Merge pull request #14 from puertomontt/backend-tls

backend tls

Author: puertomontt

pkg/i2gw/implementations/kgateway/README.md

@@ -84,6 +84,12 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/auth-type`: Must be set to `"basic"` to enable basic authentication. Maps to `TrafficPolicy.spec.basicAuth`.
 - `nginx.ingress.kubernetes.io/auth-secret`: Specifies the secret containing basic auth credentials in `namespace/name` format (or just `name` if in the same namespace). Maps to `TrafficPolicy.spec.basicAuth.secretRef.name`.
 
+### Backend TLS
+
+- `nginx.ingress.kubernetes.io/proxy-ssl-secret`: Maps to `BackendConfigPolicy.spec.tls.secretRef`
+- `nginx.ingress.kubernetes.io/proxy-ssl-verify`: Maps to `BackendConfigPolicy.spec.tls.insecureSkipVerify` (inverted: `"on"` = `false`, `"off"` = `true`)
+- `nginx.ingress.kubernetes.io/proxy-ssl-name`: Maps to `BackendConfigPolicy.spec.tls.sni` (automatically enables SNI)
+
 ### Access Logging
 
 - `nginx.ingress.kubernetes.io/enable-access-log`: If enabled, will create an HTTPListenerPolicy that will configure a basic policy for envoy access logging. Maps to `HTTPListenerPolicy.spec.accessLog[].fileSink`. This can be further customized as needed, see [docs](https://kgateway.dev/docs/envoy/2.0.x/security/access-logging/).

pkg/i2gw/implementations/kgateway/backend_tls.go

@@ -0,0 +1,139 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"strings"
+
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1/shared"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applyBackendTLSPolicy projects the BackendTLS IR policy into one or more
+// Kgateway BackendConfigPolicies.
+//
+// Semantics:
+//   - We create at most one BackendConfigPolicy per Service.
+//   - That policy's Spec.TLS is configured with client certificates, CA certificates,
+//     SNI hostname, and verification settings from the Policy.BackendTLS.
+//   - TargetRefs are populated with all core Service backends that this Policy covers
+//     (based on RuleBackendSources).
+func applyBackendTLSPolicy(
+	pol intermediate.Policy,
+	httpRouteKey types.NamespacedName,
+	httpRouteCtx intermediate.HTTPRouteContext,
+	backendCfg map[types.NamespacedName]*kgateway.BackendConfigPolicy,
+) bool {
+	if pol.BackendTLS == nil {
+		return false
+	}
+
+	backendTLS := pol.BackendTLS
+
+	// Parse secret name (format: "namespace/secretName" or just "secretName")
+	// Note: LocalObjectReference doesn't support namespace, so the secret
+	// must be in the same namespace as the BackendConfigPolicy
+	secretName := backendTLS.SecretName
+	if parts := strings.SplitN(backendTLS.SecretName, "/", 2); len(parts) == 2 {
+		// If namespace is specified but different from policy namespace, use just the secret name
+		// and assume it's in the same namespace as the policy
+		secretName = parts[1]
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule >= len(httpRouteCtx.Spec.Rules) {
+			continue
+		}
+		rule := httpRouteCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := rule.BackendRefs[idx.Backend]
+
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+		if svcName == "" {
+			continue
+		}
+
+		svcKey := types.NamespacedName{
+			Namespace: httpRouteKey.Namespace,
+			Name:      svcName,
+		}
+
+		// Create or reuse BackendConfigPolicy per Service
+		bcp, exists := backendCfg[svcKey]
+		if !exists {
+			// Use a generic name that works for all backend config features
+			policyName := svcName + "-backend-config"
+			bcp = &kgateway.BackendConfigPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      policyName,
+					Namespace: httpRouteKey.Namespace,
+				},
+				Spec: kgateway.BackendConfigPolicySpec{
+					TargetRefs: []shared.LocalPolicyTargetReference{
+						{
+							Group: "",
+							Kind:  "Service",
+							Name:  gwv1.ObjectName(svcName),
+						},
+					},
+				},
+			}
+			bcp.SetGroupVersionKind(BackendConfigPolicyGVK)
+			backendCfg[svcKey] = bcp
+		}
+
+		// Configure TLS settings
+		if bcp.Spec.TLS == nil {
+			bcp.Spec.TLS = &kgateway.TLS{}
+		}
+
+		// Set SNI hostname if specified
+		if backendTLS.Hostname != "" {
+			bcp.Spec.TLS.Sni = ptr.To(backendTLS.Hostname)
+		}
+
+		// Set verification: InsecureSkipVerify is false when verify is on, true when verify is off
+		if !backendTLS.Verify {
+			bcp.Spec.TLS.InsecureSkipVerify = ptr.To(true)
+		} else if secretName != "" {
+			// Set secret reference (contains tls.crt, tls.key, and optionally ca.crt)
+			bcp.Spec.TLS.SecretRef = &corev1.LocalObjectReference{
+				Name: secretName,
+			}
+			// Note: LocalObjectReference doesn't support namespace, so the secret
+			// must be in the same namespace as the BackendConfigPolicy
+		}
+	}
+
+	return true
+}

