Add support for "projectcontour.io/tls-cert-namespace" annotation

[pablo-ruth]

Hello,

Following the issue raised in #3544 we are maintaining an internal fork of Contour to be able to use TLS Delegation with Ingress v1. After a discussion with our Tanzu Solution Egineer @lzetea we decided that it could be interesting to propose our changes upstream.

We described our context here to @xaleeks and it seems to be similar to @ghouscht here.

@youngnick said that using an annotation could be the only way to go so I used this approach. I tried to keep the code simple and the change very small. It's backward compatible with "namespace/secret" syntax because the annotation is used only if namespace is blank. It doesn't cover the case where you have multiple TLS secrets from different namespaces.

[codecov]

Codecov Report

Merging #4271 (b145460) into main (49e3dcc) will increase coverage by 0.08%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #4271      +/-   ##
==========================================
+ Coverage   77.74%   77.82%   +0.08%     
==========================================
  Files         112      112              
  Lines       10014    10020       +6     
==========================================
+ Hits         7785     7798      +13     
+ Misses       2046     2040       -6     
+ Partials      183      182       -1     

Impacted Files	Coverage Δ
internal/annotation/annotations.go	100.00% <100.00%> (ø)
internal/dag/ingress_processor.go	97.53% <100.00%> (+4.32%)	⬆️
internal/k8s/objectmeta.go	93.75% <100.00%> (+0.89%)	⬆️

[skriss]

Thanks for the PR @pablo-ruth! I think this is a reasonable approach here for giving folks an option to keep using this functionality when moving to Ingress v1, but others with more of the backstory here can chime in as well.

Assuming we go forward with this, I'd also like to see some test cases added to:

• internal/dag/builder_test.go
• internal/featuretests/v3/tlscertificatedelegation_test.go

And some docs updates:

• https://projectcontour.io/docs/main/config/tls-delegation/
• https://projectcontour.io/docs/main/config/annotations/

[sunjayBhatia]

i think one unit test to fix, included an Ingress with namespace in the secret name

[ghouscht]

Looks like a good solution to me. However we went "all-in" with GatewayAPI together with contour in order to be able to update to k8s 1.22. Nevertheless I'd like to see this merged too 👍🏻

[pablo-ruth]

Thanks @sunjayBhatia for the fix on the test, I merged it.

As discussed @skriss I added tests on both test files and updated the docs.

[skriss]

@pablo-ruth thanks for those updates, they all LGTM. The last thing I see to do here is to add a changelog file, changelogs/unreleased/4271-pablo-ruth-small.md, with a one line description of the change (see https://github.com/projectcontour/contour/blob/main/changelogs/unreleased/small-sample.md). Or if you prefer to write a short paragraph that could include an example, use https://github.com/projectcontour/contour/blob/main/changelogs/unreleased/minor-sample.md and name your file 4271-pablo-ruth-minor.md. Up to you.

[skriss]

Thanks again @pablo-ruth for contributing this change!

[pablo-ruth]

Thanks for your guidance !