
Proposal: For multi-cluster allocation move remote server CA to GameServerAllocationPolicy #1517

Closed
pooneh-m opened this issue May 6, 2020 · 1 comment · Fixed by #1545
Labels
area/operations Installation, updating, metrics etc kind/feature New features for Agones
pooneh-m commented May 6, 2020

Is your feature request related to a problem? Please describe.
Currently, for multi-cluster allocation the client secret is expected to have the server CA. However, this is not compatible with the out-of-the-box certificate management solutions (e.g. cert-manager).

Describe the solution you'd like
GameServerAllocationPolicy has the information about the remote cluster allocation endpoint. The server CA should be a field under connectionInfo, and only provided if the remote server cert is not signed by a public CA (e.g. self-signed). This will be similar to caBundle model in k8s webhooks.

```yaml
apiVersion: multicluster.agones.dev/v1
kind: GameServerAllocationPolicy
metadata:
  ...
spec:
  connectionInfo:
    allocationEndpoints:
    - 1.1.1.1
    namespace: default
    secretName: client-secret
    serverCA: c2VydmVyQ0E=
  priority: 1
  weight: 100
```

The solution should be backward compatible to support the existing client secret setup, meaning if the secretCA is set in GameServerAllocationPolicy, use it. Otherwise, fall back to the existing solution of using ca.crt from the client secret.

Describe alternatives you've considered
Instead of storing the base64 PEM encoded secret for server CA in connectionInfo, the value can be stored in a k8s secret and a reference to the secret is stored in the GameServerAllocationPolicy. However, because server CA is the public portion of the certificate, there is no security reason for storing it in the k8s secret. It also will add an extra resource read to the multi-cluster allocation operation to read the server CA secret.

@pooneh-m pooneh-m added the kind/feature New features for Agones label May 6, 2020
@markmandel (Member)
This sounds like a good idea to me 👍
