add support for secrets for backendtlspolicy

Author: porthorian

.github/workflows/build.yml

@@ -103,8 +103,8 @@ jobs:
         with:
           context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
           images: |
-            name=ghcr.io/nginxinc/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
-            name=ghcr.io/nginxinc/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
             name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}

internal/mode/static/state/change_processor_test.go

@@ -422,6 +422,7 @@ var _ = Describe("ChangeProcessor", func() {
 			var (
 				gcUpdated                                                  *v1.GatewayClass
 				diffNsTLSSecret, sameNsTLSSecret                           *apiv1.Secret
+				diffNsTLSCert, sameNsTLSCert                               *graph.CertificateBundle
 				hr1, hr1Updated, hr2                                       *v1.HTTPRoute
 				gr1, gr1Updated, gr2                                       *v1.GRPCRoute
 				tr1, tr1Updated, tr2                                       *v1alpha2.TLSRoute
@@ -592,8 +593,19 @@ var _ = Describe("ChangeProcessor", func() {
 						apiv1.TLSPrivateKeyKey: key,
 					},
 				}
+				sameNsTLSCert = graph.NewCertificateBundle(
+					types.NamespacedName{Namespace: sameNsTLSSecret.Namespace, Name: sameNsTLSSecret.Name},
+					"Secret",
+					&graph.Certificate{
+						TLSCert:       cert,
+						TLSPrivateKey: key,
+					},
+				)
 
 				diffNsTLSSecret = &apiv1.Secret{
+					TypeMeta: metav1.TypeMeta{
+						Kind: "Secret",
+					},
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "different-ns-tls-secret",
 						Namespace: "cert-ns",
@@ -605,6 +617,15 @@ var _ = Describe("ChangeProcessor", func() {
 					},
 				}
 
+				diffNsTLSCert = graph.NewCertificateBundle(
+					types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+					"Secret",
+					&graph.Certificate{
+						TLSCert:       cert,
+						TLSPrivateKey: key,
+					},
+				)
+
 				gw1 = createGateway(
 					"gateway-1",
 					createHTTPListener(),
@@ -1155,6 +1176,14 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
 						Source: diffNsTLSSecret,
+						CertBundle: graph.NewCertificateBundle(
+							types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+							"Secret",
+							&graph.Certificate{
+								TLSCert:       cert,
+								TLSPrivateKey: key,
+							},
+						),
 					}
 
 					expGraph.ReferencedServices = nil
@@ -1189,6 +1218,14 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
 						Source: diffNsTLSSecret,
+						CertBundle: graph.NewCertificateBundle(
+							types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+							"Secret",
+							&graph.Certificate{
+								TLSCert:       cert,
+								TLSPrivateKey: key,
+							},
+						),
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1209,6 +1246,14 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
 						Source: diffNsTLSSecret,
+						CertBundle: graph.NewCertificateBundle(
+							types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+							"Secret",
+							&graph.Certificate{
+								TLSCert:       cert,
+								TLSPrivateKey: key,
+							},
+						),
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1219,7 +1264,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(trServiceRefGrant)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1230,7 +1276,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(gatewayAPICRDUpdated)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					expGraph.GatewayClass.Conditions = conditions.NewGatewayClassSupportedVersionBestEffort(
@@ -1247,7 +1294,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(gatewayAPICRDSameVersion)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					expGraph.GatewayClass.Conditions = conditions.NewGatewayClassSupportedVersionBestEffort(
@@ -1266,7 +1314,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(gatewayAPICRD)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1282,7 +1331,8 @@ var _ = Describe("ChangeProcessor", func() {
 					listener80 := getListenerByName(expGraph.Gateway, httpListenerName)
 					listener80.Routes[httpRouteKey1].Source.SetGeneration(hr1Updated.Generation)
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1299,7 +1349,8 @@ var _ = Describe("ChangeProcessor", func() {
 					listener80 := getListenerByName(expGraph.Gateway, httpListenerName)
 					listener80.Routes[grpcRouteKey1].Source.SetGeneration(gr1Updated.Generation)
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1313,7 +1364,8 @@ var _ = Describe("ChangeProcessor", func() {
 					tlsListener.L4Routes[trKey1].Source.SetGeneration(tr1Updated.Generation)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1325,7 +1377,8 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.Gateway.Source.Generation = gw1Updated.Generation
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1337,7 +1390,8 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.GatewayClass.Source.Generation = gcUpdated.Generation
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1348,7 +1402,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(diffNsTLSSecret)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1357,7 +1412,8 @@ var _ = Describe("ChangeProcessor", func() {
 			When("no changes are captured", func() {
 				It("returns nil graph", func() {
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					changed, graphCfg := processor.Process()
@@ -1371,7 +1427,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(sameNsTLSSecret)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					changed, graphCfg := processor.Process()
@@ -1388,7 +1445,8 @@ var _ = Describe("ChangeProcessor", func() {
 						{Namespace: "test", Name: "gateway-2"}: gw2,
 					}
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1411,7 +1469,8 @@ var _ = Describe("ChangeProcessor", func() {
 						FailedCondition:   staticConds.NewRouteNotAcceptedGatewayIgnored(),
 					}
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1445,7 +1504,8 @@ var _ = Describe("ChangeProcessor", func() {
 					}
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1485,7 +1545,8 @@ var _ = Describe("ChangeProcessor", func() {
 					}
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1532,7 +1593,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1583,7 +1645,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1627,7 +1690,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1668,7 +1732,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName = types.NamespacedName{}

