Update GEP-713 and add BackendTLSPolicy implementation

[youngnick]

What type of PR is this?
/kind feature
/kind gep

What this PR does / why we need it:

This updates GEP-713 with the information needed for BackendTLSPolicy's status (including making this a new recommendation for Policy status), and also implements BackendTLSPolicy.

Which issue(s) this PR fixes:
Updates #713
Updates #1897

Does this PR introduce a user-facing change?:

BackendTLSPolicy has been added to control TLS from Gateway to backends specified in HTTPRoutes.

[youngnick]

This needs a little more work to add tests for the BackendTLSPolicy CEL rules, but I haven't done that before, not sure how long it will take. This will let folks review the rest while I work on that.

/hold

[youngnick]

Note that this file is basically copied verbatim from GEP-1897.

Now's the time to carefully review though and see if we missed anything there.

[youngnick]

BackendTLSPolicy also has the problem that support for it should be Extended, but it will be tricky to write conformance tests for. I probably also need to add something to GEP-1897 about how implementations should signal that they support the new object.

I'll work on that now.

Edit: This needs quite a lot of talking, and GRPCRoute is in a similar boat. I actually think we should hold off here and do both together.

[robscott]

Thanks for getting this one through @youngnick! I just focused on the TLS side of things, but the Policy side largely lines up with what I was hoping for, just did not have time to take a close look yet.

[robscott]

I think these both look correct, but would appreciate new tests in pkg/test/cel to confirm that they're working as expected.

[robscott]

Nit: I'm not convinced that ConfigMaps are the best long term solution here, would prefer not starting with a type that defaults to them.

[youngnick]

Okay, would you prefer no default here to start with then? That also doesn't seem ideal.

The idea we discussed was to make it easy to get started for now, and we can change the defaults later if we want - because they are defaults, they are added the first time the object is persisted, so existing resources will keep working even if we do.

[robscott]

My concern is that I think generally we're supposed to release a new API version when changing default values (https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#static-defaults). We could theoretically say that it's experimental channel and anything goes, but in this particular case it seems very unlikely that ConfigMap as default is something we want to stick with through to GA, so I'd personally rather not start with it.

[youngnick]

Yeah, okay, I'll pull out ConfigMapObjectReference for now then, can always bring it back later if need be. This will be moved to just a straight ObjectReference then, which will mean that people will need to specify that this is a configmap to begin with (which I agree is not a huge deal).

[youngnick]

Paging @candita though for this one, this is a little different to the discussion we had on the GEP.

[howardjohn]

+1 to no defaults

[youngnick]

I've updated this to use a new ObjectReference type that has no defaults - this means that group and kind are now required.

[candita]

@youngnick we went in a few different directions in the original GEP, and first decided that ConfigMapReference would be the simplest at the time: #2113 (comment)

#2113 (comment) discusses why we went with ConfigMapReference.

ObjectReference seems even simpler, but perhaps we could add some examples for the Group and Kind if we don't default it (ClusterTrustBundled, ConfigMapReference)?

[robscott]

Thanks @youngnick! This review just covers the policy side of the PR. I think it all looks solid, just had some suggested tweaks + additions to spec here.

[howardjohn]

nit: MinItems=1? otherwise you can say certRefs=[] (I think)

[youngnick]

MinItems=1 makes this not optional though, so I think we need to stick with this. In any case, we can add this later if we need it.

[danehans]

Note that GEP-1897 states "CertRefs contains one or more (up to 64) references to Kubernetes objects..." and should be updated accordingly.

[robscott]

I think CEL validation should be able to prevent invalid inputs like this, but I've filled #2473 to ensure we have good test coverage of our validation here before releasing this.

[howardjohn]

+1 to no defaults

[howardjohn]

do we want to do like we did for address? Some core enum types, but allow vendor builtin prefix?

Seems less required here as you could use a certRefs to point to an arbitrary type

[youngnick]

Yes, this is essentially a boolean with room for later expansion if we need it. I think domain-prefix is not necessary in this case.

[robscott]

Yeah, I think domain-prefixed values might actually be useful in the future, but I'm fine with leaving that until later since I can't think of any immediate use cases. IMO, the most important thing at this point is that we have room for expansion here.

[howardjohn]

nit: This is trading off precising vs complexity, but technically it doesn't need to be in the certificate; the cert could be a wildcard. Maybe simply use "match"? Possibly tie to the TLS verification RFC if we want

[youngnick]

"match" is a good idea, done.

[kflynn]

I voiced concerns about this one at the v1.0 API review. Overall, those concerns kind of boil down to the backend TLS and ancestors feeling even more experimental than GEP-713 itself, which worries me: landing this will fold those into GEP-713, and no one reading the GEP later will know the gradations between bits of 713.

But perhaps I should trust the experimental process more. @youngnick, I'm OK landing this as experimental for v1.0. Probably sometime after that we should take a serious look at graduation criteria for GEP-713 -- it's significant enough that we might not want to leave it exempt.

[robscott]

Thanks @youngnick! A few nits but otherwise LGTM.

[robscott]

Added #2473 to track adding CEL tests for this. Does not need to block this PR, but probably needs to block v1.0.

[robscott]

I think CEL validation should be able to prevent invalid inputs like this, but I've filled #2473 to ensure we have good test coverage of our validation here before releasing this.

[robscott]

Good catch! I think this might actually be best for a follow up PR because we probably also want to have TargetSectionNotFound like you're suggesting, but I think it would be cleaner to add a new condition like that in a separate PR.

[robscott]

Yeah, I think domain-prefixed values might actually be useful in the future, but I'm fine with leaving that until later since I can't think of any immediate use cases. IMO, the most important thing at this point is that we have room for expansion here.

[robscott]

Thanks @youngnick! 3 non-blocking nits, feel free to remove hold if you'd rather cover them in a follow up.

/lgtm
/hold

[robscott]

Don't think it needs to block this PR, but we should address Tim's feedback here. We really should define what implementations should do when this is full. At a minimum we should clarify that they should not try to add to the list, but maybe we can think of some better options here longer term?

[robscott]

Non-blocking nit:

Suggested change

	// requirement.
	// requirement.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [robscott,youngnick]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[robscott]

/lgtm

[robscott]

/hold cancel

[EItanya]

No ReferenceGrant support?

[youngnick]

Not for now - we wanted to get this MVP in, and we can add ReferenceGrant support later. I agree it seems reasonable to add for this field though.

[EItanya]

Sounds good, at a high level is this the kind of decision an implementation could decide to implement on their own given the right documentation/reasoning, or would that be considered bad practice. Mostly just curious about how people should/have approach such a thing

[youngnick]

We've actually chosen the types such that you can't at the moment - but the LocalObjectReference type and the ObjectReference type are unmarshal-equivalent, so when we do migrate, anything stored as JSON/YAML in etcd will deserialize correctly into the ObjectReference type.

So, I guess that's a long way of saying that changing this right now will require forking BackendTLSPolicy, which I wouldn't recommend.