Support multiple server certificates in gateway (istio & gateway api)

Address istio#36181
- Update istio gateway to support multiple server certificates (istio/api#3466)
- Update gateway api support to allow at most 2 server certificates

Author: raoaditya314

pilot/pkg/config/kube/gateway/conversion.go

@@ -1906,26 +1906,31 @@ func buildTLS(
 				return out, nil
 			}
 		}
-		if len(tls.CertificateRefs) != 1 {
-			// This is required in the API, should be rejected in validation
-			return out, &ConfigError{Reason: InvalidTLS, Message: "exactly 1 certificateRefs should be present for TLS termination"}
-		}
-		cred, err := buildSecretReference(ctx, tls.CertificateRefs[0], gw, secrets)
-		if err != nil {
-			return out, err
-		}
-		credNs := ptr.OrDefault((*string)(tls.CertificateRefs[0].Namespace), namespace)
-		sameNamespace := credNs == namespace
-		if !sameNamespace && !grants.SecretAllowed(ctx, creds.ToResourceName(cred), namespace) {
+		if len(tls.CertificateRefs) > 2 {
 			return out, &ConfigError{
-				Reason: InvalidListenerRefNotPermitted,
-				Message: fmt.Sprintf(
-					"certificateRef %v/%v not accessible to a Gateway in namespace %q (missing a ReferenceGrant?)",
-					tls.CertificateRefs[0].Name, credNs, namespace,
-				),
+				Reason:  InvalidTLS,
+				Message: "TLS mode can only support up to 2 server certificates",
+			}
+		}
+		out.CredentialNames = make([]string, len(tls.CertificateRefs))
+		for i, certRef := range tls.CertificateRefs {
+			cred, err := buildSecretReference(ctx, certRef, gw, secrets)
+			if err != nil {
+				return out, err
+			}
+			credNs := ptr.OrDefault((*string)(certRef.Namespace), namespace)
+			sameNamespace := credNs == namespace
+			if !sameNamespace && !grants.SecretAllowed(ctx, creds.ToResourceName(cred), namespace) {
+				return out, &ConfigError{
+					Reason: InvalidListenerRefNotPermitted,
+					Message: fmt.Sprintf(
+						"certificateRef %v/%v not accessible to a Gateway in namespace %q (missing a ReferenceGrant?)",
+						tls.CertificateRefs[0].Name, credNs, namespace,
+					),
+				}
 			}
+			out.CredentialNames[i] = cred
 		}
-		out.CredentialName = cred
 	case k8s.TLSModePassthrough:
 		out.Mode = istio.ServerTLSSettings_PASSTHROUGH
 		if isAutoPassthrough {

pilot/pkg/config/kube/gateway/testdata/reference-policy-tls.yaml.golden

@@ -17,7 +17,8 @@ spec:
       number: 443
       protocol: HTTPS
     tls:
-      credentialName: kubernetes-gateway://cert/cert
+      credentialNames:
+      - kubernetes-gateway://cert/cert
       mode: SIMPLE
 ---
 apiVersion: networking.istio.io/v1

pilot/pkg/config/kube/gateway/testdata/tls.yaml.golden

@@ -37,7 +37,8 @@ spec:
       number: 34000
       protocol: HTTPS
     tls:
-      credentialName: kubernetes-gateway://istio-system/my-cert-http
+      credentialNames:
+      - kubernetes-gateway://istio-system/my-cert-http
       mode: SIMPLE
 ---
 apiVersion: networking.istio.io/v1
@@ -80,7 +81,8 @@ spec:
       number: 34000
       protocol: HTTPS
     tls:
-      credentialName: kubernetes-gateway://istio-system/my-cert-http
+      credentialNames:
+      - kubernetes-gateway://istio-system/my-cert-http
       mode: MUTUAL
 ---
 apiVersion: networking.istio.io/v1

pilot/pkg/model/context.go

@@ -66,6 +66,7 @@ type (
 	PodPort                 = pm.PodPort
 	StringBool              = pm.StringBool
 	IPMode                  = pm.IPMode
+	TLSServerCertificate    = pm.TLSServerCertificate
 )
 
