Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: convert BackendTLSPolicies into service annotations #6753

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

feat: convert BackendTLSPolicies into service annotations #6753

wants to merge 12 commits into from
+1,195 −250

Conversation

mlavacca
Copy link
Member

@mlavacca mlavacca commented Dec 2, 2024
edited by pmalek
Loading

What this PR does / why we need it:

This PR completes the logic needed to implement BackendTLSPolicy. The following 3 main parts have been implemented:

  • completed the BackendTLSPolicy controller by validating the policy and setting the Accepted condition accordingly.
  • completed the dataplane part, where all the BackendTLSPolicy features have been converted into the proper set of service annotations.
  • implemented the configMap controller, as the CACertificates referenced by the policies need to be set in configMaps by the specification.

Which issue this PR fixes:

Part of #6631

Special notes for your reviewer:

Integration and env tests are still missing as the PR size is already big enough. The next PR will be the last one, where I'll implement such tests and close #6631.

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch from 03b4d14 to 9d8d427 Compare December 2, 2024 17:06
@mlavacca mlavacca changed the title feat: convert BackendTLSPolicies into service anns feat: convert BackendTLSPolicies into service annotations Dec 2, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 2, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 46.30435% with 247 lines in your changes missing coverage. Please review.

Project coverage is 79.4%. Comparing base (f343327) to head (cc5ad38).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
internal/dataplane/translator/ingressrules.go 20.0% 54 Missing and 2 partials ⚠️
.../controllers/configuration/configmap_controller.go 35.0% 45 Missing and 5 partials ⚠️
...rnal/controllers/gateway/backendtlspolicy_utils.go 51.8% 36 Missing and 2 partials ⚠️
internal/controllers/reference/reference.go 46.1% 25 Missing and 3 partials ⚠️
internal/store/store.go 39.1% 25 Missing and 3 partials ⚠️
...controllers/gateway/backendtlspolicy_controller.go 11.1% 24 Missing ⚠️
internal/annotations/annotations.go 34.7% 15 Missing ⚠️
internal/store/fake_store.go 42.8% 3 Missing and 1 partial ⚠️
internal/dataplane/translator/translate_cacerts.go 91.1% 2 Missing and 1 partial ⚠️
internal/controllers/gateway/gateway_controller.go 87.5% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##            main   #6753     +/-   ##
=======================================
+ Coverage   77.7%   79.4%   +1.7%     
=======================================
  Files        207     208      +1     
  Lines      24681   25051    +370     
=======================================
+ Hits       19181   19911    +730     
+ Misses      4523    4130    -393     
- Partials     977    1010     +33

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pull-request-size pull-request-size bot added size/L and removed size/M labels Dec 5, 2024
@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch from 250d107 to 343d922 Compare December 5, 2024 10:59
@pull-request-size pull-request-size bot added size/XL and removed size/L labels Dec 5, 2024
@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch from c74c408 to 7800ee4 Compare December 5, 2024 11:23
@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch 7 times, most recently from de488b5 to c095f6b Compare December 6, 2024 15:51
@mlavacca mlavacca marked this pull request as ready for review December 6, 2024 16:26
@mlavacca mlavacca requested a review from a team as a code owner December 6, 2024 16:26
@mlavacca
Copy link
Member Author

mlavacca commented Dec 6, 2024
edited
Loading

Note for the reviewers: take a look at the PR description where I've put some notes about what has been implemented and what's still missing.

@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch from 7453d19 to ef08584 Compare December 9, 2024 11:32
@mlavacca mlavacca mentioned this pull request Dec 9, 2024
Draft
1 task
randmonkey
randmonkey reviewed Dec 10, 2024
View reviewed changes
internal/controllers/configuration/configmap_controller.go Outdated
CacheSyncTimeout: r.CacheSyncTimeout,
}).
Watches(&corev1.ConfigMap{},
&handler.EnqueueRequestForObject{},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add an explicit limit on ConfigMaps to watch by labels to prevent potential excessive memory consumption to look at all ConfigMaps, or provide an option to add such filter, as Jintao did for Secrets?
The total number of ConfigMaps could be very large and most of them would not be relevant.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, I'll add it 👍

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

7cb9153

internal/controllers/gateway/backendtlspolicy_utils.go Outdated Show resolved Hide resolved
internal/controllers/reference/reference.go Outdated Show resolved Hide resolved
@mlavacca
feat: convert BackendTLSPolicies into service anns
f2d83d6 
All the BackendTLSPolicies are converted into a set of annotations that
are already supported by KIC.

