feat: add support for certificate fetching and rotation via SDS server

[zirain]

fixes: #6366

The idea is introduce a new API SDS in EnvoyProxy to define an external SDS server.

• It could be a Service or Backend
• Users could use kind: SDS incaCertificateRefs or clientCertificateRef, name will be used to fetch certificate from (external) SDS server.

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 ready!

Name	Link
🔨 Latest commit	5e3ea59
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69ba0cb115b89e000823ef93
😎 Deploy Preview	https://deploy-preview-8537--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[zirain]

do we need to support multiple SDS here?

[arko-oai]

probably safer to do a list

[zirain]

In that case, we need to figure out how to reference to specific sds provider in clientCertificateRef:

caCertificateRefs:
- name: ROOTCA
  kind: SDS

we probably need something like sds-provider-name://ROOTCA but which make thing more complex, becasue we use BackendObjectReference/BackendCluster to reference the backend, there's no provider name.

[arkodg]

we rely on parentRef like semantics

[zirain]

AFAIT, CACertificateRefs uses gwapiv1.SecretObjectReference or gwapiv1.LocalObjectReference.

[codecov]

Codecov Report

❌ Patch coverage is 72.83951% with 44 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@cc23457). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
internal/provider/kubernetes/controller.go	17.64%	26 Missing and 2 partials ⚠️
internal/gatewayapi/backendtlspolicy.go	82.45%	8 Missing and 2 partials ⚠️
internal/gatewayapi/listener.go	92.85%	2 Missing ⚠️
internal/xds/translator/sds.go	93.10%	1 Missing and 1 partial ⚠️
internal/xds/translator/translator.go	85.71%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8537   +/-   ##
=======================================
  Coverage        ?   74.19%           
=======================================
  Files           ?      243           
  Lines           ?    37727           
  Branches        ?        0           
=======================================
  Hits            ?    27991           
  Misses          ?     7782           
  Partials        ?     1954           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arkodg]

shouldnt this be

gateway/api/v1alpha1/shared_types.go

Line 600 in ffceb4f

type BackendCluster struct {

?

[zirain]

this related to #8537 (comment)

[arkodg]

does this need to be a named sds string ?

[zirain]

I have no strong option about use a SDSName instead of the combination of FromSDS+Name.

[arkodg]

also needs smething like https://gateway-api.sigs.k8s.io/reference/1.5/spec/#allowedroutes to allow which namespaces and BTLSP can reference it

[zirain]

Under what conditions, we need to limit a BTLSP reference to SDS provider.

[arkodg]

we dont want an unknown app to reference an sds secret unless allowed by the platform team

[zirain]

this could be done in the next iterater or later.
Let's focus on #8537 (comment) first, do we really need mutiple SDS providers, and how will the API looks like.

[cnvergence]

should we validate if it is a Service or Backend?

[zirain]

we should, let's make an agreement about should this be multiple or not first.