Ability to observe Kubernetes secrets and expose them as SDS resources? #5325
aukevanleeuwen asked this question in Q&A (Unanswered; 1 comment, 1 reply)
-
Is this unlikely something that will be added as an API to Envoy Gateway, because it's not tied to a specific feature.
-
This is more or less a follow-up of #5301 (reply in thread).

In that question, it turns out that adding an extra cluster as the target of a Lua `httpCall` should (for now?) be done with an `EnvoyPatchPolicy`. This leaves me wanting a little bit though, because on that cluster I would like to add TLS configuration with certificate pinning to a certain trust store and mTLS configuration to send a client certificate. For this I need to add some `UpstreamTlsContext`, which I can obviously provide in the JSON patch. However, ideally I don't want to inline or file reference a `ca.crt`/`tls.key`/`tls.crt` secret, but ideally want to use the SDS capabilities of Envoy (like the `validation_context_sds_secret_config`).

So basically my question is: is it possible either with Envoy Gateway API to generically 'load' / observe extra secrets such as a secret containing `ca.crt` or a TLS secret and expose them via the SDS service? If this is not possible in Envoy Gateway, do you know of open source components that I would be able to leverage to create an SDS service? Maybe I'm talking nonsense, but it looks possible to me to be honest. I think the whole idea of SDS is that I should be able to spin up an SDS service, create a cluster for it (more `EnvoyPatchPolicy` probably) and then reference that SDS service for some of the configuration that I'm using for (m)TLS.

To reiterate my question: if the above is indeed the intended architecture of Envoy (I'm still learning daily here), are there components that I can use to implement such a service?

Thanks in advance for all your hard work!
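For reference, the shape of the patch the question describes, added here as an illustration and not code from the discussion or the Envoy Gateway project: an `EnvoyPatchPolicy` that adds the Lua `httpCall` target cluster with an `UpstreamTlsContext` whose client certificate and pinned trust store are both fetched over SDS instead of being inlined. The Gateway name, cluster name, endpoint, SDS secret names and the `sds-cluster` are assumptions; the `sds-cluster` (pointing at whatever SDS server ends up serving the Kubernetes secrets) would have to be added by a second patch, which is exactly the open point of the question.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: lua-upstream-sds            # assumed policy name
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg                        # assumed Gateway name
  type: JSONPatch
  jsonPatches:
    - type: "type.googleapis.com/envoy.config.cluster.v3.Cluster"
      name: lua-httpcall-upstream   # assumed; the cluster the Lua httpCall names
      operation:
        op: add
        path: ""                    # empty path + add creates the whole cluster
        value:
          name: lua-httpcall-upstream
          type: STRICT_DNS
          load_assignment:
            cluster_name: lua-httpcall-upstream
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: auth.example.internal   # assumed endpoint
                          port_value: 8443
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              common_tls_context:
                # client certificate (tls.crt / tls.key) delivered by SDS, not inlined
                tls_certificate_sds_secret_configs:
                  - name: lua-client-cert          # assumed SDS secret name
                    sds_config: &sds               # YAML anchor, reused below
                      resource_api_version: V3
                      api_config_source:
                        api_type: GRPC
                        transport_api_version: V3
                        grpc_services:
                          - envoy_grpc:
                              cluster_name: sds-cluster   # assumed; added by another patch
                # pinned trust store (ca.crt) delivered by SDS; any other issuer is rejected
                validation_context_sds_secret_config:
                  name: lua-upstream-ca            # assumed SDS secret name
                  sds_config: *sds
```

`EnvoyPatchPolicy` is off by default and has to be switched on with `extensionApis.enableEnvoyPatchPolicy: true` in the EnvoyGateway configuration; once applied, `kubectl get envoypatchpolicy -o yaml` shows in the status whether the patch was accepted or rejected by the xDS translation.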