
Commit a2973d0

Add support for Secrets for BackendTLSPolicy
1 parent e553ce1 commit a2973d0


4 files changed

+53
-18
lines changed


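--- a/internal/mode/static/state/dataplane/configuration.go
+++ b/internal/mode/static/state/dataplane/configuration.go
@@ -766,11 +766,11 @@ func generateSSLKeyPairID(secret types.NamespacedName) SSLKeyPairID {
 return SSLKeyPairID(fmt.Sprintf("ssl_keypair_%s_%s", secret.Namespace, secret.Name))
 }
 
-// generateCertBundleID generates an ID for the certificate bundle based on the ConfigMap namespaced name.
+// generateCertBundleID generates an ID for the certificate bundle based on the ConfigMap/Secret namespaced name.
 // It is guaranteed to be unique per unique namespaced name.
 // The ID is safe to use as a file name.
-func generateCertBundleID(configMap types.NamespacedName) CertBundleID {
-return CertBundleID(fmt.Sprintf("cert_bundle_%s_%s", configMap.Namespace, configMap.Name))
+func generateCertBundleID(caCertRef types.NamespacedName) CertBundleID {
+return CertBundleID(fmt.Sprintf("cert_bundle_%s_%s", caCertRef.Namespace, caCertRef.Name))
 }
 
 // buildTelemetry generates the Otel configuration.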

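--- a/internal/mode/static/state/graph/backend_tls_policy.go
+++ b/internal/mode/static/state/graph/backend_tls_policy.go
@@ -2,9 +2,11 @@ package graph
 
 import (
 "fmt"
+"slices"
 
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/validation/field"
+v1 "sigs.k8s.io/gateway-api/apis/v1"
 "sigs.k8s.io/gateway-api/apis/v1alpha3"
 
 "github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
@@ -31,6 +33,7 @@ type BackendTLSPolicy struct {
 func processBackendTLSPolicies(
 backendTLSPolicies map[types.NamespacedName]*v1alpha3.BackendTLSPolicy,
 configMapResolver *configMapResolver,
+secretResolver *secretResolver,
 ctlrName string,
 gateway *Gateway,
 ) map[types.NamespacedName]*BackendTLSPolicy {
@@ -42,7 +45,7 @@ func processBackendTLSPolicies(
 for nsname, backendTLSPolicy := range backendTLSPolicies {
 var caCertRef types.NamespacedName
 
-valid, ignored, conds := validateBackendTLSPolicy(backendTLSPolicy, configMapResolver, ctlrName)
+valid, ignored, conds := validateBackendTLSPolicy(backendTLSPolicy, configMapResolver, secretResolver, ctlrName)
 
 if valid && !ignored && backendTLSPolicy.Spec.Validation.CACertificateRefs != nil {
 caCertRef = types.NamespacedName{
@@ -68,6 +71,7 @@ func processBackendTLSPolicies(
 func validateBackendTLSPolicy(
 backendTLSPolicy *v1alpha3.BackendTLSPolicy,
 configMapResolver *configMapResolver,
+secretResolver *secretResolver,
 ctlrName string,
 ) (valid, ignored bool, conds []conditions.Condition) {
 valid = true
@@ -93,7 +97,7 @@ func validateBackendTLSPolicy(
 conds = append(conds, staticConds.NewPolicyInvalid(msg))
 
 case len(caCertRefs) > 0:
-if err := validateBackendTLSCACertRef(backendTLSPolicy, configMapResolver); err != nil {
+if err := validateBackendTLSCACertRef(backendTLSPolicy, configMapResolver, secretResolver); err != nil {
 valid = false
 conds = append(conds, staticConds.NewPolicyInvalid(
 fmt.Sprintf("invalid CACertificateRef: %s", err.Error())))
@@ -124,30 +128,42 @@ func validateBackendTLSHostname(btp *v1alpha3.BackendTLSPolicy) error {
 return nil
 }
 
-func validateBackendTLSCACertRef(btp *v1alpha3.BackendTLSPolicy, configMapResolver *configMapResolver) error {
+func validateBackendTLSCACertRef(btp *v1alpha3.BackendTLSPolicy, configMapResolver *configMapResolver, secretResolver *secretResolver) error {
 if len(btp.Spec.Validation.CACertificateRefs) != 1 {
 path := field.NewPath("tls.cacertrefs")
 valErr := field.TooMany(path, len(btp.Spec.Validation.CACertificateRefs), 1)
 return valErr
 }
-if btp.Spec.Validation.CACertificateRefs[0].Kind != "ConfigMap" {
+
+selectedCertRef := btp.Spec.Validation.CACertificateRefs[0]
+allowedCaCertKinds := []v1.Kind{"ConfigMap", "Secret"}
+
+if slices.Contains(allowedCaCertKinds, selectedCertRef.Kind) {
 path := field.NewPath("tls.cacertrefs[0].kind")
-valErr := field.NotSupported(path, btp.Spec.Validation.CACertificateRefs[0].Kind, []string{"ConfigMap"})
+valErr := field.NotSupported(path, btp.Spec.Validation.CACertificateRefs[0].Kind, allowedCaCertKinds)
 return valErr
 }
-if btp.Spec.Validation.CACertificateRefs[0].Group != "" &&
-btp.Spec.Validation.CACertificateRefs[0].Group != "core" {
+if selectedCertRef.Group != "" &&
+selectedCertRef.Group != "core" {
 path := field.NewPath("tls.cacertrefs[0].group")
-valErr := field.NotSupported(path, btp.Spec.Validation.CACertificateRefs[0].Group, []string{"", "core"})
+valErr := field.NotSupported(path, selectedCertRef.Group, []string{"", "core"})
 return valErr
 }
 nsName := types.NamespacedName{
 Namespace: btp.Namespace,
-Name: string(btp.Spec.Validation.CACertificateRefs[0].Name),
+Name: string(selectedCertRef.Name),
 }
-if err := configMapResolver.resolve(nsName); err != nil {
-path := field.NewPath("tls.cacertrefs[0]")
-return field.Invalid(path, btp.Spec.Validation.CACertificateRefs[0], err.Error())
+
+if selectedCertRef.Kind == "ConfigMap" {
+if err := configMapResolver.resolve(nsName); err != nil {
+path := field.NewPath("tls.cacertrefs[0]")
+return field.Invalid(path, selectedCertRef, err.Error())
+}
+} else if selectedCertRef.Kind == "Secret" {
+if err := secretResolver.resolve(nsName); err != nil {
+path := field.NewPath("tls.cacertrefs[0]")
+return field.Invalid(path, selectedCertRef, err.Error())
+}
 }
 return nil
 }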
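Review bot: The kind check at new line 141 of validateBackendTLSCACertRef is inverted: `slices.Contains(allowedCaCertKinds, selectedCertRef.Kind)` is true for exactly the kinds that should be accepted, so every ConfigMap or Secret reference is rejected with NotSupported, while any other kind passes through to the Group check and, because neither the ConfigMap nor the Secret branch at lines 157–166 matches it, the function returns nil without resolving any CA certificate. The condition should read `if !slices.Contains(allowedCaCertKinds, selectedCertRef.Kind) {`. The NotSupported call on the next line still spells out `btp.Spec.Validation.CACertificateRefs[0].Kind` where `selectedCertRef.Kind` is now in scope, and the later if/else-if chain would be clearer as a `switch selectedCertRef.Kind` with a default branch that returns an error, so that a reference which passes validation is always one that was actually resolved. The existing ConfigMap cases in the test table, if they are run, should already fail on the inverted check.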

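--- a/internal/mode/static/state/graph/backend_tls_policy_test.go
+++ b/internal/mode/static/state/graph/backend_tls_policy_test.go
@@ -75,7 +75,7 @@ func TestProcessBackendTLSPoliciesEmpty(t *testing.T) {
 t.Parallel()
 g := NewWithT(t)
 
-processed := processBackendTLSPolicies(test.backendTLSPolicies, nil, "test", test.gateway)
+processed := processBackendTLSPolicies(test.backendTLSPolicies, nil, nil, "test", test.gateway)
 
 g.Expect(processed).To(Equal(test.expected))
 })
@@ -404,13 +404,31 @@ func TestValidateBackendTLSPolicy(t *testing.T) {
 },
 }
 
+secretMaps := map[types.NamespacedName]*v1.Secret{
+{Namespace: "test", Name: "test-secret"}: {
+ObjectMeta: metav1.ObjectMeta{
+Name: "test-secret",
+Namespace: "test",
+},
+// FILL IN
+},
+{Namespace: "test", Name: "invalid-secret"}: {
+ObjectMeta: metav1.ObjectMeta{
+Name: "invalid-secret",
+Namespace: "test",
+},
+},
+// FILL IN
+}
+
 configMapResolver := newConfigMapResolver(configMaps)
+secretMapResolver := newSecretResolver(secretMaps)
 
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
 g := NewWithT(t)
 
-valid, ignored, conds := validateBackendTLSPolicy(test.tlsPolicy, configMapResolver, "test")
+valid, ignored, conds := validateBackendTLSPolicy(test.tlsPolicy, configMapResolver, secretMapResolver, "test")
 
 g.Expect(valid).To(Equal(test.isValid))
 g.Expect(ignored).To(Equal(test.ignored))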
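Review bot: The new Secret fixtures at new lines 407–422 are placeholders: both entries carry a `// FILL IN` comment and neither has any Data, and the `tests` table in this hunk gains no case whose CACertificateRef has Kind Secret, so the Secret branch added to validateBackendTLSCACertRef is never exercised. Add at least one valid and one invalid Secret case, populate the valid fixture with the CA bundle data the secret resolver expects (the key it reads is not visible in this diff), and drop the placeholder comments before merging. The second `// FILL IN` at line 421 sits at map level between entries rather than inside one. TestValidateBackendTLSPolicy's table starts before this hunk.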

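--- a/internal/mode/static/state/graph/graph.go
+++ b/internal/mode/static/state/graph/graph.go
@@ -59,7 +59,7 @@ type Graph struct {
 Routes map[RouteKey]*L7Route
 // L4Routes hold L4Route resources.
 L4Routes map[L4RouteKey]*L4Route
-// ReferencedSecrets includes Secrets referenced by Gateway Listeners, including invalid ones.
+// ReferencedSecrets includes Secrets referenced by Gateway Listeners or BackendTLSPolicies, including invalid ones.
 // It is different from the other maps, because it includes entries for Secrets that do not exist
 // in the cluster. We need such entries so that we can query the Graph to determine if a Secret is referenced
 // by the Gateway, including the case when the Secret is newly created.
@@ -230,6 +230,7 @@ func BuildGraph(
 processedBackendTLSPolicies := processBackendTLSPolicies(
 state.BackendTLSPolicies,
 configMapResolver,
+secretResolver,
 controllerName,
 gw,
 )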
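Review bot: The updated comment on line 62 now says ReferencedSecrets includes Secrets referenced by BackendTLSPolicies, but the sentence three lines below still reads `// by the Gateway, including the case when the Secret is newly created.`; change it to `// by the Gateway or a BackendTLSPolicy, including the case when the Secret is newly created.` so the field doc agrees with itself. Whether the secretResolver passed in the second hunk actually records BackendTLSPolicy CA references into ReferencedSecrets is not visible in this diff and is worth confirming, since the comment now promises it and downstream re-sync logic presumably queries this map.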
