Add Gateway API TLS Support

[danehans]

Please describe the problem you have
Add support for TLSRoute and HTTPRoute configured with TLS. Note: the contour controller may need to read the TLS config, i.e certs, from the gateway TLS config (projectcontour/contour-operator#214).

• Support TLSRoute (Support TLSRoute #3440)
• Support Gateway GatewayTLSConfig (Support TLS on Gateway #3438)
• Support TLS with HTTPRoute (Support RouteTLSConfig on HTTPRoute #3439)

[eloycoto]

Hi,

I checked the current gateway-api implementation, and I think design to be changed to implement this feature, no?

By default, the TLS listener certificate is part of the Gateway object that it's implemented on the Operator. Contour only implements HTTPRoute object, and it translates that to an Envoy Dynamic route, using the internal VirtualHost struct.

Example code:

contour/internal/dag/gatewayapi_processor.go

Lines 118 to 123 in 9fc4431

	routes := p.routes(pathPrefixes, services)
	for _, vhost := range hosts {
	vhost := p.dag.EnsureVirtualHost(vhost)
	for _, route := range routes {
	vhost.addRoute(route)
	}

Also, If I want to implement ext-authz draft, I need to implement the TLS on the Listener, but I think that it's not possible to implement it using only HTTPRoute, that it's translated to VirtualHost, and maybe it should be translated to SecureVirtualHost.

Is there any document/draft about how these things will be implemented? Do you need any help? I would like to build a POC regarding ext-authz, but I need the TLS termination first.

Regards

[stevesloka]

Hey @eloycoto, you are correct, we haven't implemented that bit yet. If you'd like to contribute that work it would be great, or I think that's probably a logical next step that I was going to take on.

[eloycoto]

Hi,

It's quite a big change, and it might change how the project is structured, so I would like to know what it's your implementation idea, and I can start working on some pieces.

Regards

[stevesloka]

I poked around a bit and this is what I think will work: main...stevesloka:httpsRoute

This needs all the tests, etc, but a quick dry run its works on my machine.

[stevesloka]

Is this enough to get started @eloycoto? Or do you want me to finish up? Just let me know. =)

[eloycoto]

I'll have a look and I'll come back to you

[sunjayBhatia]

Moving this to 1.15.0 as we're working out some interactions between the Contour controller and operator still

[sunjayBhatia]

Seems like TLSRoute will not make it in before 1.15, can we move this to 1.16?

[youngnick]

Some TLSRoute support is in (see #3440), but it's not finished yet, moving this to 1.17.

[youngnick]

Bumping this to 1.18.

[skriss]

#3440 is just about done, just waiting to merge some additional unit test cases, so I've marked TLSRoute support as done on the task list.

[youngnick]

As of v1alpha2, TLS on HTTPRoute will be removed, so we probably shouldn't bother implementing for v1alpha1. We can probably call this mostly done.

[skriss]

As of v1alpha2, TLS on HTTPRoute will be removed, so we probably shouldn't bother implementing for v1alpha1. We can probably call this mostly done.

Sounds good, I'll close this out and we can open new issues as needed if we find any gaps.