Skip to content

feat: Add BackendTLS Policy support #1487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Feb 15, 2024
Merged

feat: Add BackendTLS Policy support #1487

merged 13 commits into from
Feb 15, 2024

Conversation

@ciarams87
Copy link
Contributor

@ciarams87 ciarams87 commented Jan 18, 2024
edited
Loading

Proposed changes

Problem: As a user of NGF
I want NGF to implement the BackendTLSPolicy
So that NGF can securely connect to my pods using TLS.

Solution:

  • Add support for BackendTLSPolicy as outlined in the spec.
  • Add a new experimental features flag, so that the experimental APIs are not required by default.
  • Extend conformance tests to support installing and running against the experimental APIs

Testing: Manual testing, unit testing, conformance testing with and without experimental features enabled (NOTE: no conformance test for Backend TLS policy currently exists - that work is tracked here)

Note: When running the conformance tests with the experimental APIs installed, an unrelated test failed (HTTPRouteInvalidParentRefNotMatchingSectionName). Looks like we have been missing this failure because of a bug in the Gateway API - see https://github.com/nginxinc/nginx-gateway-fabric/actions/runs/7574208095/job/20628086048#step:17:672 for the example output. The fix is to move the check for the existence of a listener for a HTTPRoute above where we check for a port in the ParentRef.

Closes #1262

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@ciarams87 ciarams87 requested review from a team as code owners January 18, 2024 19:41
@github-actions github-actions bot added documentation Improvements or additions to documentation enhancement New feature or request helm-chart Relates to helm chart labels Jan 18, 2024
pleshakov
pleshakov reviewed Jan 19, 2024
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see my comments, requests and suggestions. I haven't reviewed some unit tests code because of the anticipation they might changed because of the changes to the code they test.

@ciarams87 ciarams87 marked this pull request as draft January 19, 2024 17:49
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from c0f4672 to ca31db4 Compare January 19, 2024 19:43
ADubhlaoich
ADubhlaoich approved these changes Jan 22, 2024
View reviewed changes
Copy link
Member

@ADubhlaoich ADubhlaoich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM: specific issues I would have mentioned were already flagged by @pleshakov, so I will avoid redundancy.

Is there a desire for the example to become a documentation how-to use case?

@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch 3 times, most recently from 64cae3f to 077a917 Compare January 31, 2024 16:55
@ciarams87 ciarams87 marked this pull request as ready for review January 31, 2024 17:04
@ciarams87 ciarams87 requested review from a team and pleshakov January 31, 2024 17:04
sjberman
sjberman reviewed Jan 31, 2024
View reviewed changes
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from 907b0f1 to a3dcd42 Compare February 1, 2024 16:31
sjberman
sjberman reviewed Feb 1, 2024
View reviewed changes
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from 65fc3cf to 1bb09fb Compare February 2, 2024 12:11
sjberman
sjberman reviewed Feb 2, 2024
View reviewed changes
@sjberman
Copy link
Collaborator

sjberman commented Feb 2, 2024

@ADubhlaoich will probably want to re-review the new guide that was added.

pleshakov
pleshakov reviewed Feb 3, 2024
View reviewed changes
bjee19
bjee19 reviewed Feb 5, 2024
View reviewed changes
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch 2 times, most recently from b331dc4 to e7dc901 Compare February 7, 2024 22:22
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from e7dc901 to 2b8cbf6 Compare February 8, 2024 10:52
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from c7a9fdd to fb1ac8c Compare February 13, 2024 08:50
pleshakov
pleshakov reviewed Feb 13, 2024
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ciarams87

I added a few suggestions and requests in places where readability could be improved.
I also noticed a bug (panic)
otherwise, this looks good to me

kate-osborn
kate-osborn reviewed Feb 13, 2024
View reviewed changes
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from bf86b9c to facbe81 Compare February 14, 2024 12:10
@ciarams87 ciarams87 mentioned this pull request Feb 14, 2024
Open
kate-osborn
kate-osborn approved these changes Feb 14, 2024
View reviewed changes
Copy link
Contributor

@kate-osborn kate-osborn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@pleshakov pleshakov mentioned this pull request Feb 14, 2024
Merged
6 tasks
@ciarams87 ciarams87 force-pushed the feat/backend-tls-policy branch from c3df833 to 244391d Compare February 15, 2024 09:01
@ciarams87 ciarams87 merged commit 7596bf7 into nginx:main Feb 15, 2024
@ciarams87 ciarams87 deleted the feat/backend-tls-policy branch February 15, 2024 11:38
miledxz added a commit to miledxz/nginx-gateway-fabric that referenced this pull request Jan 14, 2025
@miledxz
feat: Add BackendTLS Policy support (nginx#1487)
b5315a9 
* Add BackendTLS Policy support
@alex-ivascu
Copy link

alex-ivascu commented Oct 16, 2025

Any idea when this functionality will be supported officially and not through experimental features?

@bjee19
Copy link
Contributor

bjee19 commented Oct 16, 2025

Hey @alex-ivascu, as you may know, BackendTLSPolicy support was promoted to the standard release channel in Gateway api v1.4.0. We have an issue tracking our upgrade to Gateway api v1.4.0, which will go out in our 2.3 release sometime early januaray.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjberman sjberman sjberman approved these changes

@ADubhlaoich ADubhlaoich ADubhlaoich approved these changes

@bjee19 bjee19 bjee19 approved these changes

+2 more reviewers

@pleshakov pleshakov pleshakov approved these changes

@kate-osborn kate-osborn kate-osborn approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation enhancement New feature or request helm-chart Relates to helm chart

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BackendTLSPolicy

7 participants

@ciarams87 @sjberman @alex-ivascu @bjee19 @pleshakov @ADubhlaoich @kate-osborn