[THREESCALE-7921] New APIcast CRD field: caCertificateSecretRef

Author: tkan145

apis/apps/v1alpha1/apicast_types.go

@@ -177,6 +177,9 @@ type APIcastSpec struct {
 	// HTTPSCertificateSecretRef references secret containing the X.509 certificate in the PEM format and the X.509 certificate secret key.
 	// +optional
 	HTTPSCertificateSecretRef *v1.LocalObjectReference `json:"httpsCertificateSecretRef,omitempty"`
+	// CACertificateSecretRef references secret containing the X.509 CA certificate in the PEM format.
+	// +optional
+	CACertificateSecretRef *v1.LocalObjectReference `json:"caCertificateSecretRef,omitempty"`
 	// Workers defines the number of APIcast's worker processes per pod.
 	// +optional
 	// +kubebuilder:validation:Minimum=1

apis/apps/v1alpha1/zz_generated.deepcopy.go

@@ -65,6 +65,17 @@ spec:
                   a protocol-specific proxy is not specified. Authentication is not supported.
                   Format is <scheme>://<host>:<port>
                 type: string
+              caCertificateSecretRef:
+                description: CACertificateSecretRef references secret containing the X.509 CA certificate in the PEM format.
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               cacheConfigurationSeconds:
                 description: |-
                   The period (in seconds) that the APIcast configuration will be stored in

bundle/manifests/apps.3scale.net_apicasts.yaml

@@ -58,6 +58,18 @@ spec:
                   a protocol-specific proxy is not specified. Authentication is not supported.
                   Format is <scheme>://<host>:<port>
                 type: string
+              caCertificateSecretRef:
+                description: CACertificateSecretRef references secret containing the
+                  X.509 CA certificate in the PEM format.
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               cacheConfigurationSeconds:
                 description: |-
                   The period (in seconds) that the APIcast configuration will be stored in

config/crd/bases/apps.3scale.net_apicasts.yaml

@@ -42,6 +42,8 @@ const (
 const (
 	HTTPSCertificatesMountPath  = "/var/run/secrets/apicast"
 	HTTPSCertificatesVolumeName = "https-certificates"
+	CACertificatesSecretKey     = "ca-bundle.crt"
+	CACertificatesVolumeName    = "ca-certificate"
 	CustomPoliciesMountBasePath = "/opt/app-root/src/policies"
 	CustomEnvsMountBasePath     = "/opt/app-root/src/custom-environments"
 	TracingConfigMountBasePath  = "/opt/app-root/src/tracing-configs"
@@ -91,6 +93,15 @@ func (a *APIcast) deploymentVolumeMounts() []v1.VolumeMount {
 		})
 	}
 
+	// Use the same mount path with https certificate
+	if a.options.CACertificateSecret != nil {
+		volumeMounts = append(volumeMounts, v1.VolumeMount{
+			Name:      CACertificatesVolumeName,
+			MountPath: HTTPSCertificatesMountPath,
+			ReadOnly:  true,
+		})
+	}
+
 	for _, customPolicy := range a.options.CustomPolicies {
 		volumeMounts = append(volumeMounts, v1.VolumeMount{
 			Name:      policyVolumeName(customPolicy),
@@ -167,6 +178,23 @@ func (a *APIcast) deploymentVolumes() []v1.Volume {
 		})
 	}
 
+	if a.options.CACertificateSecret != nil {
+		volumes = append(volumes, v1.Volume{
+			Name: CACertificatesVolumeName,
+			VolumeSource: v1.VolumeSource{
+				Secret: &v1.SecretVolumeSource{
+					SecretName: a.options.CACertificateSecret.Name,
+					Items: []v1.KeyToPath{
+						{
+							Key:  CACertificatesSecretKey,
+							Path: "ca-bundle.crt", // Map the secret key to the ca-bundle.crt file in the container
+						},
+					},
+				},
+			},
+		})
+	}
+
 	for _, customPolicy := range a.options.CustomPolicies {
 		volumes = append(volumes, v1.Volume{
 			Name: policyVolumeName(customPolicy),
@@ -324,6 +352,11 @@ func (a *APIcast) deploymentEnv() []v1.EnvVar {
 			k8sutils.EnvVarFromValue("APICAST_HTTPS_CERTIFICATE_KEY", fmt.Sprintf("%s/%s", HTTPSCertificatesMountPath, v1.TLSPrivateKeyKey)))
 	}
 
+	if a.options.CACertificateSecret != nil {
+		env = append(env,
+			k8sutils.EnvVarFromValue("SSL_CERT_FILE", path.Join(HTTPSCertificatesMountPath, "ca-bundle.crt")))
+	}
+
 	if a.options.Workers != nil {
 		env = append(env, k8sutils.EnvVarFromValue("APICAST_WORKERS", strconv.Itoa(int(*a.options.Workers))))
 	}

pkg/apicast/apicast.go

@@ -136,6 +136,12 @@ func (a *APIcastOptionsProvider) GetApicastOptions(ctx context.Context) (*APIcas
 	}
 	a.APIcastOptions.HTTPSCertificateSecret = httpsCertificateSecret
 
+	caCertificateSecret, err := a.getCACertificateSecret(ctx)
+	if err != nil {
+		return nil, err
+	}
+	a.APIcastOptions.CACertificateSecret = caCertificateSecret
+
 	// Resource requirements
 	resourceRequirements := DefaultResourceRequirements(a.APIcastCR.Spec.Hpa)
 
@@ -368,6 +374,39 @@ func (a *APIcastOptionsProvider) getHTTPSCertificateSecret(ctx context.Context)
 	return secret, err
 }
 
+func (a *APIcastOptionsProvider) getCACertificateSecret(ctx context.Context) (*v1.Secret, error) {
+	if a.APIcastCR.Spec.CACertificateSecretRef == nil {
+		return nil, nil
+	}
+
+	errors := field.ErrorList{}
+	specFldPath := field.NewPath("spec")
+	caCertificateSecretRefFldPath := specFldPath.Child("caCertificateSecretRef")
+	secretNameFldPath := caCertificateSecretRefFldPath.Child("name")
+
+	ns := a.APIcastCR.Namespace
+
+	if a.APIcastCR.Spec.CACertificateSecretRef.Name == "" {
+		errors = append(errors, field.Required(secretNameFldPath, "secret name not provided"))
+		return nil, errors.ToAggregate()
+	}
+
+	namespacedName := types.NamespacedName{
+		Name:      a.APIcastCR.Spec.CACertificateSecretRef.Name,
+		Namespace: ns,
+	}
+
+	secret := &v1.Secret{}
+	err := a.Client.Get(ctx, namespacedName, secret)
+
+	if err != nil {
+		// NotFoundError is also an error, it is required to exist
+		return nil, err
+	}
+
+	return secret, nil
+}
+
 func (a *APIcastOptionsProvider) validateCustomPolicySecret(ctx context.Context, nn types.NamespacedName) (*v1.Secret, error) {
 	secret := &v1.Secret{}
 	err := a.Client.Get(ctx, nn, secret)

pkg/apicast/apicast_option_provider.go

@@ -66,6 +66,7 @@ type APIcastOptions struct {
 	HTTPSPort                           *int32
 	HTTPSVerifyDepth                    *int64
 	HTTPSCertificateSecret              *v1.Secret
+	CACertificateSecret                 *v1.Secret
 	Workers                             *int32
 	Timezone                            *string
 	CustomPolicies                      []CustomPolicy