nginxinc / nginx-gateway-fabric

NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane.
Apache License 2.0

Allowing `CACertificateRef` to be loaded from a secret #2629

Open asger-noer opened 1 month ago

asger-noer commented 1 month ago

Is your enhancement request related to a problem? Please describe. When running CockroachDB in secure mode with Cert-Manager acting as CA, this will produce a CA in a Secret instead of in the currently supported ConfigMap. I don't see anything in the API that would prevent the certificate ref being a Secret.

What would you like to be added: The option to provide a Secret ref in spec.validation.caCertificateRefs[*].kind

Why this is needed: For supporting different ways of storing CAs.

Additional context: This is the status of the BackendTLSPolicy when created referencing a Secret instead of a ConfigMap

apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  creationTimestamp: "2024-09-30T22:32:27Z"
  generation: 1
  labels:
    kustomize.toolkit.fluxcd.io/name: tools-controllers
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: cockroach-tls
  namespace: cockroach
  resourceVersion: "3860621"
  uid: 84a3e868-9dfc-4bdd-8938-492e88877254
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: cockroach-cockroachdb-public
  validation:
    caCertificateRefs:
    - group: ""
      kind: Secret
      name: cockroach-ca
    hostname: cockroach-cockroachdb-public.cockroach
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: shared-gateway
      namespace: nginx-gateway
    conditions:
    - lastTransitionTime: "2024-09-30T22:40:28Z"
      message: 'invalid CACertificateRef: tls.cacertrefs[0[].kind: Unsupported value:
        "Secret": supported values: "ConfigMap"'
      observedGeneration: 1
      reason: Invalid
      status: "False"
      type: Accepted
    controllerName: gateway.nginx.org/nginx-gateway-controller

Versions

nginx-gateway-fabric version: v1.4.0
api-gw-crd bundle version: v1.1.0
api-gw-crd channel: experimental
k8s revision: v1.31.1

mpstefan commented 1 month ago
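
The validation failure shown in the status above rejects the ref purely on kind. As an added illustration (Go, not NGINX Gateway Fabric's own code or types), the sketch below shows what accepting a Secret next to a ConfigMap could look like on the validation side: the ref must be in the core group with a supported kind, the referenced object must carry the "ca.crt" key the Gateway API mandates for ConfigMaps (assumed here to apply to Secrets as well), and every PEM block in it must parse as a CA certificate, so a leaf cert or an empty key never becomes a trust anchor. The in-memory object store, the key names and SelfSignedPEM are stand-ins constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type CACertRef struct{ Group, Kind, Name string } // one entry of spec.validation.caCertificateRefs

// ResolveCA accepts a ConfigMap or Secret ref in the core group (""), reads its "ca.crt" key
// (mandated by the Gateway API for ConfigMaps; assumed here for Secrets too) and returns the
// CA certificates found there. objs stands in for the cluster store, keyed "Kind/name" -> data.
func ResolveCA(ref CACertRef, objs map[string]map[string][]byte) ([]*x509.Certificate, error) {
	if ref.Group != "" || (ref.Kind != "ConfigMap" && ref.Kind != "Secret") {
		return nil, fmt.Errorf("unsupported CACertificateRef kind %q in group %q", ref.Kind, ref.Group)
	}
	raw, ok := objs[ref.Kind+"/"+ref.Name]["ca.crt"]
	if !ok {
		return nil, fmt.Errorf("%s %q not found or has no ca.crt key", ref.Kind, ref.Name)
	}
	var cas []*x509.Certificate
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		// A cert without the CA basic constraint must never be installed as a trust anchor.
		if err != nil || !cert.BasicConstraintsValid || !cert.IsCA {
			return nil, fmt.Errorf("ca.crt: block %d is not a valid CA certificate (%v)", len(cas), err)
		}
		cas = append(cas, cert)
	}
	if len(cas) == 0 { // an empty or non-PEM ca.crt would silently leave the backend unverified
		return nil, fmt.Errorf("ca.crt: no PEM certificates found")
	}
	return cas, nil
}

// SelfSignedPEM builds a constructed self-signed test certificate; isCA sets its basic constraint.
func SelfSignedPEM(isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```
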

Thanks for reporting this @asger-noer! We initially only implemented ConfigMap support as that is the only object that is specifically listed as "core" support under the Gateway API, but as you say, there's no explicit reason why it should be limited to ConfigMaps only.

We should be able to look at this in the future, and I'll update this issue as it goes through the process.

Otherwise, we are open to PRs on this issue in the meantime!

bozho commented 1 week ago

Hi,

I'd like to add a 👍 for this. We'd like to use NGF as a reverse proxy to an Elasticsearch cluster. ES nodes use TLS for intra-node communication, so the reverse proxy must trust the self-signed root cert.

The ECK operator creates a Secret with the public certs, which is a JSON document, and the root cert is under data."ca.cert", so support for referencing a field inside a Secret would be needed in our scenario.