BackendTLSPolicy - Changing a ConfigMap content should be reconciled by the controller

[rikatz]

What would you like to be added:
On a BackendTLSPolicy, once I change the content of a referenced spec.validation.caCertificateRefs it should be updated and used by the proxy.

This way, a conformance test here would be:

• Create a scenario with a workload/backend with TLS enabled
• Create a ConfigMap containing the CA for this backend, and a BackendTLSPolicy for it
• Make a call - should work
• Update the configmap to an invalid CA
• Make a call - should fail
• Roll back to the valid CA
• Make a call - should work

Why this is needed:
We need to guarantee that implementations reflect the desired state of BackendTLSPolicy and CA ASAP. If the implementation doesn't immediately watch a BackendTLSPolicy CA the call to a service may fail and cause disruptions.

[rikatz]

/assign @Thealisyed

I know Ali may be willing to work on this one, so pre-assigning him

[k8s-ci-robot]

@rikatz: GitHub didn't allow me to assign the following users: Thealisyed.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @Thealisyed

I know Ali may be willing to work on this one, so pre-assigning him

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rikatz]

Ali, a good place to start looking at is https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/tests/backendtlspolicy.go#L60.

You can add the test to this file, replicating mostly what is done. We can sync tomorrow on this.

[Thealisyed]

Hey @rikatz, yes I would like to try and tackle this please :)

[rikatz]

/assign @Thealisyed