Support gateway api BackendTLSPolicy

The BackendTLSPolicy will allow a user to connect an httproute to a
backend service with TLS.

- Only implements BackendTLSPolicy for HTTPRoute
- Only allows Services for spec.targetRef
- Allows ConfigMap or Secret for spec.TLS.CACertRefs
- Adds backendtlspolicies to the ClusterRole for Contour
- Adds configmaps to the ClusterRole for Contour
- Controller reconciles on BackendTLSPolicy and ConfigMaps now
- BackendTLSPolicy spec.targetRef can specify SectionName to be port
  name of a service to target a particular section of the service.

Co-authored-by: Christian Ang <christian.ang@broadcom.com>
Signed-off-by: Edwin Xie <edwin.xie@broadcom.com>

cmd/contour/serve.go

@@ -639,6 +639,10 @@ func (s *Server) doServe() error {
 		s.log.WithError(err).WithField("resource", "secrets").Fatal("failed to create informer")
 	}
 
+	if err := s.informOnResource(&corev1.ConfigMap{}, handler); err != nil {
+		s.log.WithError(err).WithField("resource", "configmaps").Fatal("failed to create informer")
+	}
+
 	// Inform on endpoints/endpointSlices.
 	if contourConfiguration.FeatureFlags.IsEndpointSliceEnabled() {
 		if err := s.informOnResource(&discoveryv1.EndpointSlice{}, &contour.EventRecorder{
@@ -1053,9 +1057,10 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto
 
 		// Some features may be disabled.
 		features := map[string]struct{}{
-			"tlsroutes":  {},
-			"grpcroutes": {},
-			"tcproutes":  {},
+			"tlsroutes":        {},
+			"grpcroutes":       {},
+			"tcproutes":        {},
+			"backendtlspolicy": {},
 		}
 		for _, f := range s.ctx.disabledFeatures {
 			delete(features, f)
@@ -1087,6 +1092,13 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto
 			}
 		}
 
+		// Create and register the TCPRoute controller with the manager.
+		if _, enabled := features["backendtlspolicy"]; enabled {
+			if err := controller.RegisterBackendTLSPolicyController(s.log.WithField("context", "backendtlspolicy-controller"), mgr, eventHandler); err != nil {
+				s.log.WithError(err).Fatal("failed to create backendtlspolicy-controller")
+			}
+		}
+
 		// Inform on ReferenceGrants.
 		if err := s.informOnResource(&gatewayapi_v1beta1.ReferenceGrant{}, eventHandler); err != nil {
 			s.log.WithError(err).WithField("resource", "referencegrants").Fatal("failed to create informer")

examples/contour/02-role-contour.yaml

@@ -10,6 +10,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -29,6 +30,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -43,6 +45,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
   - grpcroutes/status

examples/gateway-provisioner/01-roles.yaml

@@ -10,6 +10,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -70,15 +71,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
-  - gatewayclasses
-  - gateways
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -93,19 +86,29 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
+  - grpcroutes/status
+  - httproutes/status
+  - tcproutes/status
+  - tlsroutes/status
   verbs:
   - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
   - gatewayclasses/status
   - gateways/status
-  - grpcroutes/status
-  - httproutes/status
-  - tcproutes/status
-  - tlsroutes/status
   verbs:
   - update
 - apiGroups:

examples/render/contour-deployment.yaml

@@ -8839,6 +8839,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -8858,6 +8859,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -8872,6 +8874,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
   - grpcroutes/status

examples/render/contour-gateway-provisioner.yaml

@@ -19779,6 +19779,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -19839,15 +19840,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
-  - gatewayclasses
-  - gateways
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -19862,19 +19855,29 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
+  - grpcroutes/status
+  - httproutes/status
+  - tcproutes/status
+  - tlsroutes/status
   verbs:
   - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
   - gatewayclasses/status
   - gateways/status
-  - grpcroutes/status
-  - httproutes/status
-  - tcproutes/status
-  - tlsroutes/status
   verbs:
   - update
 - apiGroups:

examples/render/contour-gateway.yaml

@@ -8842,6 +8842,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -8861,6 +8862,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -8875,6 +8877,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
   - grpcroutes/status

examples/render/contour.yaml

@@ -8839,6 +8839,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - endpoints
   - namespaces
   - secrets
@@ -8858,6 +8859,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
   - grpcroutes
@@ -8872,6 +8874,7 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
   - grpcroutes/status

internal/controller/backendtlspolicy.go

@@ -0,0 +1,77 @@
+// Copyright Project Contour Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+	"context"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/client-go/tools/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+	gatewayapi_v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+type backendTLSPolicyReconciler struct {
+	client       client.Client
+	eventHandler cache.ResourceEventHandler
+	logrus.FieldLogger
+}
+
+// RegisterBackendTLSPolicyController creates the backendtlspolicy controller from mgr. The controller will be pre-configured
+// to watch for BackendTLSPolicy objects across all namespaces.
+func RegisterBackendTLSPolicyController(log logrus.FieldLogger, mgr manager.Manager, eventHandler cache.ResourceEventHandler) error {
+	r := &backendTLSPolicyReconciler{
+		client:       mgr.GetClient(),
+		eventHandler: eventHandler,
+		FieldLogger:  log,
+	}
+	c, err := controller.NewUnmanaged("backendtlspolicy-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+	if err := mgr.Add(&noLeaderElectionController{c}); err != nil {
+		return err
+	}
+
+	return c.Watch(source.Kind(mgr.GetCache(), &gatewayapi_v1alpha2.BackendTLSPolicy{}), &handler.EnqueueRequestForObject{})
+}
+
+func (r *backendTLSPolicyReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+
+	// Fetch the BackendTLSPolicy from the cache.
+	backendTLSPolicy := &gatewayapi_v1alpha2.BackendTLSPolicy{}
+	err := r.client.Get(ctx, request.NamespacedName, backendTLSPolicy)
+	if errors.IsNotFound(err) {
+		r.eventHandler.OnDelete(&gatewayapi_v1alpha2.BackendTLSPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      request.Name,
+				Namespace: request.Namespace,
+			},
+		})
+		return reconcile.Result{}, nil
+	}
+
+	// Pass the new changed object off to the eventHandler.
+	r.eventHandler.OnAdd(backendTLSPolicy, false)
+
+	return reconcile.Result{}, nil
+}

internal/controller/controller_test.go

@@ -45,6 +45,9 @@ func TestRegisterControllers(t *testing.T) {
 		"grpcroute controller": func(mockManager *mocks.Manager) error {
 			return controller.RegisterGRPCRouteController(fixture.NewTestLogger(t), mockManager, nil)
 		},
+		"backendtlspolicy controller": func(mockManager *mocks.Manager) error {
+			return controller.RegisterBackendTLSPolicyController(fixture.NewTestLogger(t), mockManager, nil)
+		},
 	}
 
 	for name, test := range tests {