Skip to content
This repository has been archived by the owner on Mar 19, 2024. It is now read-only.

Require ReferencePolicy for certificateRef in other namespace #154

Merged
merged 10 commits into from
May 27, 2022
Merged

Require ReferencePolicy for certificateRef in other namespace #154

merged 10 commits into from
May 27, 2022

Conversation

nathancoleman
Copy link
Member

@nathancoleman nathancoleman commented Apr 20, 2022
edited
Loading

Changes proposed in this PR:

When a listener on a Gateway contains a certificateRef from a different namespace, require applicable ReferencePolicy. The expectations for the listener status in the scenario are described here.

Example 
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: example-gateway
  namespace: default
spec:
  gatewayClassName: consul-api-gateway
  listeners:
  - protocol: HTTPS
    port: 8443
    name: https
    allowedRoutes:
      namespaces:
        from: Same
    tls:
      certificateRefs:
        - name: consul-server-cert
          namespace: consul
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferencePolicy
metadata:
  name: secret-reference-policy
  namespace: consul
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: default
  to:
    - group: ""
      kind: Secret

How I've tested this PR:

Deployed the API Gateway using this build and added certificateRefs across namespaces and within the same namespaces, both with and without an applicable ReferencePolicy in place.

How I expect reviewers to test this PR:

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use imperative present tense (e.g. Add support for...)

@nathancoleman nathancoleman marked this pull request as ready for review April 21, 2022 19:12
nathancoleman
nathancoleman commented Apr 21, 2022
View reviewed changes
Copy link
Member Author

@nathancoleman nathancoleman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personal Review

internal/k8s/reconciler/listener_test.go
// protocols
listener := NewK8sListener(&gw.Gateway{}, gw.Listener{}, K8sListenerConfig{
Logger: hclog.NewNullLogger(),
t.Run("Unsupported protocol", func(t *testing.T) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes in this file are an attempt at breaking up the test into subtests so that it's easier to understand what's happening where. The only new test logic is in the subtests whose name mentions "cross-namespace" secret refs.

.changelog/154.txt Show resolved Hide resolved
internal/k8s/reconciler/utils.go
//
// For example, a Gateway in namespace "foo" may only reference a Secret in namespace "bar"
// if a ReferencePolicy in namespace "bar" allows references from namespace "foo".
func referenceAllowed(ctx context.Context, fromGK metav1.GroupKind, fromNamespace string, toGK metav1.GroupKind, toNamespace, toName string, c gatewayclient.Client) (bool, error) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The diff here is kinda hard to read, but this function just contains the shared logic for checking existence of an applicable ReferencePolicy that we already had for xRoute->Backend.

internal/k8s/reconciler/utils.go
serviceID := fmt.Sprintf("%s/%s", name, parentNamespace)
// getNamespacedName returns types.NamespacedName defaulted to a parent
// namespace in the case where the provided namespace is nil.
func getNamespacedName(name gw.ObjectName, namespace *gw.Namespace, parentNamespace string) types.NamespacedName {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I needed a log-friendly name for secrets and generalized this function rather than duplicating it

@nathancoleman nathancoleman marked this pull request as draft April 26, 2022 15:57
@nathancoleman
Copy link
Member Author

Holding for inclusion in our v0.3.0 release

@nathancoleman nathancoleman marked this pull request as ready for review April 28, 2022 15:44
mikemorris
mikemorris suggested changes May 13, 2022
View reviewed changes
Copy link
Contributor

@mikemorris mikemorris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there's a minor logic error in the refPolicy.Spec.To loop in referenceAllowed, aside from that LGTM.

.changelog/154.txt Outdated Show resolved Hide resolved
internal/k8s/reconciler/listener_test.go Outdated Show resolved Hide resolved
internal/k8s/reconciler/utils.go Outdated Show resolved Hide resolved
internal/k8s/reconciler/utils.go
route.GroupVersionKind().Kind == string(from.Kind) &&
route.GetNamespace() == string(from.Namespace) {
validFrom = true
if fromGK.Group == string(from.Group) && fromGK.Kind == string(from.Kind) && fromNamespace == string(from.Namespace) {
Copy link
Contributor

@mikemorris mikemorris May 13, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know the gateway certificate and route functions wrapping this set the appropriate default Kind already, but it might be good to implement the common logic for converting from Group "" to core/v1 here (and inrefPolicy.Spec.To loop) to correctly match if it's specified explicitly anywhere?

@nathancoleman @mikemorris
Apply suggestions from code review
1c5856b 
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
@nathancoleman nathancoleman merged commit adc42cd into main May 27, 2022
@nathancoleman nathancoleman deleted the secret-reference-policy branch May 27, 2022 20:45
This pull request was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mikemorris mikemorris mikemorris approved these changes

@sarahalsmiller sarahalsmiller Awaiting requested review from sarahalsmiller

@andrewstucki andrewstucki Awaiting requested review from andrewstucki

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nathancoleman @mikemorris