route to https backends using ingress

[asoorm]

By default, we have hardcoded Tyk's Ingress controller to only route to http backends. This is standard practice for K8s ingress.

api.Spec.Proxy.TargetURL = fmt.Sprintf("http://%s.%s.svc.cluster.local:%d", p.Backend.ServiceName, namespacedName.Namespace, p.Backend.ServicePort.IntValue())

If Tyk is providing ingress to a service mesh, such as OSM, or ISTIO - it may be necessary to have the ingress route to a https backend. example:

https://github.com/openservicemesh/osm/blob/main/docs/patterns/ingress.md#exposing-an-http-or-https-service-using-ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: bookstore-v1
  namespace: bookstore-ns
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_ssl_name "bookstore-v1.bookstore-ns.svc.cluster.local";
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "osm-system/osm-ca-bundle"
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on" # optional
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
spec:
  rules:
  - host: bookstore-v1.bookstore-ns.svc.cluster.local
    http:
      paths:
      - path: /books-bought
        backend:
          serviceName: bookstore-v1
          servicePort: 80

Given that we cannot specify https backend protocol with Ingress, and the Tyk - and the API Definition resource doesn't support specifying the protocol separately, only expecting TargetURL - we cannot enable routing to https backends.

API Definition Controller:

We might be able to get around this by implementing #180 and adding a protocol field to the k8s_service object.

proxy:
  k8s_service:
    namespace: default
    name: httpbin
    protocol: https <-------- here
    port:
      number: 8443

When the Api Definition reconciler sees protocol: https it will know how to reconstruct the URL for the upstream service.

ApiDefinition Ingress Template:

When the Ingress Controller generates the API Definition object, it will do so based on the ingress template. And the ingress template will be as per:

So using the backend object from the ingress, plus the optional protocol from the ingress template - we should be able to safely determine the upstream protocol and then leave it to the ApiDefinition controller to reconstruct the URL.

---

The next step would be how can we dynamically load the root certificate of the service mesh into Tyk's certificate manager, and use this as a trusted certificate for the upstream.

Any thoughts @buger @excieve @gernest