 const (

pilot/pkg/networking/core/listener.go

@@ -164,18 +164,40 @@ func BuildListenerTLSContext(serverTLSSettings *networking.ServerTLSSettings,
 	switch {
 	case serverTLSSettings.Mode == networking.ServerTLSSettings_ISTIO_MUTUAL:
 		authnmodel.ApplyToCommonTLSContext(ctx.CommonTlsContext, proxy, serverTLSSettings.SubjectAltNames, serverTLSSettings.CaCrl, []string{}, validateClient)
+	// If credential names are specified at gateway config, create SDS config for gateway to fetch key/cert from Istiod.
+	case len(serverTLSSettings.GetCredentialNames()) > 0:
+		authnmodel.ApplyCredentialSDSToServerCommonTLSContext(ctx.CommonTlsContext, serverTLSSettings, credentialSocketExist)
 	// If credential name is specified at gateway config, create  SDS config for gateway to fetch key/cert from Istiod.
 	case serverTLSSettings.CredentialName != "":
 		authnmodel.ApplyCredentialSDSToServerCommonTLSContext(ctx.CommonTlsContext, serverTLSSettings, credentialSocketExist)
 	default:
+		// If certificate files are specified in gateway configuration, use file based SDS.
+		var tlsCertificates []*model.TLSServerCertificate
+		// If multiple certificates are specified in gateway configuration, create proxy with multiple certificates.
+		if len(serverTLSSettings.TlsCertificates) > 0 {
+			tlsCertificates = make([]*model.TLSServerCertificate, len(serverTLSSettings.TlsCertificates))
+			for i, cert := range serverTLSSettings.TlsCertificates {
+				tlsCertificates[i] = &model.TLSServerCertificate{
+					TLSServerCertChain: cert.ServerCertificate,
+					TLSServerKey:       cert.PrivateKey,
+					TLSServerRootCert:  cert.CaCertificates,
+				}
+			}
+			// Fallback to single certificate via server certificate settings in the gateway config.
+		} else {
+			tlsCertificates = []*model.TLSServerCertificate{
+				{
+					TLSServerCertChain: serverTLSSettings.ServerCertificate,
+					TLSServerKey:       serverTLSSettings.PrivateKey,
+					TLSServerRootCert:  serverTLSSettings.CaCertificates,
+				},
+			}
+		}
 		certProxy := &model.Proxy{}
 		certProxy.IstioVersion = proxy.IstioVersion
-		// If certificate files are specified in gateway configuration, use file based SDS.
 		certProxy.Metadata = &model.NodeMetadata{
-			TLSServerCertChain: serverTLSSettings.ServerCertificate,
-			TLSServerKey:       serverTLSSettings.PrivateKey,
-			TLSServerRootCert:  serverTLSSettings.CaCertificates,
-			Raw:                proxy.Metadata.Raw,
+			TLSServerCertificates: tlsCertificates,
+			Raw:                   proxy.Metadata.Raw,
 		}
 
 		authnmodel.ApplyToCommonTLSContext(ctx.CommonTlsContext, certProxy, serverTLSSettings.SubjectAltNames, serverTLSSettings.CaCrl, []string{}, validateClient)

pilot/pkg/networking/core/listener_test.go

@@ -35,13 +35,15 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 	wrappers "google.golang.org/protobuf/types/known/wrapperspb"
 