Signed-off-by: Mattia Lavacca <[email protected]>
@mlavacca
chore: CHANGELOG entry added
3862656 
Signed-off-by: Mattia Lavacca <[email protected]>
@mlavacca
address review comments
ecd4668 
Signed-off-by: Mattia Lavacca <[email protected]>
@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch from 8e87773 to ecd4668 Compare December 10, 2024 11:43
programmer04
programmer04 reviewed Dec 10, 2024
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
CHANGELOG.md Show resolved Hide resolved
internal/controllers/gateway/backendtlspolicy_utils.go Outdated Show resolved Hide resolved
internal/controllers/gateway/backendtlspolicy_utils.go Outdated Show resolved Hide resolved
internal/controllers/reference/reference.go Outdated Show resolved Hide resolved
internal/dataplane/translator/translate_cacerts.go Outdated Show resolved Hide resolved
internal/dataplane/translator/translate_cacerts.go Outdated
Comment on lines 67 to 77
// Allow the certificate key to be named either "cert" or "ca.crt"
caCertbytes, certExists := certConfigMap.Data["cert"]
if !certExists {
caCertbytes, certExists = certConfigMap.Data["ca.crt"]
if !certExists {
relatedObjects := getPluginsAssociatedWithCACertSecret(certID, t.storer)
relatedObjects = append(relatedObjects, certConfigMap.DeepCopy())
t.registerTranslationFailure(fmt.Sprintf(`invalid configmap CA certificate %s/%s, neither "cert" nor "ca.crt" key exist`, certConfigMap.Namespace, certConfigMap.Name), relatedObjects...)
continue
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is basically the same as 37:47. Maybe it's worth having a common helper for this? WDYT?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I agree. I've refactored the function in 4ab2f38

internal/store/fake_store.go Outdated Show resolved Hide resolved
internal/store/store.go Outdated Show resolved Hide resolved
internal/store/store.go Outdated Show resolved Hide resolved
pmalek
pmalek reviewed Dec 10, 2024
View reviewed changes
internal/annotations/annotations.go Outdated Show resolved Hide resolved
internal/annotations/annotations.go Outdated Show resolved Hide resolved
internal/annotations/annotations.go Outdated Show resolved Hide resolved
examples/ingress-upstream-tls.yaml Outdated Show resolved Hide resolved
internal/annotations/annotations.go Outdated Show resolved Hide resolved
internal/controllers/reference/reference.go Outdated Show resolved Hide resolved
internal/dataplane/translator/ingressrules.go Outdated Show resolved Hide resolved
internal/controllers/reference/reference.go Outdated Show resolved Hide resolved
mlavacca and others added 3 commits December 10, 2024 15:30
@mlavacca @programmer04 @pmalek
Apply suggestions from code review
17feeb9 
Co-authored-by: Jakub Warczarek <[email protected]>
Co-authored-by: Patryk Małek <[email protected]>
@mlavacca @programmer04
Update internal/controllers/reference/reference.go
b6c8750 
Co-authored-by: Jakub Warczarek <[email protected]>
@mlavacca
address reviews comments
435c38c 
Signed-off-by: Mattia Lavacca <[email protected]>
@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch 4 times, most recently from 6159e82 to 1a392ac Compare December 10, 2024 16:33
@mlavacca mlavacca force-pushed the backendtlspolicy-customize-services branch from 1a392ac to de81f12 Compare December 10, 2024 16:41
pmalek
pmalek reviewed Dec 10, 2024
View reviewed changes
CHANGELOG.md Show resolved Hide resolved
docs/cli-arguments.md Outdated Show resolved Hide resolved
@pmalek pmalek added this to the KIC v3.4.x milestone Dec 10, 2024
pmalek
pmalek reviewed Dec 10, 2024
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
internal/controllers/configuration/object_references.go Outdated Show resolved Hide resolved
internal/controllers/gateway/backendtlspolicy_controller.go Outdated Show resolved Hide resolved
internal/controllers/gateway/gateway_controller.go Outdated Show resolved Hide resolved
internal/controllers/reference/reference.go Outdated Show resolved Hide resolved
internal/controllers/reference/reference.go Outdated Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmalek pmalek pmalek approved these changes

@randmonkey randmonkey Awaiting requested review from randmonkey

@programmer04 programmer04 Awaiting requested review from programmer04

Assignees

@mlavacca mlavacca

Labels
size/XXL
Projects
None yet
Milestone
KIC v3.4.x
Development

Successfully merging this pull request may close these issues.

Support attaching BackendTLSPolicy to Gateway API Services
4 participants
@mlavacca @pmalek @programmer04 @randmonkey