pkg/i2gw/implementations/kgateway/emitter.go

@@ -141,6 +141,15 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 				backendCfg,
 			)
 
+			// Apply backend TLS via BackendConfigPolicy.
+			// Note: "touched" is not updated here, as this does not affect TrafficPolicy.
+			applyBackendTLSPolicy(
+				pol,
+				httpRouteKey,
+				httpRouteContext,
+				backendCfg,
+			)
+
 			// Apply enable-access-log via HTTPListenerPolicy.
 			applyAccessLogPolicy(
 				pol,

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -215,6 +215,15 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "load_balance.yaml",
 			),
 		},
+		{
+			name: "backend_tls",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "backend_tls.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "backend_tls.yaml",
+			),
+		},
 		{
 			name: "external_auth",
 			inputRel: filepath.Join(

pkg/i2gw/implementations/kgateway/testing/testdata/input/backend_tls.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: default/base-certificate-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
+    nginx.ingress.kubernetes.io/proxy-ssl-name: "tls.example.com"
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+  name: ingress-backendtls
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: tls.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: httpbin2
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: default/base-certificate-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
+    nginx.ingress.kubernetes.io/proxy-ssl-name: "tls.example.com"
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
+  name: ingress-backendtls-verify-off
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: insecure-tls.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: httpbin-insecure
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

pkg/i2gw/implementations/kgateway/testing/testdata/input/golden.yaml

@@ -109,3 +109,29 @@ spec:
               number: 80
         path: /
         pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: default/base-certificate-tls
+    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
+    nginx.ingress.kubernetes.io/proxy-ssl-name: "tls.example.com"
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+  name: ingress-backendtls
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: tls.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: httpbin2
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

pkg/i2gw/implementations/kgateway/testing/testdata/output/backend_tls.yaml

@@ -0,0 +1,98 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: nginx
+  namespace: default
+spec:
+  gatewayClassName: kgateway
+  listeners:
+  - hostname: insecure-tls.example.org
+    name: insecure-tls-example-org-http
+    port: 80
+    protocol: HTTP
+  - hostname: tls.example.org
+    name: tls-example-org-http
+    port: 80
+    protocol: HTTP
+status: {}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-backendtls-tls-example-org
+  namespace: default
+spec:
+  hostnames:
+  - tls.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: httpbin2
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-backendtls-verify-off-insecure-tls-example-org
+  namespace: default
+spec:
+  hostnames:
+  - insecure-tls.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: httpbin-insecure
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: BackendConfigPolicy
+metadata:
+  name: httpbin-insecure-backend-config
+  namespace: default
+spec:
+  targetRefs:
+  - group: ""
+    kind: Service
+    name: httpbin-insecure
+  tls:
+    insecureSkipVerify: true
+    sni: tls.example.com
+status:
+  ancestors: null
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: BackendConfigPolicy
+metadata:
+  name: httpbin2-backend-config
+  namespace: default
+spec:
+  targetRefs:
+  - group: ""
+    kind: Service
+    name: httpbin2
+  tls:
+    secretRef:
+      name: base-certificate-tls
+    sni: tls.example.com
+status:
+  ancestors: null