+	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	extensions "istio.io/api/extensions/v1alpha1"
 	meshconfig "istio.io/api/mesh/v1alpha1"
 	networking "istio.io/api/networking/v1alpha3"
 	security "istio.io/api/security/v1beta1"
 	telemetry "istio.io/api/telemetry/v1alpha1"
 	"istio.io/istio/pilot/pkg/features"
 	"istio.io/istio/pilot/pkg/model"
+	istionetworking "istio.io/istio/pilot/pkg/networking"
 	"istio.io/istio/pilot/pkg/networking/core/listenertest"
 	"istio.io/istio/pilot/pkg/networking/util"
 	"istio.io/istio/pilot/pkg/serviceregistry/provider"
@@ -3137,3 +3139,106 @@ func TestListenerTransportSocketConnectTimeoutForSidecar(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildListenerTLSContext(t *testing.T) {
+	tests := []struct {
+		name                    string
+		serverTLSSettings       *networking.ServerTLSSettings
+		proxy                   *model.Proxy
+		mesh                    *meshconfig.MeshConfig
+		transportProtocol       istionetworking.TransportProtocol
+		gatewayTCPServerWithTLS bool
+		expectedCertCount       int
+		expectedValidation      bool
+	}{
+		{
+			name: "single certificate with credential name",
+			serverTLSSettings: &networking.ServerTLSSettings{
+				Mode:           networking.ServerTLSSettings_SIMPLE,
+				CredentialName: "test-cert",
+			},
+			proxy: &model.Proxy{
+				Metadata: &model.NodeMetadata{},
+			},
+			mesh:                    &meshconfig.MeshConfig{},
+			transportProtocol:       istionetworking.TransportProtocolTCP,
+			gatewayTCPServerWithTLS: false,
+			expectedCertCount:       1,
+			expectedValidation:      false,
+		},
+		{
+			name: "multiple certificates with credential names",
+			serverTLSSettings: &networking.ServerTLSSettings{
+				Mode:            networking.ServerTLSSettings_SIMPLE,
+				CredentialNames: []string{"rsa-cert", "ecdsa-cert"},
+			},
+			proxy: &model.Proxy{
+				Metadata: &model.NodeMetadata{},
+			},
+			mesh:                    &meshconfig.MeshConfig{},
+			transportProtocol:       istionetworking.TransportProtocolTCP,
+			gatewayTCPServerWithTLS: false,
+			expectedCertCount:       2,
+			expectedValidation:      false,
+		},
+		{
+			name: "multiple certificates with mutual TLS",
+			serverTLSSettings: &networking.ServerTLSSettings{
+				Mode:            networking.ServerTLSSettings_MUTUAL,
+				CredentialNames: []string{"rsa-cert", "ecdsa-cert"},
+				SubjectAltNames: []string{"test.com"},
+			},
+			proxy: &model.Proxy{
+				Metadata: &model.NodeMetadata{},
+			},
+			mesh:                    &meshconfig.MeshConfig{},
+			transportProtocol:       istionetworking.TransportProtocolTCP,
+			gatewayTCPServerWithTLS: false,
+			expectedCertCount:       2,
+			expectedValidation:      true,
+		},
+		{
+			name: "prefer credential names over credential name",
+			serverTLSSettings: &networking.ServerTLSSettings{
+				Mode:            networking.ServerTLSSettings_SIMPLE,
+				CredentialName:  "old-cert",
+				CredentialNames: []string{"rsa-cert", "ecdsa-cert"},
+			},
+			proxy: &model.Proxy{
+				Metadata: &model.NodeMetadata{},
+			},
+			mesh:                    &meshconfig.MeshConfig{},
+			transportProtocol:       istionetworking.TransportProtocolTCP,
+			gatewayTCPServerWithTLS: false,
+			expectedCertCount:       2,
+			expectedValidation:      false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := BuildListenerTLSContext(tt.serverTLSSettings, tt.proxy, tt.mesh, tt.transportProtocol, tt.gatewayTCPServerWithTLS)
+
+			// Check certificate count
+			if len(ctx.CommonTlsContext.TlsCertificateSdsSecretConfigs) != tt.expectedCertCount {
+				t.Errorf("expected %d certificates, got %d", tt.expectedCertCount, len(ctx.CommonTlsContext.TlsCertificateSdsSecretConfigs))
+			}
+
+			// Check validation context
+			if tt.expectedValidation {
+				if ctx.CommonTlsContext.ValidationContextType == nil {
+					t.Error("expected validation context to be set")
+				}
+				combinedCtx, ok := ctx.CommonTlsContext.ValidationContextType.(*tls.CommonTlsContext_CombinedValidationContext)
+				if !ok {
+					t.Error("expected CombinedValidationContext")
+				}
+				if combinedCtx.CombinedValidationContext == nil {
+					t.Error("expected CombinedValidationContext to be set")
+				}
+			} else if ctx.CommonTlsContext.ValidationContextType != nil {
+				t.Error("unexpected validation context")
+			}
+		})
+	}
+}

pilot/pkg/security/model/authentication.go

@@ -129,46 +129,52 @@ func AppendURIPrefixToTrustDomain(trustDomainAliases []string) []string {
 func ApplyToCommonTLSContext(tlsContext *tls.CommonTlsContext, proxy *model.Proxy,
 	subjectAltNames []string, crl string, trustDomainAliases []string, validateClient bool,
 ) {
-	customFileSDSServer := proxy.Metadata.Raw[security.CredentialFileMetaDataName] == "true"
-	// These are certs being mounted from within the pod. Rather than reading directly in Envoy,
-	// which does not support rotation, we will serve them over SDS by reading the files.
-	// We should check if these certs have values, if yes we should use them or otherwise fall back to defaults.
-	res := security.SdsCertificateConfig{
-		CertificatePath:   proxy.Metadata.TLSServerCertChain,
-		PrivateKeyPath:    proxy.Metadata.TLSServerKey,
-		CaCertificatePath: proxy.Metadata.TLSServerRootCert,
-	}
-
-	// TODO: if subjectAltName ends with *, create a prefix match as well.
-	// TODO: if user explicitly specifies SANs - should we alter his explicit config by adding all spifee aliases?
-	matchSAN := util.StringToExactMatch(subjectAltNames)
-	if len(trustDomainAliases) > 0 {
-		matchSAN = append(matchSAN, util.StringToPrefixMatch(AppendURIPrefixToTrustDomain(trustDomainAliases))...)
+	if proxy.Metadata.TLSServerCertificates == nil {
+		// Create a default TLS server certificate
+		proxy.Metadata.TLSServerCertificates = []*model.TLSServerCertificate{{}}
 	}
+	sdsSecretConfigs := make([]*tls.SdsSecretConfig, len(proxy.Metadata.TLSServerCertificates))
+	for i, cert := range proxy.Metadata.TLSServerCertificates {
+		customFileSDSServer := proxy.Metadata.Raw[security.CredentialFileMetaDataName] == "true"
+		// These are certs being mounted from within the pod. Rather than reading directly in Envoy,
+		// which does not support rotation, we will serve them over SDS by reading the files.
+		// We should check if these certs have values, if yes we should use them or otherwise fall back to defaults.
+		res := security.SdsCertificateConfig{
+			CertificatePath:   cert.TLSServerCertChain,
+			PrivateKeyPath:    cert.TLSServerKey,
+			CaCertificatePath: cert.TLSServerRootCert,
+		}
 
