty" desc:"set this to false in order to ensure validation webhook rejects resources that would have warning status or rejected status, rather than just rejected."`
+	WarnMissingTlsSecret             *bool    `json:"warnMissingTlsSecret,omitempty" desc:"set this to true in order to treat missing tls secret references as warnings, causing validation to allow this state. This supports eventually consistent workflows where TLS secrets may not yet be present when VirtualServices that reference them are created. This field has no effect if allowWarnings is false or acceptAllResources is true."`
 	ServerEnabled                    *bool    `json:"serverEnabled,omitempty" desc:"By providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation."`
 	DisableTransformationValidation  *bool    `json:"disableTransformationValidation,omitempty" desc:"set this to true to disable transformation validation. This may bring signifigant performance benefits if using many transformations, at the cost of possibly incorrect transformations being sent to Envoy. When using this value make sure to pre-validate transformations."`
 	WarnRouteShortCircuiting         *bool    `json:"warnRouteShortCircuiting,omitempty" desc:"Write a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, this means that Gloo Edge will start assigning warnings to resources that would result in route short-circuiting within a virtual host."`

install/helm/gloo/templates/18-settings.yaml

@@ -127,6 +127,7 @@ spec:
 {{- /* need to do this weird if/else because Helm cannot differentiate between 'false' and 'unset' */}}
       alwaysAccept: {{ .Values.gateway.validation.alwaysAcceptResources }}
       allowWarnings: {{ .Values.gateway.validation.allowWarnings }}
+      warnMissingTlsSecret: {{ .Values.gateway.validation.warnMissingTlsSecret }}
       serverEnabled: {{ .Values.gateway.validation.serverEnabled }}
       disableTransformationValidation: {{ .Values.gateway.validation.disableTransformationValidation }}
       warnRouteShortCircuiting: {{ .Values.gateway.validation.warnRouteShortCircuiting }}

install/helm/gloo/values-template.yaml

@@ -75,6 +75,10 @@ gateway:
     secretName: gateway-validation-certs
     alwaysAcceptResources: true
     allowWarnings: true
+    # Explicitly defaulting this setting to false in order to emphasize the opt-in 
+    # nature of this behavior in this version. The default value for this field 
+    # is changed to true in 1.18, making the behavior opt-out.
+    warnMissingTlsSecret: false
     serverEnabled: true
     disableTransformationValidation: false
     warnRouteShortCircuiting: false

install/test/fixtures/settings/compressed_proxy_spec.yaml

@@ -7,29 +7,29 @@ metadata:
   name: default
   namespace: {{ . }}
 spec:
- discovery:
-   fdsMode: WHITELIST
- gateway:
-   readGatewaysFromAllNamespaces: false
-   compressedProxySpec: true
-   enableGatewayController: true
-   isolateVirtualHostsBySslConfig: false
- gloo:
-   regexMaxProgramSize: 1024
-   enableRestEds: false
-   xdsBindAddr: 0.0.0.0:9977
-   restXdsBindAddr: 0.0.0.0:9976
-   proxyDebugBindAddr: 0.0.0.0:9966
-   disableKubernetesDestinations: false
-   disableProxyGarbageCollection: false
-   invalidConfigPolicy:
-     invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators should run `glooctl check` to find and fix config errors.
-     invalidRouteResponseCode: 404
-     replaceInvalidRoutes: false
-   istioOptions:
-     appendXForwardedHost: true
- kubernetesArtifactSource: {}
- kubernetesConfigSource: {}
- kubernetesSecretSource: {}
- refreshRate: 60s
- discoveryNamespace: {{ . }}
+  discovery:
+    fdsMode: WHITELIST
+  gateway:
+    readGatewaysFromAllNamespaces: false
+    compressedProxySpec: true
+    enableGatewayController: true
+    isolateVirtualHostsBySslConfig: false
+  gloo:
+    regexMaxProgramSize: 1024
+    enableRestEds: false
+    xdsBindAddr: 0.0.0.0:9977
+    restXdsBindAddr: 0.0.0.0:9976
+    proxyDebugBindAddr: 0.0.0.0:9966
+    disableKubernetesDestinations: false
+    disableProxyGarbageCollection: false
+    invalidConfigPolicy:
+      invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators should run `glooctl check` to find and fix config errors.
+      invalidRouteResponseCode: 404
+      replaceInvalidRoutes: false
+    istioOptions:
+      appendXForwardedHost: true
+  kubernetesArtifactSource: {}
+  kubernetesConfigSource: {}
+  kubernetesSecretSource: {}
+  refreshRate: 60s
+  discoveryNamespace: {{ . }}

