feat(extension manager): dynamically reload CA certificates

[sapirpol]

What type of PR is this?
Dynamically reload CA certificates for GRPC connections on extension-manager.

What this PR does / why we need it:
This PR introduces dynamic reloading of CA certificates used by Envoy Gateway's extension manager when establishing GRPC connections. Previously, certificates were loaded once, making updates difficult without restarting the service. To resolve this, the PR uses grpc-go's advancedtls library, enabling dynamic certificate management via a custom callback that reloads the certificate.

Comparison of TLS Settings: Before vs. After Update

Setting	Before (Old Approach)	After (New Approach)
Min TLS Version	TLS 1.2	TLS 1.2
Max TLS Version	Highest available	Highest available
Ciphers	Used safe default cipher list with explicitly forbidden RFC 7540 ciphers grpc-go.	Uses safe default cipher list grpc-go. RSA key exchange, 3DES, and CBC cipher suites removed in Go 1.22 and Go 1.23.
Dynamic Certificate Loading	No	Yes (Using GetRootCertificates)

This change was manually tested.

Which issue(s) this PR fixes:

Fixes #5396

Release Notes: Yes

[guydc]

cc @nareddyt

[codecov]

Codecov Report

Attention: Patch coverage is 60.00000% with 14 lines in your changes missing coverage. Please review.

Project coverage is 65.23%. Comparing base (096cb8d) to head (f9a3f16).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/extension/registry/extension_manager.go	60.00%	10 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5613      +/-   ##
==========================================
+ Coverage   65.19%   65.23%   +0.03%     
==========================================
  Files         214      214              
  Lines       34321    34339      +18     
==========================================
+ Hits        22377    22401      +24     
+ Misses      10591    10578      -13     
- Partials     1353     1360       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[guydc]

LGTM

[sapirpol]

@nareddyt Could you please review?

[nareddyt]

Thanks for making this PR! A few minor comments on the production code. Though the test may need another look.

[nareddyt]

Suggested change

	return nil, errors.New("no TLS certificate found in CA secret")
	return nil, fmt.Errorf("no CA certificate found in Kubernetes Secret %s in namespace %s", secret.GetName(), secret.GetNamespace())

1. This is parsing a CA certificate, not TLS certificate. The pre-existing naming of key corev1.TLSCertKey is incorrect unfortunately, but we need to support it for backwards compatibility.
2. Let's include secret name and namespace for debuggability.

[sapirpol]

I fixed the error message

[nareddyt]

This function will run in the background in a goroutine inside advancedtls, correct?

If so, I suggest you don't pass in the parent context to this function, as someone may change the parent context to cancel or timeout in the future.

Instead, create a new context in this function ctx := context.Background()

[sapirpol]

Done

[nareddyt]

Unfortunately this doesn't seem right. extension_manager.go line 316 is reading CA cert from corev1.TLSCertKey (yes it is incorrectly named, but that is a legacy behavior we need to support).

If so, I'm not entirely sure how this test is working (?) Because the CA cert is not in the correct place.

[sapirpol]

I checked the test, and it worked because both the CA and the server certificate were accepted — see: https://stackoverflow.com/questions/77084841/server-certificate-used-as-ca-cert-why-does-it-work/77084918#77084918

I've now updated the test to use a self-signed certificate, so the certificate acts as both the server cert and the CA.

[nareddyt]

Wow, did not know that. Thanks for the explanation!

[nareddyt]

I recommend modifying the test to only pass in the exact necessary data. This makes it clearer to readers that the current naming is incorrect.

Specifically, change the secret to just this, the test should still pass:

Data: map[string][]byte{
  corev1.TLSCertKey:       caCert,
},

Otherwise the PR looks good.

[sapirpol]

Thanks! I updated the secret to include only the necessary data

[sapirpol]

Thanks for making this PR! A few minor comments on the production code. Though the test may need another look.

Thanks! I’ve made the changes and replied back.

[sapirpol]

@nareddyt Could you please re-review the PR and trigger the tests?

[arkodg]

Hey @sapirpol can you rebase the go.mod file

[sapirpol]

Hi @arkodg, I rebased the branch. Could you please review the PR and retrigger the tests?