adding support for secrets for backendtlspolicy (#3084)

The proposed changes here adds the support for Secrets to be used according to the BackednTLSPolicy Custom Resource. This helps further the implementation of nginx-gateway-fabric to support the Gateway API more.
Problem

Currently BackendTLSPolicy only supports readying in tls certifications and ca certifications via a config map. This does not work when you are using cert-manager for instance since it puts this information into a kubernetes secret rather then a config map.
Solution

The Solution here is to hook into the existing Configuration structure that builds the dataplane nginx configuration that is served in the pod. Allowing for secrets and configmaps to be read into this array of CertBundles.

Author: porthorian

.github/workflows/build.yml

@@ -103,8 +103,8 @@ jobs:
         with:
           context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
           images: |
-            name=ghcr.io/nginx/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
-            name=ghcr.io/nginx/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
             name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}

internal/mode/static/state/change_processor_test.go

@@ -424,6 +424,7 @@ var _ = Describe("ChangeProcessor", func() {
 			var (
 				gcUpdated                                                  *v1.GatewayClass
 				diffNsTLSSecret, sameNsTLSSecret                           *apiv1.Secret
+				diffNsTLSCert, sameNsTLSCert                               *graph.CertificateBundle
 				hr1, hr1Updated, hr2                                       *v1.HTTPRoute
 				gr1, gr1Updated, gr2                                       *v1.GRPCRoute
 				tr1, tr1Updated, tr2                                       *v1alpha2.TLSRoute
@@ -594,8 +595,19 @@ var _ = Describe("ChangeProcessor", func() {
 						apiv1.TLSPrivateKeyKey: key,
 					},
 				}
+				sameNsTLSCert = graph.NewCertificateBundle(
+					types.NamespacedName{Namespace: sameNsTLSSecret.Namespace, Name: sameNsTLSSecret.Name},
+					"Secret",
+					&graph.Certificate{
+						TLSCert:       cert,
+						TLSPrivateKey: key,
+					},
+				)
 
 				diffNsTLSSecret = &apiv1.Secret{
+					TypeMeta: metav1.TypeMeta{
+						Kind: "Secret",
+					},
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "different-ns-tls-secret",
 						Namespace: "cert-ns",
@@ -607,6 +619,15 @@ var _ = Describe("ChangeProcessor", func() {
 					},
 				}
 
+				diffNsTLSCert = graph.NewCertificateBundle(
+					types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+					"Secret",
+					&graph.Certificate{
+						TLSCert:       cert,
+						TLSPrivateKey: key,
+					},
+				)
+
 				gw1 = createGateway(
 					"gateway-1",
 					createHTTPListener(),
@@ -1157,6 +1178,14 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
 						Source: diffNsTLSSecret,
+						CertBundle: graph.NewCertificateBundle(
+							types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+							"Secret",
+							&graph.Certificate{
+								TLSCert:       cert,
+								TLSPrivateKey: key,
+							},
+						),
 					}
 
 					expGraph.ReferencedServices = nil
@@ -1191,6 +1220,14 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
 						Source: diffNsTLSSecret,
+						CertBundle: graph.NewCertificateBundle(
+							types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+							"Secret",
+							&graph.Certificate{
+								TLSCert:       cert,
+								TLSPrivateKey: key,
+							},
+						),
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1211,6 +1248,14 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
 						Source: diffNsTLSSecret,
+						CertBundle: graph.NewCertificateBundle(
+							types.NamespacedName{Namespace: diffNsTLSSecret.Namespace, Name: diffNsTLSSecret.Name},
+							"Secret",
+							&graph.Certificate{
+								TLSCert:       cert,
+								TLSPrivateKey: key,
+							},
+						),
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1221,7 +1266,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(trServiceRefGrant)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1232,7 +1278,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(gatewayAPICRDUpdated)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					expGraph.GatewayClass.Conditions = conditions.NewGatewayClassSupportedVersionBestEffort(
@@ -1249,7 +1296,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(gatewayAPICRDSameVersion)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					expGraph.GatewayClass.Conditions = conditions.NewGatewayClassSupportedVersionBestEffort(
@@ -1268,7 +1316,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(gatewayAPICRD)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1284,7 +1333,8 @@ var _ = Describe("ChangeProcessor", func() {
 					listener80 := getListenerByName(expGraph.Gateway, httpListenerName)
 					listener80.Routes[httpRouteKey1].Source.SetGeneration(hr1Updated.Generation)
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1301,7 +1351,8 @@ var _ = Describe("ChangeProcessor", func() {
 					listener80 := getListenerByName(expGraph.Gateway, httpListenerName)
 					listener80.Routes[grpcRouteKey1].Source.SetGeneration(gr1Updated.Generation)
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1315,7 +1366,8 @@ var _ = Describe("ChangeProcessor", func() {
 					tlsListener.L4Routes[trKey1].Source.SetGeneration(tr1Updated.Generation)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1327,7 +1379,8 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.Gateway.Source.Generation = gw1Updated.Generation
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1339,7 +1392,8 @@ var _ = Describe("ChangeProcessor", func() {
 
 					expGraph.GatewayClass.Source.Generation = gcUpdated.Generation
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1350,7 +1404,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(diffNsTLSSecret)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1359,7 +1414,8 @@ var _ = Describe("ChangeProcessor", func() {
 			When("no changes are captured", func() {
 				It("returns nil graph", func() {
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					changed, graphCfg := processor.Process()
@@ -1373,7 +1429,8 @@ var _ = Describe("ChangeProcessor", func() {
 					processor.CaptureUpsertChange(sameNsTLSSecret)
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					changed, graphCfg := processor.Process()
@@ -1390,7 +1447,8 @@ var _ = Describe("ChangeProcessor", func() {
 						{Namespace: "test", Name: "gateway-2"}: gw2,
 					}
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1413,7 +1471,8 @@ var _ = Describe("ChangeProcessor", func() {
 						FailedCondition:   staticConds.NewRouteNotAcceptedGatewayIgnored(),
 					}
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1447,7 +1506,8 @@ var _ = Describe("ChangeProcessor", func() {
 					}
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1487,7 +1547,8 @@ var _ = Describe("ChangeProcessor", func() {
 					}
 
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(diffNsTLSSecret)] = &graph.Secret{
-						Source: diffNsTLSSecret,
+						Source:     diffNsTLSSecret,
+						CertBundle: diffNsTLSCert,
 					}
 
 					processAndValidateGraph(expGraph)
@@ -1534,7 +1595,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1585,7 +1647,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1629,7 +1692,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
@@ -1670,7 +1734,8 @@ var _ = Describe("ChangeProcessor", func() {
 					sameNsTLSSecretRef := helpers.GetPointer(client.ObjectKeyFromObject(sameNsTLSSecret))
 					listener443.ResolvedSecret = sameNsTLSSecretRef
 					expGraph.ReferencedSecrets[client.ObjectKeyFromObject(sameNsTLSSecret)] = &graph.Secret{
-						Source: sameNsTLSSecret,
+						Source:     sameNsTLSSecret,
+						CertBundle: sameNsTLSCert,
 					}
 
 					expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName = types.NamespacedName{}