Support for SSL BackendSet certificate

[MadalinaPatrichi]

Added support for supplying SSL certificates for LoadBalancers backend sets:

1. Added support for new type of generic Kubernetes secret to read from, which has the following data fields:

• ca.crt - Base64 encoded CA certificate
• tls.crt - Base64 encoded Public certificate
• tls.key - Base64 encoded Private key
• passphrase - Base64 encoded passphrase

2. Modified Health Check to support both TCP and HTTP protocols. The choice between protocols is driven by whether there exists an SSL certificate associated to the port for which the health check is being done. Both the SSL certificates and the SSL enabled ports are specified in the annotations of the Load Balancer configuration file

3. Added Ginkgo test to check connectivity for SSL enabled backend sets

[owainlewis]

The return type here is pretty hard to understand and might be prone to assignment error. Suggest refactoring into a struct or similar.

func (cp *CloudProvider) readSSLSecret(secretType string, svc *v1.Service) (*TLSCertificate, error)

[MadalinaPatrichi]

You're right, thanks!

[owainlewis]

Minor typo in commit message: Add Backendset SSL cerrtificates => Add Backendset SSL certificates

[owainlewis]

Let's remove this

[MadalinaPatrichi]

Done

[prydie]

👍

[prydie]

s/secret/Secret/

[prydie]

s/secret/Secret/

[prydie]

s/secret/Secret/

[prydie]

Space before :

[prydie]

Maybe cfssl (or god forbid even openssl) would be a more standard recommendation?

[MadalinaPatrichi]

Haha, true, I'll just remove it, Google can help if needed

[prydie]

This probably needs updating to reflect that we aren't using TLS Secrets.

[prydie]

This is a strange pattern. Any reason you're not allocating the map in the function and returning?

[MadalinaPatrichi]

It's because I wanted to hold all certificates (both for listeners and backend sets) within the same map. Therefore, I am creating a map of certificates and I add to it step by step. I guess this saves me from having to make a union of the map :) for which go doesn't have a nice implementation of (unlike python)

[prydie]

Ah, that makes sense. I think perhaps then that extending SSLConfig to include both BackendSet and Listener SSL configuration would likely result in cleaner code. Thoughts?

[MadalinaPatrichi]

Yeah, you're right, Or maybe have a separate struct to hold both

[prydie]

Do we also need to support something along the lines of ServiceAnnotationLoadBalancerSSLPorts but for backends at all?

[MadalinaPatrichi]

I thought of this too, but @owainlewis was mentioning that we can assume that both the Listener certificate and the Backend set certificates can be uniformly applied for the same ports. The closest thing to what OCI offers would be to have a one-to-one mapping between one port and one certificate, which is not the case now, even with Listeners. Maybe we should have a discussion about this and address this separately

[prydie]

return nil, errors.Errorf("...

[prydie]

Docstring comments should read as a sentence:

	// SSLCAFileName is the key name for ca data in the secrets config.

[prydie]

Appears unused.

[prydie]

// If the health-check has SSL enabled use TCP rather than HTTP.
protocol := lbNodesHealthCheckProtoHTTP
if cfg != nil && cfg.Ports.Has(port) {
	protocol = lbNodesHealthCheckProtoTCP
}		

[prydie]

As docstrings are expected to be sentences (for nice godocs) they should end with a full-stop.

[prydie]

s/-// (sentences)

[prydie]

url := fmt.Sprintf("http://%s%s", ipPort, request)
if secure {
	url = fmt.Sprintf("https://%s%s", ipPort, request)
}

[prydie]

Couple of nits and queries but otherwise looking awesome 👍

[prydie]

Should probably clean up commented out code?

[prydie]

url := fmt.Sprintf("http://%s%s", ipPort, request)

(no need for separate declare and define)

[prydie]

Could you not just do CreateCertificateDetails: cert, here?

[MadalinaPatrichi]

No, one is CreateCertificateDetails type and one is CertificateDetails. Unless there's some magic to make that happen? :)

[MadalinaPatrichi]

please say there is to make go cooler for me

[prydie]

🤦‍♂️

[MadalinaPatrichi]

Is that a facepalm because it should have been obvious for me on how to cast it from one type to the other?

[prydie]

Goodness no! Facepalm that I didn't notice they were different types 😄

[prydie]

	cacert = secret.Data[SSLCAFileName]

[prydie]

s/, _//

[prydie]

s/, _//

[prydie]

I'm not clear on how this works in the case that there's BackendSet certs but not Listener?

[MadalinaPatrichi]

LMAATCFT (let me add a test case for that) good spot

[prydie]

No need for if statement. loadbalancer.BackendSetDetails{SslConfiguration: sslConfig} when sslConfig == nil is equivalent to not specifying the property as the default value for pointers is nil.

[prydie]

We can support ca certificates and passphrases on listener certs and implement as follows I believe:

	secrets := make([]string, 0, 2)
	if s.SSLConfig.ListenerSSLSecretName != "" {
		secrets = append(secrets, s.SSLConfig.ListenerSSLSecretName)
	}
	if s.SSLConfig.BackendSetSSLSecretName != "" {
		secrets = append(secrets, s.SSLConfig.BackendSetSSLSecretName)
	}

	for _, name := range secrets {
		cert, err := s.SSLConfig.readSSLSecret(s.service.Namespace, name)
		if err != nil {
			return nil, errors.Wrap(err, "reading SSL BackendSet Secret")
		}

		certs[name] = loadbalancer.CertificateDetails{
			CertificateName:   &s.SSLConfig.BackendSetSSLSecretName,
			CaCertificate:     common.String(string(cert.CACert)),
			PublicCertificate: common.String(string(cert.PublicCert)),
			PrivateKey:        common.String(string(cert.PrivateKey)),
			Passphrase:        common.String(string(cert.Passphrase)),
		}
	}

[owainlewis]

Couple of minor comments to address from previous reviews. Overall looks good to me.

[owainlewis]

To be consistent let's change to service.beta.kubernetes.io/oci-load-balancer-tls-backendset-secret

[owainlewis]

Let's remove unused code

[owainlewis]

service.beta.kubernetes.io/oci-load-balancer-backendset-secret => service.beta.kubernetes.io/oci-load-balancer-backendset-tls-secret to be consistent?

[owainlewis]

Is this (var ok bool) needed?

if cert, ok := secret.Data[SSLCertificateFileName]; !ok {

[MadalinaPatrichi]

yes, I think it is. It's because we need to declare cert and key beforehand.

[owainlewis]

Is this needed in outer scope vs if _, ok := lb.Certificates[*cert.CertificateName]; !ok {

[owainlewis]

Remove unused code

[owainlewis]

Minor: Would generally prefer a more readable name like sslListenerSecretName

[owainlewis]

Minor: Would prefer sslBackendSetSecretName vs sslSecretNameB

[owainlewis]

Remove me

[owainlewis]

Copy paste from previous test. Probably not worth duplicating again.

[owainlewis]

Looks good. Once additional reviews are +1 we can merge.

[prydie]

Awesome work! 🎉