internal/mode/static/state/dataplane/configuration.go

@@ -58,12 +58,14 @@ func BuildConfiguration(
 		BackendGroups:         backendGroups,
 		SSLKeyPairs:           buildSSLKeyPairs(g.ReferencedSecrets, g.Gateway.Listeners),
 		Version:               configVersion,
-		CertBundles:           buildCertBundles(g.ReferencedCaCertConfigMaps, backendGroups),
-		Telemetry:             buildTelemetry(g),
-		BaseHTTPConfig:        baseHTTPConfig,
-		Logging:               buildLogging(g),
-		MainSnippets:          buildSnippetsForContext(g.SnippetsFilters, ngfAPI.NginxContextMain),
-		AuxiliarySecrets:      buildAuxiliarySecrets(g.PlusSecrets),
+		CertBundles: buildCertBundles(
+			buildRefCertificateBundles(g.ReferencedSecrets, g.ReferencedCaCertConfigMaps),
+			backendGroups),
+		Telemetry:        buildTelemetry(g),
+		BaseHTTPConfig:   baseHTTPConfig,
+		Logging:          buildLogging(g),
+		MainSnippets:     buildSnippetsForContext(g.SnippetsFilters, ngfAPI.NginxContextMain),
+		AuxiliarySecrets: buildAuxiliarySecrets(g.PlusSecrets),
 	}
 
 	return config
@@ -224,8 +226,28 @@ func buildSSLKeyPairs(
 	return keyPairs
 }
 
+func buildRefCertificateBundles(
+	secrets map[types.NamespacedName]*graph.Secret,
+	configMaps map[types.NamespacedName]*graph.CaCertConfigMap) []graph.CertificateBundle {
+	bundles := []graph.CertificateBundle{}
+
+	for _, secret := range secrets {
+		if secret.CertBundle != nil {
+			bundles = append(bundles, *secret.CertBundle)
+		}
+	}
+
+	for _, configMap := range configMaps {
+		if configMap.CertBundle != nil {
+			bundles = append(bundles, *configMap.CertBundle)
+		}
+	}
+
+	return bundles
+}
+
 func buildCertBundles(
-	caCertConfigMaps map[types.NamespacedName]*graph.CaCertConfigMap,
+	refCertBundles []graph.CertificateBundle,
 	backendGroups []BackendGroup,
 ) map[CertBundleID]CertBundle {
 	bundles := make(map[CertBundleID]CertBundle)
@@ -247,18 +269,16 @@ func buildCertBundles(
 		}
 	}
 
-	for cmName, cm := range caCertConfigMaps {
-		id := generateCertBundleID(cmName)
+	for _, bundle := range refCertBundles {
+		id := generateCertBundleID(bundle.Name)
 		if _, exists := refByBG[id]; exists {
-			if cm.CACert != nil || len(cm.CACert) > 0 {
-				// the cert could be base64 encoded or plaintext
-				data := make([]byte, base64.StdEncoding.DecodedLen(len(cm.CACert)))
-				_, err := base64.StdEncoding.Decode(data, cm.CACert)
-				if err != nil {
-					data = cm.CACert
-				}
-				bundles[id] = data
+			// the cert could be base64 encoded or plaintext
+			data := make([]byte, base64.StdEncoding.DecodedLen(len(bundle.Cert.CACert)))
+			_, err := base64.StdEncoding.Decode(data, bundle.Cert.CACert)
+			if err != nil {
+				data = bundle.Cert.CACert
 			}
+			bundles[id] = data
 		}
 	}
 
@@ -766,11 +786,11 @@ func generateSSLKeyPairID(secret types.NamespacedName) SSLKeyPairID {
 	return SSLKeyPairID(fmt.Sprintf("ssl_keypair_%s_%s", secret.Namespace, secret.Name))
 }
 
-// generateCertBundleID generates an ID for the certificate bundle based on the ConfigMap namespaced name.
+// generateCertBundleID generates an ID for the certificate bundle based on the ConfigMap/Secret namespaced name.
 // It is guaranteed to be unique per unique namespaced name.
 // The ID is safe to use as a file name.
-func generateCertBundleID(configMap types.NamespacedName) CertBundleID {
-	return CertBundleID(fmt.Sprintf("cert_bundle_%s_%s", configMap.Namespace, configMap.Name))
+func generateCertBundleID(caCertRef types.NamespacedName) CertBundleID {
+	return CertBundleID(fmt.Sprintf("cert_bundle_%s_%s", caCertRef.Namespace, caCertRef.Name))
 }
 
 // buildTelemetry generates the Otel configuration.