Add more validation; handle conflicts

Author: ciarams87

internal/mode/static/manager.go

@@ -390,7 +390,8 @@ func registerControllers(
 				objectType: &gatewayv1alpha2.BackendTLSPolicy{},
 			},
 			{
-				objectType: &apiv1.ConfigMap{}, // TODO(ciarams87): Use only metadata predicate
+				// FIXME(ciarams87): If possible, use only metadata predicate
+				objectType: &apiv1.ConfigMap{},
 			},
 		}
 		controllerRegCfgs = append(controllerRegCfgs, backendTLSObjs...)

internal/mode/static/nginx/config/servers.go

@@ -3,7 +3,6 @@ package config
 import (
 	"encoding/json"
 	"fmt"
-	"os"
 	"strings"
 	gotemplate "text/template"
 
@@ -275,8 +274,8 @@ func createProxyTLSFromBackends(backends []dataplane.Backend) *http.ProxySSLVeri
 		proxyVerify := createProxySSLVerify(b.VerifyTLS)
 		if proxyVerify != nil {
 			// If any backend has a backend TLS policy defined, then we use that for the proxy SSL verification.
-			// If multiple backends in the group have a backend TLS policy defined, then we use the first one we find.
-			// TODO(ciarams87): Fix this
+			// We require that all backends in a group have the same backend TLS policy.
+			// Verification that all backends in a group have the same backend TLS policy is done in the graph package.
 			return proxyVerify
 		}
 	}
@@ -291,32 +290,14 @@ func createProxySSLVerify(v *dataplane.VerifyTLS) *http.ProxySSLVerify {
 	if v.CertBundleID != "" {
 		trustedCert = generateCertBundleFileName(v.CertBundleID)
 	} else {
-		trustedCert = getRootCAPath()
+		trustedCert = v.RootCAPath
 	}
 	return &http.ProxySSLVerify{
 		TrustedCertificate: trustedCert,
 		Name:               v.Hostname,
 	}
 }
 
-// TODO(ciarams87): Move this logic earlier
-func getRootCAPath() string {
-	certFiles := []string{
-		"/etc/ssl/cert.pem",                                 // Alpine Linux
-		"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
-		"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
-		"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
-		"/etc/pki/tls/cacert.pem",                           // OpenELEC
-		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
-	}
-	for _, certFile := range certFiles {
-		if _, err := os.Stat(certFile); err == nil {
-			return certFile
-		}
-	}
-	return ""
-}
-
 func createReturnValForRedirectFilter(filter *dataplane.HTTPRequestRedirectFilter, listenerPort int32) *http.Return {
 	if filter == nil {
 		return nil

internal/mode/static/nginx/config/servers_template.go

@@ -54,7 +54,7 @@ server {
         proxy_pass {{ $l.ProxyPass }};
             {{- if $l.ProxySSLVerify }}
         proxy_ssl_verify on;
-        proxy_ssl_name {{ $l.ProxySSLVerify.Hostname }};
+        proxy_ssl_name {{ $l.ProxySSLVerify.Name }};
         proxy_ssl_trusted_certificate {{ $l.ProxySSLVerify.TrustedCertificate }};
             {{- end }}
         {{- end }}

internal/mode/static/state/dataplane/configuration.go

@@ -3,6 +3,7 @@ package dataplane
 import (
 	"context"
 	"fmt"
+	"os"
 	"sort"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -177,11 +178,31 @@ func convertBackendTLS(btp *graph.BackendTLSPolicy) *VerifyTLS {
 	verify := &VerifyTLS{}
 	if btp.CaCertRef.Name != "" {
 		verify.CertBundleID = generateCertBundleID(btp.CaCertRef)
+	} else {
+		verify.RootCAPath = getRootCAPath()
 	}
 	verify.Hostname = string(btp.Source.Spec.TLS.Hostname)
 	return verify
 }
 
