Support for TLS Functionality with Gateway API via Workload Identity #306

jaiveerk · 2024-10-28T16:26:17Z

Description

This PR adds support for a managed TLS experience with the Gateway API via workload identity.

Fixes # (issue)
Feature # (details)

Type of change

Please delete options that are not relevant.

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
This change requires a documentation update

How Has This Been Tested?

Unit tests. e2e tests will be added after DNS functionality has been merged.

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. Is it a breaking change which will impact consuming tool(s)?

Checklist:

My code follows the style guidelines of this project
I have performed a self-review of my code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
My changes generate no new warnings
I have added tests that prove my fix is effective or that my feature works
New and existing unit tests pass locally with my changes
Any dependent changes have been merged and published in downstream modules

pkg/controller/controller.go

pkg/controller/keyvault/gateway_kv_serviceaccount.go

pkg/controller/keyvault/gateway_secret_provider_class.go

pkg/controller/keyvault/kv_util.go

jaiveerk · 2024-11-12T19:28:02Z

/ok-to-test sha=03d8910

jaiveerk · 2024-11-12T19:59:10Z

/ok-to-test sha=0474374

jaiveerk · 2024-11-13T14:27:18Z

/ok-to-test sha=908e6c3

pkg/controller/keyvault/gateway_secret_provider_class.go

OliverMKing · 2024-11-14T15:15:03Z

pkg/controller/keyvault/gateway_secret_provider_class.go

+
+		if listenerIsKvEnabled(listener) {
+			var clientId string
+			clientId, err = retrieveClientIdFromListener(ctx, g.client, req.Namespace, listener.TLS.Options)


the client id should come from the SA.

We need some way of triggering a reconcile if the SA changes their client id too

done via sa indexer

OliverMKing · 2024-11-14T18:08:13Z

pkg/controller/keyvault/gateway_index.go

+		}
+
+		gateways := &gatewayv1.GatewayList{}
+		err := mgr.GetClient().List(context.TODO(), gateways, client.MatchingFields{serviceAccountIndexName: sa.Name})


need to consider namespaces

OliverMKing · 2024-11-14T18:08:24Z

pkg/controller/keyvault/gateway_index.go

+
+	saSet := map[string]struct{}{}
+
+	for _, listener := range gateway.Spec.Listeners {


need to consider namespaces

we consider namespaces when requeuing requests for Gateways - see line 60.

All we can do within this function is pull names from the Gateway resources - verification via the client naturally happens when we're grabbing the actual gateways tied to each serviceaccount

OliverMKing · 2024-12-10T19:19:40Z

/ok-to-test sha=2c034aa

jaiveerk added 10 commits October 17, 2024 17:26

wip

e634b35

wip

897ad49

placeholder logic

b9d37c0

wip

48b3c34

wip

0f22e2c

UTs progress

cd548cb

compiling

576ec28

uts passing, need some for placeholder pod logic

f632fe8

added uts for multi listener too

93586c0

wip

f80c8a9

jaiveerk changed the title ~~Support for TLS Functionality with Gateway API via Workload Identity~~ [Draft] Support for TLS Functionality with Gateway API via Workload Identity Oct 28, 2024