-	// configure server listeners with SDS.
-	if validateClient {
-		defaultValidationContext := &tls.CertificateValidationContext{
-			MatchSubjectAltNames: matchSAN,
+		// TODO: if subjectAltName ends with *, create a prefix match as well.
+		// TODO: if user explicitly specifies SANs - should we alter his explicit config by adding all spifee aliases?
+		matchSAN := util.StringToExactMatch(subjectAltNames)
+		if len(trustDomainAliases) > 0 {
+			matchSAN = append(matchSAN, util.StringToPrefixMatch(AppendURIPrefixToTrustDomain(trustDomainAliases))...)
 		}
-		if crl != "" {
-			defaultValidationContext.Crl = &core.DataSource{
-				Specifier: &core.DataSource_Filename{
-					Filename: crl,
+
+		// configure server listeners with SDS.
+		if validateClient {
+			defaultValidationContext := &tls.CertificateValidationContext{
+				MatchSubjectAltNames: matchSAN,
+			}
+			if crl != "" {
+				defaultValidationContext.Crl = &core.DataSource{
+					Specifier: &core.DataSource_Filename{
+						Filename: crl,
+					},
+				}
+			}
+			tlsContext.ValidationContextType = &tls.CommonTlsContext_CombinedValidationContext{
+				CombinedValidationContext: &tls.CommonTlsContext_CombinedCertificateValidationContext{
+					DefaultValidationContext:         defaultValidationContext,
+					ValidationContextSdsSecretConfig: constructSdsSecretConfig(res.GetRootResourceName(), SDSRootResourceName, customFileSDSServer),
 				},
 			}
-		}
-		tlsContext.ValidationContextType = &tls.CommonTlsContext_CombinedValidationContext{
-			CombinedValidationContext: &tls.CommonTlsContext_CombinedCertificateValidationContext{
-				DefaultValidationContext:         defaultValidationContext,
-				ValidationContextSdsSecretConfig: constructSdsSecretConfig(res.GetRootResourceName(), SDSRootResourceName, customFileSDSServer),
-			},
-		}
 
+		}
+		sdsSecretConfigs[i] = constructSdsSecretConfig(res.GetResourceName(), SDSDefaultResourceName, customFileSDSServer)
 	}
-	tlsContext.TlsCertificateSdsSecretConfigs = []*tls.SdsSecretConfig{
-		constructSdsSecretConfig(res.GetResourceName(), SDSDefaultResourceName, customFileSDSServer),
-	}
+	tlsContext.TlsCertificateSdsSecretConfigs = sdsSecretConfigs
 }
 
 // constructSdsSecretConfig allows passing a file name and a fallback.
@@ -217,9 +223,19 @@ func ApplyCredentialSDSToServerCommonTLSContext(tlsContext *tls.CommonTlsContext
 	tlsOpts *networking.ServerTLSSettings, credentialSocketExist bool,
 ) {
 	// create SDS config for gateway/sidecar to fetch key/cert from agent.
-	tlsContext.TlsCertificateSdsSecretConfigs = []*tls.SdsSecretConfig{
-		ConstructSdsSecretConfigForCredential(tlsOpts.CredentialName, credentialSocketExist),
+	if len(tlsOpts.CredentialNames) > 0 {
+		// Handle multiple certificates for RSA and ECDSA
+		tlsContext.TlsCertificateSdsSecretConfigs = make([]*tls.SdsSecretConfig, len(tlsOpts.CredentialNames))
+		for i, name := range tlsOpts.CredentialNames {
+			tlsContext.TlsCertificateSdsSecretConfigs[i] = ConstructSdsSecretConfigForCredential(name, credentialSocketExist)
+		}
+	} else {
+		// Handle single certificate
+		tlsContext.TlsCertificateSdsSecretConfigs = []*tls.SdsSecretConfig{
+			ConstructSdsSecretConfigForCredential(tlsOpts.CredentialName, credentialSocketExist),
+		}
 	}
+
 	// If tls mode is MUTUAL/OPTIONAL_MUTUAL, create SDS config for gateway/sidecar to fetch certificate validation context
 	// at gateway agent. Otherwise, use the static certificate validation context config.
 	if tlsOpts.Mode == networking.ServerTLSSettings_MUTUAL || tlsOpts.Mode == networking.ServerTLSSettings_OPTIONAL_MUTUAL {