feat: support crls in client traffic policies

Signed-off-by: Rudrakh Panigrahi <[email protected]>

Author: rudrakhp

api/v1alpha1/tls_types.go

@@ -167,7 +167,6 @@ type ClientValidationContext struct {
 
 	// Crl specifies the crl configuration that can be used to validate the client initiating the TLS connection
 	// +optional
-	// +notImplementedHide
 	Crl *CrlContext `json:"crl,omitempty"`
 }
 

internal/gatewayapi/backendtlspolicy.go

@@ -309,7 +309,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
 		case resource.KindConfigMap:
 			cm := resources.GetConfigMap(namespace, string(caRef.Name))
 			if cm != nil {
-				if crt, dataOk := getCaCertFromConfigMap(cm); dataOk {
+				if crt, dataOk := getCaCertFromData(cm.Data); dataOk {
 					if ca != "" {
 						ca += "\n"
 					}
@@ -323,7 +323,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
 		case resource.KindSecret:
 			secret := resources.GetSecret(namespace, string(caRef.Name))
 			if secret != nil {
-				if crt, dataOk := getCaCertFromSecret(secret); dataOk {
+				if crt, dataOk := getCaCertFromData(secret.Data); dataOk {
 					if ca != "" {
 						ca += "\n"
 					}

internal/gatewayapi/clienttrafficpolicy.go

@@ -857,7 +857,7 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli
 					return irTLSConfig, err
 				}
 
-				secretCertBytes, ok := getCaCertFromSecret(secret)
+				secretCertBytes, ok := getCaCertFromData(secret.Data)
 				if !ok || len(secretCertBytes) == 0 {
 					return irTLSConfig, fmt.Errorf(
 						"caCertificateRef secret [%s] not found", caCertRef.Name)
@@ -869,7 +869,7 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli
 					return irTLSConfig, err
 				}
 
-				configMapData, ok := getCaCertFromConfigMap(configMap)
+				configMapData, ok := getCaCertFromData(configMap.Data)
 				if !ok || len(configMapData) == 0 {
 					return irTLSConfig, fmt.Errorf(
 						"caCertificateRef configmap [%s] not found", caCertRef.Name)
@@ -892,12 +892,62 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli
 			}
 			irCACert.Certificate = append(irCACert.Certificate, caCertBytes...)
 		}
-
 		if len(irCACert.Certificate) > 0 {
 			irTLSConfig.CACertificate = irCACert
 			irTLSConfig.RequireClientCertificate = !tlsParams.ClientValidation.Optional
 			setTLSClientValidationContext(tlsParams.ClientValidation, irTLSConfig)
 		}
+
+		irCrl := &ir.TLSCrl{
+			Name: irTLSCrlName(policy.Namespace, policy.Name),
+		}
+
+		if tlsParams.ClientValidation.Crl != nil {
+			for _, crlRef := range tlsParams.ClientValidation.Crl.Refs {
+				crlRefKind := string(ptr.Deref(crlRef.Kind, resource.KindSecret))
+				var crlBytes []byte
+				switch crlRefKind {
+				case resource.KindSecret:
+					secret, err := t.validateSecretRef(false, from, crlRef, resources)
+					if err != nil {
+						return irTLSConfig, err
+					}
+
+					secretCrlBytes, ok := getCrlFromData(secret.Data)
+					if !ok || len(secretCrlBytes) == 0 {
+						return irTLSConfig, fmt.Errorf(
+							"crl secret [%s] not found", crlRef.Name)
+					}
+					crlBytes = secretCrlBytes
+				case resource.KindConfigMap:
+					configMap, err := t.validateConfigMapRef(false, from, crlRef, resources)
+					if err != nil {
+						return irTLSConfig, err
+					}
+
+					configMapData, ok := getCrlFromData(configMap.Data)
+					if !ok || len(configMapData) == 0 {
+						return irTLSConfig, fmt.Errorf(
+							"crl configmap [%s] not found", crlRef.Name)
+					}
+					crlBytes = []byte(configMapData)
+				default:
+					return irTLSConfig, fmt.Errorf("unsupported crlRef kind:%s", crlRefKind)
+				}
+
+				if err := validateCrl(crlBytes); err != nil {
+					return irTLSConfig, fmt.Errorf(
+						"invalid crl in %s %s: %w", crlRefKind, crlRef.Name, err)
+				}
+				irCrl.Data = append(irCrl.Data, crlBytes...)
+			}
+			if len(irCrl.Data) > 0 {
+				irTLSConfig.Crl = irCrl
+			}
+			if tlsParams.ClientValidation.Crl.OnlyVerifyLeafCertificate != nil {
+				irCrl.OnlyVerifyLeafCertificate = *tlsParams.ClientValidation.Crl.OnlyVerifyLeafCertificate
+			}
+		}
 	}
 
