Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for Secret kind in BackendTLSPolicy's spec.validation.caCertificateRefs[*].kind #6834

Closed
1 task
pmalek opened this issue Dec 13, 2024 · 0 comments · Fixed by #6853
Closed
1 task

Add support for Secret kind in BackendTLSPolicy's spec.validation.caCertificateRefs[*].kind #6834

pmalek opened this issue Dec 13, 2024 · 0 comments · Fixed by #6853
Assignees
@mlavacca
Labels
area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API
Milestone
KIC v3.4.x

Comments

@pmalek
Copy link
Member

pmalek commented Dec 13, 2024

Problem statement

Support for BackendTLSPolicy in 3.4 introduced support for ConfigMap kind in spec.valiadation.caCertificateRefs.

This introduces a gap in implementation between using BackendTLSPolicy and using konghq.com/ca-certificates-secret or konghq.com/ca-certificates-configmap annotations on Service.

ℹ️ Only ConfigMap kind is considered Core as per the Gateway API spec: https://github.com/kubernetes-sigs/gateway-api/blob/26051f587ccaf54823ccfd7eca5cbf2013aa8177/apis/v1alpha3/backendtlspolicy_types.go#L115-L119

Proposed solution

Extend the code in

kubernetes-ingress-controller/internal/controllers/gateway/backendtlspolicy_controller.go

Lines 304 to 317 in 9f0ded8

// Update references to ConfigMaps in the dataplane cache.
referredConfigMapNames := listConfigMapNamesReferredByBackendTLSPolicy(backendTLSPolicy)
if err := ctrlref.UpdateReferencesToSecretOrConfigMap(
ctx,
r.Client,
r.ReferenceIndexers,
r.DataplaneClient,
backendTLSPolicy,
referredConfigMapNames,
&corev1.ConfigMap{}); err != nil {
if apierrors.IsNotFound(err) {
return ctrl.Result{Requeue: true}, nil
}
}
to also handle Secrets

Acceptance criteria

  • As a user I can use Secret in BackendTLSPolicy's spec.validation.caCertificateRefs[*].kind with KIC.
@pmalek pmalek added the area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API label Dec 13, 2024
@pmalek pmalek added this to the KIC v3.5.x milestone Dec 13, 2024
@pmalek pmalek mentioned this issue Dec 13, 2024
Merged
2 tasks
@mlavacca mlavacca self-assigned this Dec 16, 2024
@mlavacca mlavacca modified the milestones: KIC v3.5.x, KIC v3.4.x Dec 16, 2024
@mlavacca mlavacca mentioned this issue Dec 17, 2024
Merged
1 task
@randmonkey randmonkey mentioned this issue Dec 17, 2024
Closed
34 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mlavacca mlavacca

Labels
area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API
Projects
None yet
Milestone
KIC v3.4.x
Development

Successfully merging a pull request may close this issue.

feat: allow Secrets as BackendTLSPolicy CACertificateRefs Kong/kubernetes-ingress-controller
2 participants
@pmalek @mlavacca