Fix handling of SSL

[ca-scribner]

This PR updates the EnvoyFilter definition to always apply auth to both http and https traffic, regardless of which is currently enabled in the Gateway. This is to prevent the possibility of these objects going out of sync (eg: Gateway allowing traffic on one port, and EnvoyFilter applying Auth on traffic through the other port), which could have occurred if the charm succeeded in updating one of those objects but failed to update the other (due to an error or incompatible settings). By always applying the EnvoyFilter to all traffic, this possibility is prevented.

This PR came from an attempt to address canonical/bundle-kubeflow#570, which showed our previously was misconfiguring the EnvoyFilter when using SSL. It was reported that we incorrectly applied the EnvoyFilter only to http traffic and not https traffic. Reproducing canonical/bundle-kubeflow#570 was a challenge, partly because the charm has gone through recent rewrites that might have fixed the issue. The specific cause of canonical/bundle-kubeflow#570 could not be confirmed. It may be fixed by this PR, but that is unclear. More discussion on this is in this thread.

Closes canonical/bundle-kubeflow#570

Testing instructions

# pack the modified charm (from this PR)
cd charms/istio-pilot
charmcraft pack

# deploy istio, dex/oidc, and the dashboard to have something to browse to.  
# For the initial deployment, do this without certs/using http
juju deploy ./istio-pilot_ubuntu-20.04-amd64.charm --trust
juju deploy istio-gateway --channel=1.15/stable --trust --config kind=ingress istio-ingressgateway
juju relate istio-pilot istio-ingressgateway

juju deploy dex-auth --channel=2.31/stable --trust --config static-username=user --config static-password=user --config public-url=http://10.64.140.43.nip.io
juju deploy oidc-gatekeeper --channel ckf-1.7/stable --config public-url=http://10.64.140.43.nip.io
juju relate istio-pilot:ingress dex-auth:ingress
juju relate dex-auth:oidc-client oidc-gatekeeper:oidc-client
juju relate istio-pilot:ingress oidc-gatekeeper:ingress
juju relate istio-pilot:ingress-auth oidc-gatekeeper:ingress-auth

juju deploy kubeflow-profiles --channel=1.7/stable --trust
juju deploy kubeflow-dashboard --channel=1.7/stable --trust
juju relate kubeflow-profiles kubeflow-dashboard
juju relate kubeflow-dashboard:ingress istio-pilot:ingress

# Check whether everything works as expected
# try to connect to 
# * http://10.64.140.43.nip.io/: redirected to dex login 
# * http://10.64.140.43.nip.io/dex/.well-known/openid-configuration: works
# * https://10.64.140.43.nip.io/: cannot be reached
# * https://10.64.140.43.nip.io/dex/.well-known/openid-configuration: cannot be reached
# http all works, https all does not, as expected

# Set up SSL by creating a self-signed cert.  Note:
# * if you used a real cert, you wouldn't have to update the oidc-gatekeeper ca-bundle. 
# * you must have a common name and SAN in the self-signed cert

openssl req -nodes -new -x509 \
 -subj "/CN=10.64.140.43.nip.io" \
 -addext "subjectAltName = DNS:10.64.140.43.nip.io" \
 -keyout server-san.key -out server-san.cert 

juju config istio-pilot ssl-crt="$(cat server-san.cert | base64 -w0)"
juju config istio-pilot ssl-key="$(cat server-san.key | base64 -w0)" 

juju config dex-auth public-url=https://10.64.140.43.nip.io

# Because oidc for 1.7 does not restart its workload if you change the ca-bundle, we remove and redeploy it
juju remove-application oidc-gatekeeper
juju deploy oidc-gatekeeper --channel ckf-1.7/stable --config public-url=https://10.64.140.43.nip.io --config ca-bundle="$(cat server-san.cert)"

# Re-relate oidc
juju relate dex-auth:oidc-client oidc-gatekeeper:oidc-client
juju relate istio-pilot:ingress oidc-gatekeeper:ingress
juju relate istio-pilot:ingress-auth oidc-gatekeeper:ingress-auth

# wait for oidc/dex-auth to do their thing...

# Check whether everything works.  Now, we should only be able to reach http urls, not https
# * http://10.64.140.43.nip.io/: cannot be reached
# * http://10.64.140.43.nip.io/dex/.well-known/openid-configuration: cannot be reached
# * https://10.64.140.43.nip.io: warning about insecure cert, then redirected to dex login
# * https://10.64.140.43.nip.io/dex/.well-known/openid-configuration: warning about insecure cert, then it works

[DnPlas]

Thanks @ca-scribner ! Some comments.

[i-chvets]

My only comment would be to move testing insructions into related issue instead of PR.

[ca-scribner]

Good call @i-chvets - I'll make an issue, add the steps, and close the issue.

edit: done -> #280

[DnPlas]

Thanks @ca-scribner, LGTM