fix: reload Connect API and UI TLS certificate when rotated

[markgoddard]

By using SDS to define the certificate secrets, Envoy will watch the
directory for changes, and reload when certificates are rotated.

Note that the SDS resources cannot be in static_resources, which is why
we use a separate file as a dynamic SDS configuration source. See
example 3 in [1].

[1] https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret#key-rotation

Fixes: https://github.com/cofide/cofide-connect/issues/1383

[gemini-code-assist]

Summary of Changes

Hello @markgoddard, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses the critical need for automatic TLS certificate rotation within the Connect API and UI services. By transitioning Envoy's TLS configuration from static definitions to a dynamic Secret Discovery Service (SDS) approach, the system can now automatically detect and reload updated certificates and private keys from the filesystem. This enhancement significantly improves operational security and reduces manual intervention for certificate management.

Highlights

• Dynamic TLS Certificate Rotation: Implemented Secret Discovery Service (SDS) for Envoy proxies in both the Connect API and UI to enable automatic reloading of TLS certificates upon rotation.
• Envoy Configuration Update: Modified Envoy configurations to replace static tls_certificates with dynamic tls_certificate_sds_secret_configs, pointing to new envoy-sds.yaml files.
• New SDS Configuration Files: Introduced envoy-sds.yaml files for both the Connect API and UI, which serve as dynamic SDS configuration sources to watch for certificate and key changes on the filesystem.
• Helm Chart Version Bumps: Incremented the chart versions for cofide-connect-ui from 0.1.4 to 0.1.5 and cofide-connect from 0.11.4 to 0.11.5.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• charts/cofide-connect-ui/Chart.yaml
  • Incremented chart version to 0.1.5.
• charts/cofide-connect-ui/templates/configmap-envoy.yaml
  • Switched Envoy UI listener TLS certificate configuration from static tls_certificates to dynamic tls_certificate_sds_secret_configs.
  • Introduced envoy-sds.yaml as a dynamic SDS configuration source for the UI's TLS certificate, enabling filesystem watching for rotation.
  • Added comments to clarify the purpose of envoy.yaml and envoy-sds.yaml.
• charts/cofide-connect/Chart.yaml
  • Incremented chart version to 0.11.5.
• charts/cofide-connect/templates/configmap-envoy.yaml
  • Switched Envoy API listener TLS certificate configuration from static tls_certificates to dynamic tls_certificate_sds_secret_configs.
  • Introduced envoy-sds.yaml as a dynamic SDS configuration source for the API's TLS certificate, enabling filesystem watching for rotation.
  • Added a static secrets definition for connect_api_tls_cert within the main Envoy configuration.
  • Added comments to clarify the purpose of envoy.yaml and envoy-sds.yaml.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly updates the Envoy configuration to use the Secret Discovery Service (SDS) for TLS certificates, enabling automatic reloading when they are rotated. However, it introduces a security-sensitive flaw by including a redundant static secret definition in the Connect API's Envoy configuration (charts/cofide-connect/templates/configmap-envoy.yaml). This redundancy will likely prevent the dynamic rotation from functioning as intended for the API component, undermining the PR's objective. Removing this static definition is crucial to ensure Envoy correctly utilizes the dynamic SDS source and the certificate rotation works as intended.

[yoctozepto]

LGTM otherwise