Description:
I was playing around with my prototype of a custom backend ref by trying to apply a BackendTLSPolicy on it. I noticed that the TLS settings weren't getting applied. Here were the configurations I tested:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: backend-tls-ca-cert
  namespace: envoy-gateway-system
data:
  ca.crt: <omitted>
---
# my custom backend
apiVersion: xdsbackend.wtzhang23.github.io/v1alpha1
kind: XdsBackend
metadata:
  name: test-backend-tls
  namespace: envoy-gateway-system
spec:
  server:
    server: fileeds-server
  service: test-http-service-tls
  apiType: GRPC
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: test-backend-tls-policy
  namespace: envoy-gateway-system
spec:
  targetRefs:
    - group: xdsbackend.wtzhang23.github.io
      kind: XdsBackend
      name: test-backend-tls
  validation:
    caCertificateRefs:
      - name: backend-tls-ca-cert
        kind: ConfigMap
        group: ""
    hostname: test-http-service.test-namespace.svc.cluster.local
```
As a feature request, I'd like to know whether it would be possible to pre-apply the backend TLS policy for custom backend refs before sending them to an extension server for processing in the PostClusterModify hook.

My guess is that this is due to the application of the TLS configurations being short-circuited by the return here. I assume if the TLS field was specified in that return value, this would allow the backend TLS policy to apply?