install/test/fixtures/settings/consul_config_upstream_discovery.yaml

@@ -7,43 +7,44 @@ metadata:
   name: default
   namespace: {{ . }}
 spec:
- discovery:
-   fdsMode: WHITELIST
- gateway:
-   enableGatewayController: true
-   readGatewaysFromAllNamespaces: false
-   isolateVirtualHostsBySslConfig: false
-   validation:
-     alwaysAccept: true
-     allowWarnings: true
-     serverEnabled: true
-     disableTransformationValidation: false
-     warnRouteShortCircuiting: false
-     proxyValidationServerAddr: gloo:9988
-     validationServerGrpcMaxSizeBytes: 104857600
- gloo:
-   regexMaxProgramSize: 1024
-   enableRestEds: false
-   xdsBindAddr: 0.0.0.0:9977
-   restXdsBindAddr: 0.0.0.0:9976
-   proxyDebugBindAddr: 0.0.0.0:9966
-   disableKubernetesDestinations: false
-   disableProxyGarbageCollection: false
-   invalidConfigPolicy:
-     invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators should run `glooctl check` to find and fix config errors.
-     invalidRouteResponseCode: 404
-     replaceInvalidRoutes: false
-   istioOptions:
-     appendXForwardedHost: true
- consulDiscovery:
-   useTlsTagging: true
-   tlsTagName: tag
-   splitTlsServices: true
-   rootCa:
-     name: testName
-     namespace: testNamespace
- kubernetesArtifactSource: {}
- kubernetesConfigSource: {}
- kubernetesSecretSource: {}
- refreshRate: 60s
- discoveryNamespace: {{ . }}
+  discovery:
+    fdsMode: WHITELIST
+  gateway:
+    enableGatewayController: true
+    readGatewaysFromAllNamespaces: false
+    isolateVirtualHostsBySslConfig: false
+    validation:
+      alwaysAccept: true
+      allowWarnings: true
+      warnMissingTlsSecret: false
+      serverEnabled: true
+      disableTransformationValidation: false
+      warnRouteShortCircuiting: false
+      proxyValidationServerAddr: gloo:9988
+      validationServerGrpcMaxSizeBytes: 104857600
+  gloo:
+    regexMaxProgramSize: 1024
+    enableRestEds: false
+    xdsBindAddr: 0.0.0.0:9977
+    restXdsBindAddr: 0.0.0.0:9976
+    proxyDebugBindAddr: 0.0.0.0:9966
+    disableKubernetesDestinations: false
+    disableProxyGarbageCollection: false
+    invalidConfigPolicy:
+      invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators should run `glooctl check` to find and fix config errors.
+      invalidRouteResponseCode: 404
+      replaceInvalidRoutes: false
+    istioOptions:
+      appendXForwardedHost: true
+  consulDiscovery:
+    useTlsTagging: true
+    tlsTagName: tag
+    splitTlsServices: true
+    rootCa:
+      name: testName
+      namespace: testNamespace
+  kubernetesArtifactSource: {}
+  kubernetesConfigSource: {}
+  kubernetesSecretSource: {}
+  refreshRate: 60s
+  discoveryNamespace: {{ . }}

install/test/fixtures/settings/consul_config_values.yaml

@@ -7,54 +7,55 @@ metadata:
   name: default
   namespace: {{ . }}
 spec:
- discovery:
-   fdsMode: WHITELIST
- gateway:
-   readGatewaysFromAllNamespaces: false
-   isolateVirtualHostsBySslConfig: false
-   enableGatewayController: true
-   validation:
-     alwaysAccept: true
-     allowWarnings: true
-     serverEnabled: true
-     disableTransformationValidation: false
-     warnRouteShortCircuiting: false
-     proxyValidationServerAddr: gloo:9988
-     validationServerGrpcMaxSizeBytes: 104857600
- gloo:
-   regexMaxProgramSize: 1024
-   enableRestEds: false
-   xdsBindAddr: 0.0.0.0:9977
-   restXdsBindAddr: 0.0.0.0:9976
-   proxyDebugBindAddr: 0.0.0.0:9966
-   disableKubernetesDestinations: false
-   disableProxyGarbageCollection: false
-   invalidConfigPolicy:
-     invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators should run `glooctl check` to find and fix config errors.
-     invalidRouteResponseCode: 404
-     replaceInvalidRoutes: false
-   istioOptions:
-     appendXForwardedHost: true
- consul:
-   datacenter: datacenter
-   username: user
-   password: password
-   token: aToken
-   caFile: testCaFile
-   caPath: testCaPath
-   certFile: testCertFile
-   keyFile: testKeyFile
-   insecureSkipVerify: true
-   waitTime: 12s
-   serviceDiscovery: 
-     dataCenters:
-       - dc1
-       - dc2
-   httpAddress: 1.2.3.4
-   dnsAddress: 5.6.7.8
-   dnsPollingInterval: 5s
- kubernetesArtifactSource: {}
- kubernetesConfigSource: {}
- kubernetesSecretSource: {}
- refreshRate: 60s
- discoveryNamespace: {{ . }}
+  discovery:
+    fdsMode: WHITELIST
+  gateway:
+    readGatewaysFromAllNamespaces: false
+    isolateVirtualHostsBySslConfig: false
+    enableGatewayController: true
+    validation:
+      alwaysAccept: true
+      allowWarnings: true
+      warnMissingTlsSecret: false
+      serverEnabled: true
+      disableTransformationValidation: false
+      warnRouteShortCircuiting: false
+      proxyValidationServerAddr: gloo:9988
+      validationServerGrpcMaxSizeBytes: 104857600
+  gloo:
+    regexMaxProgramSize: 1024
+    enableRestEds: false
+    xdsBindAddr: 0.0.0.0:9977
+    restXdsBindAddr: 0.0.0.0:9976
+    proxyDebugBindAddr: 0.0.0.0:9966
+    disableKubernetesDestinations: false
+    disableProxyGarbageCollection: false
+    invalidConfigPolicy:
+      invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators should run `glooctl check` to find and fix config errors.
+      invalidRouteResponseCode: 404
+      replaceInvalidRoutes: false
+    istioOptions:
+      appendXForwardedHost: true
+  consul:
+    datacenter: datacenter
+    username: user
+    password: password
+    token: aToken
+    caFile: testCaFile
+    caPath: testCaPath
+    certFile: testCertFile
+    keyFile: testKeyFile
+    insecureSkipVerify: true
+    waitTime: 12s
+    serviceDiscovery: 
+      dataCenters:
+        - dc1
+        - dc2
+    httpAddress: 1.2.3.4
+    dnsAddress: 5.6.7.8
+    dnsPollingInterval: 5s
+  kubernetesArtifactSource: {}
+  kubernetesConfigSource: {}
+  kubernetesSecretSource: {}
+  refreshRate: 60s
+  discoveryNamespace: {{ . }}