+// getRootCAPath returns the path to the root CA certificate bundle.
+func getRootCAPath() string {
+	certFiles := []string{
+		"/etc/ssl/cert.pem",                                 // Alpine Linux
+		"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
+		"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
+		"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
+		"/etc/pki/tls/cacert.pem",                           // OpenELEC
+		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+	}
+	for _, certFile := range certFiles {
+		if _, err := os.Stat(certFile); err == nil {
+			return certFile
+		}
+	}
+	return ""
+}
+
 func buildServers(listeners []*graph.Listener) (http, ssl []VirtualServer) {
 	rulesForProtocol := map[v1.ProtocolType]portPathRules{
 		v1.HTTPProtocolType:  make(portPathRules),

internal/mode/static/state/dataplane/configuration_test.go

@@ -2477,7 +2477,8 @@ func TestConvertBackendTLS(t *testing.T) {
 	}
 
 	expectedWithWellKnownCerts := &VerifyTLS{
-		Hostname: "example.com",
+		Hostname:   "example.com",
+		RootCAPath: getRootCAPath(),
 	}
 
 	tests := []struct {

internal/mode/static/state/dataplane/types.go

@@ -247,4 +247,5 @@ type Backend struct {
 type VerifyTLS struct {
 	CertBundleID CertBundleID
 	Hostname     string
+	RootCAPath   string
 }

internal/mode/static/state/graph/backend_refs.go

@@ -9,6 +9,7 @@ import (
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
+	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/helpers"
 	staticConds "github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/state/conditions"
 )
 
@@ -92,6 +93,13 @@ func addBackendRefsToRules(
 			}
 		}
 
+		if len(backendRefs) > 1 {
+			cond := validateBackendTLSPolicyMatchingAllBackends(backendRefs)
+			if cond != nil {
+				route.Conditions = append(route.Conditions, *cond)
+			}
+		}
+
 		route.Rules[idx].BackendRefs = backendRefs
 	}
 }
@@ -170,6 +178,40 @@ func createBackendRef(
 	return backendRef, nil
 }
 
+// validateBackendTLSPolicyMatchingAllBackends validates that all backends in a rule reference the same
+// BackendTLSPolicy. We require that all backends in a group have the same backend TLS policy configuration.
+// FIXME (ciarams87): This is a temporary solution until we can support multiple backend TLS policies per group.
+func validateBackendTLSPolicyMatchingAllBackends(backendRefs []BackendRef) *conditions.Condition {
+	var mismatch bool
+	var referencePolicy *BackendTLSPolicy
+
+	for _, backendRef := range backendRefs {
+		if backendRef.BackendTLSPolicy == nil {
+			if referencePolicy != nil {
+				// There was a reference before, so they do not all match
+				mismatch = true
+			}
+			continue
+		}
+
+		if referencePolicy == nil {
+			// First reference, store the policy as reference
+			referencePolicy = backendRef.BackendTLSPolicy
+		} else {
+			// Check if the policies match
+			if backendRef.BackendTLSPolicy.Source.Name != referencePolicy.Source.Name ||
+				backendRef.BackendTLSPolicy.Source.Namespace != referencePolicy.Source.Namespace {
+				mismatch = true
+			}
+		}
+	}
+	if mismatch {
+		msg := "Backend TLS policies do not match for all backends"
+		return helpers.GetPointer(staticConds.NewRouteBackendRefUnsupportedValue(msg))
+	}
+	return nil
+}
+
 func findBackendTLSPolicyForService(
 	backendTLSPolicies map[types.NamespacedName]*BackendTLSPolicy,
 	ref gatewayv1.HTTPBackendRef,
@@ -189,9 +231,19 @@ func findBackendTLSPolicyForService(
 			btpNs = string(*btp.Source.Spec.TargetRef.Namespace)
 		}
 		if btp.Source.Spec.TargetRef.Name == ref.Name && btpNs == refNs {
-			// TODO: resolve conflicts between multiple backend TLS policies
-			beTLSPolicy = btp
-			break
+			if beTLSPolicy != nil {
+				if btp.Source.CreationTimestamp.Equal(&beTLSPolicy.Source.CreationTimestamp) {
+					// if the policies have the same creation timestamp, the one that comes first alphabetically wins
+					if btp.Source.Name < beTLSPolicy.Source.Name {
+						beTLSPolicy = btp
+					}
+				} else if btp.Source.CreationTimestamp.Before(&beTLSPolicy.Source.CreationTimestamp) {
+					// the oldest policy wins - see https://gateway-api.sigs.k8s.io/geps/gep-713/#conflict-resolution
+					beTLSPolicy = btp
+				}
+			} else {
+				beTLSPolicy = btp
+			}
 		}
 	}