 	if tlsParams.Session != nil && tlsParams.Session.Resumption != nil {

internal/gatewayapi/helpers.go

@@ -38,6 +38,7 @@ const (
 	L7Protocol = "L7"
 
 	caCertKey = "ca.crt"
+	crlKey    = "ca.crl"
 )
 
 type protocolPort struct {
@@ -461,6 +462,10 @@ func irTLSCACertName(namespace, name string) string {
 	return fmt.Sprintf("%s/%s/%s", namespace, name, caCertKey)
 }
 
+func irTLSCrlName(namespace, name string) string {
+	return fmt.Sprintf("%s/%s/%s", namespace, name, crlKey)
+}
+
 func IsMergeGatewaysEnabled(resources *resource.Resources) bool {
 	return resources.EnvoyProxyForGatewayClass != nil && resources.EnvoyProxyForGatewayClass.Spec.MergeGateways != nil && *resources.EnvoyProxyForGatewayClass.Spec.MergeGateways
 }
@@ -688,38 +693,26 @@ func getPreserveRouteOrder(envoyProxy *egv1a1.EnvoyProxy) bool {
 	return false
 }
 
-func getCaCertFromConfigMap(cm *corev1.ConfigMap) (string, bool) {
-	var data string
-	data, exits := cm.Data[caCertKey]
-	switch {
-	case exits:
-		return data, true
-	case len(cm.Data) == 1: // Fallback to the first key if ca.crt is not found
-		for _, value := range cm.Data {
-			data = value
-			break
-		}
-		return data, true
-	default:
-		return "", false
-	}
+// getCrlFromData returns crl from the data map
+func getCrlFromData[T any](data map[string]T) (T, bool) {
+	return getOrFirstFromData(data, crlKey)
 }
 
-func getCaCertFromSecret(s *corev1.Secret) ([]byte, bool) {
-	var data []byte
-	data, exits := s.Data[caCertKey]
-	switch {
-	case exits:
-		return data, true
-	case len(s.Data) == 1: // Fallback to the first key if ca.crt is not found
-		for _, value := range s.Data {
-			data = value
-			break
+// getCaCertFromData returns ca certificate from the data map
+func getCaCertFromData[T any](data map[string]T) (T, bool) {
+	return getOrFirstFromData(data, caCertKey)
+}
+
+// getOrFirstFromData returns the value of the key in the data map, or the first value if the key is not found
+func getOrFirstFromData[T any](data map[string]T, key string) (T, bool) {
+	if val, exists := data[key]; exists {
+		return val, true
+	} else if len(data) > 0 {
+		for _, value := range data {
+			return value, true
 		}
-		return data, true
-	default:
-		return nil, false
 	}
+	return *new(T), false
 }
 
 func irStringMatch(name string, match egv1a1.StringMatch) *ir.StringMatch {

internal/gatewayapi/helpers_test.go

@@ -758,7 +758,7 @@ func TestGetCaCertFromConfigMap(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, found := getCaCertFromConfigMap(tc.cm)
+			got, found := getCaCertFromData(tc.cm.Data)
 			require.Equal(t, tc.expectedFound, found)
 			require.Equal(t, tc.expected, got)
 		})
@@ -804,7 +804,7 @@ func TestGetCaCertFromSecret(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, found := getCaCertFromSecret(tc.s)
+			got, found := getCaCertFromData(tc.s.Data)
 			require.Equal(t, tc.expectedFound, found)
 			require.Equal(t, tc.expected, string(got))
 		})

internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml

@@ -31,8 +31,8 @@ clientTrafficPolicies:
       conditions:
       - lastTransitionTime: null
         message: |-
-          TLS: caCertificateRef secret [tls-secret-1] not found
-          TLS: caCertificateRef secret [tls-secret-1] not found.
+          TLS: invalid certificate in Secret tls-secret-1: certificate has expired since 2025-01-25 23:15:31 +0000 UTC
+          TLS: invalid certificate in Secret tls-secret-1: certificate has expired since 2025-01-25 23:15:31 +0000 UTC.
         reason: Invalid
         status: "False"
         type: Accepted