canonical / istio-operators

Charmed Istio

feat: add action to handle SSL values as secrets for TLS configuration #394

Closed DnPlas closed 3 months ago

DnPlas commented 3 months ago

⚠️ WARNING: This feature has been added due to #380, but will be supported only in 1.17 and 1.21 (and the versions released in between, if any); after that, it will be removed in favour of integrating with a TLS certificates provider. Documentation will be provided for upgrades and migrations.

This commit introduces actions that allow users to configure the TLS ingress gateway for a single host by passing the SSL cert and key directly to the charm.

This commit also adds unit and integration tests to increase the coverage due to the recent changes.

WARNING: please note this feature is only supported in 1.17 and 1.18, and it will be removed after releasing 1.18 in favour of the TLS provider method.

Fixes #380

Manual testing instructions

This feature requires juju 3.x

  1. Deploy istio-operators from latest/edge and relate them
  2. Pack the istio-pilot charm and refresh. Wait for active and idle.
  3. Make sure the gateway resource is not configured for TLS:

```
$ kubectl get gateways -n istio-secrets istio-gateway -oyaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  creationTimestamp: "2024-03-18T13:01:38Z"
  generation: 5
  labels:
    app.juju.is/created-by: istio-pilot
    app.kubernetes.io/instance: istio-pilot-istio-secrets
    kubernetes-resource-handler-scope: gateway
  name: istio-gateway
  namespace: istio-secrets
  resourceVersion: "46114"
  uid: 57374582-c0fd-4b80-96e8-138196371cf9
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 8080
      protocol: HTTP
```

  4. Run the save-tls-secret action to pass values (strings):

```
$ juju run istio-pilot/0 save-tls-secret ssl-key=foo ssl-crt=bar
Running operation 111 with 1 task
  - task 112 on unit-istio-pilot-0

Waiting for task 112...
```

  5. Confirm these values have been passed to the Secret the gateway uses for TLS:

```
$ kubectl get gateways -n istio-secrets istio-gateway -oyaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  creationTimestamp: "2024-03-18T13:01:38Z"
  generation: 6
  labels:
    app.juju.is/created-by: istio-pilot
    app.kubernetes.io/instance: istio-pilot-istio-secrets
    kubernetes-resource-handler-scope: gateway
  name: istio-gateway
  namespace: istio-secrets
  resourceVersion: "46454"
  uid: 57374582-c0fd-4b80-96e8-138196371cf9
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 8443
      protocol: HTTPS # <---- it is now using HTTPS
    tls:
      credentialName: istio-gateway-gateway-secret # <---- It is now pointing at a secret
      mode: SIMPLE
$ kubectl get secret -nistio-secrets istio-gateway-gateway-secret -oyaml
apiVersion: v1
data:
  tls.crt: YmFy # <--- base64 encoded string
  tls.key: Zm9v # <--- base64 encoded string
kind: Secret
metadata:
  creationTimestamp: "2024-03-18T15:24:48Z"
  labels:
    app.juju.is/created-by: istio-pilot
    app.kubernetes.io/instance: istio-pilot-istio-secrets
    kubernetes-resource-handler-scope: gateway
  name: istio-gateway-gateway-secret
  namespace: istio-secrets
  resourceVersion: "46453"
  uid: f77394a2-a773-4407-8c1f-eb6a18db996c
type: kubernetes.io/tls
```

  6. Test other cases:
    • Remove the secret with the remove-tls-secret action and watch the Gateway be reconfigured w/o TLS
    • Pass only one value to the save-tls-secret action and watch the unit go to BlockedStatus
    • Do an upgrade from 1.17/stable to this version of the charm
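The manual checks above (Gateway switched to HTTPS, `credentialName` pointing at a `kubernetes.io/tls` Secret, both `tls.crt` and `tls.key` present and base64-encoded) can be turned into a small verification script. The following is an added example, not code from the istio-operators charm or from this PR: it takes the JSON form of the two objects (what `kubectl get ... -ojson` prints) and returns a list of findings. The two sample objects are constructed inline from the YAML shown in the testing instructions, with metadata trimmed; a third, hand-constructed Secret with only `tls.crt` stands in for the "only one value" negative case. The `check_gateway_tls` function name and the PEM-header check are this example's own choices, not charm behaviour.

```python
"""Verify that an Istio Gateway is TLS-configured and that the Secret it
references holds a complete kubernetes.io/tls credential.

Added example (not part of the istio-operators charm). Input is the JSON
form of the two objects, as `kubectl get gateway/<name> -ojson` and
`kubectl get secret/<name> -ojson` would print; here it is constructed
inline from the objects shown in the PR's manual testing instructions.
"""
import base64
import json

# Constructed sample: the Gateway before the action (plain HTTP on 8080).
GATEWAY_HTTP_JSON = json.dumps({
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "Gateway",
    "metadata": {"name": "istio-gateway", "namespace": "istio-secrets"},
    "spec": {
        "selector": {"istio": "ingressgateway"},
        "servers": [{
            "hosts": ["*"],
            "port": {"name": "http", "number": 8080, "protocol": "HTTP"},
        }],
    },
})

# Constructed sample: the Gateway after `save-tls-secret` (HTTPS on 8443).
GATEWAY_JSON = json.dumps({
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "Gateway",
    "metadata": {"name": "istio-gateway", "namespace": "istio-secrets"},
    "spec": {
        "selector": {"istio": "ingressgateway"},
        "servers": [{
            "hosts": ["*"],
            "port": {"name": "https", "number": 8443, "protocol": "HTTPS"},
            "tls": {"credentialName": "istio-gateway-gateway-secret", "mode": "SIMPLE"},
        }],
    },
})

# Constructed sample: the Secret created from `ssl-key=foo ssl-crt=bar`.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "istio-gateway-gateway-secret", "namespace": "istio-secrets"},
    "data": {"tls.crt": "YmFy", "tls.key": "Zm9v"},
})

# Hand-constructed negative case: a Secret that carries only the certificate.
SECRET_MISSING_KEY_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "istio-gateway-gateway-secret", "namespace": "istio-secrets"},
    "data": {"tls.crt": "YmFy"},
})


def check_gateway_tls(gateway_json: str, secret_json: str) -> list:
    """Return a list of findings; an empty list means the pair looks consistent."""
    gw = json.loads(gateway_json)
    sec = json.loads(secret_json)
    findings = []

    # 1. The Gateway must expose at least one HTTPS server.
    https_servers = [s for s in gw["spec"].get("servers", [])
                     if s.get("port", {}).get("protocol") == "HTTPS"]
    if not https_servers:
        findings.append("gateway has no HTTPS server (still plain HTTP)")
        return findings

    # 2. Each HTTPS server must use SIMPLE mode and reference this Secret by name.
    secret_name = sec["metadata"]["name"]
    for srv in https_servers:
        tls = srv.get("tls", {})
        if tls.get("mode") != "SIMPLE":
            findings.append(f"unexpected tls.mode {tls.get('mode')!r}")
        cred = tls.get("credentialName")
        if cred != secret_name:
            findings.append(f"credentialName {cred!r} != secret {secret_name!r}")

    # 3. The Secret must be a TLS secret with both halves present and decodable.
    if sec.get("type") != "kubernetes.io/tls":
        findings.append(f"secret type is {sec.get('type')!r}, expected kubernetes.io/tls")
    data = sec.get("data", {})
    for key in ("tls.crt", "tls.key"):
        raw = data.get(key)
        if not raw:
            findings.append(f"secret is missing {key}")
            continue
        try:
            decoded = base64.b64decode(raw, validate=True)
        except ValueError:
            findings.append(f"{key} is not valid base64")
            continue
        # Placeholder strings such as "foo"/"bar" decode fine but are not PEM.
        if not decoded.startswith(b"-----BEGIN "):
            findings.append(f"{key} does not look like PEM (decodes to {decoded[:16]!r})")
    return findings


if __name__ == "__main__":
    for label, gw, sec in (("before action", GATEWAY_HTTP_JSON, SECRET_JSON),
                           ("after action", GATEWAY_JSON, SECRET_JSON),
                           ("only cert", GATEWAY_JSON, SECRET_MISSING_KEY_JSON)):
        print(label, "->", check_gateway_tls(gw, sec) or "OK")
```

Against the PR's own sample run, the script reports only that `tls.crt` and `tls.key` decode to `bar`/`foo` rather than PEM, which is the expected result for the placeholder strings used in the walkthrough; with real certificate material those two findings disappear. To run it against a live model, replace the constructed strings with the output of `kubectl get gateway istio-gateway -n istio-secrets -ojson` and `kubectl get secret istio-gateway-gateway-secret -n istio-secrets -ojson`.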
DnPlas commented 3 months ago

Unit tests are blocked because of #395. The issue should be resolved after merging #396 and rebasing this branch.