[NET-9500] Cleanup orphaned inline-certs and acl role/policy

[jm96441n]

Changes proposed in this PR

• Add a goroutine on start up that loops and tries to clean up inline certs that are no longer referenced by any gateway and the original shared acl role/policy that is now specific to each gateway. Once all those are cleaned up the goroutine will exit and stop polling

How I've tested this PR

Run/Write tests

Manual Testing:

1. clone the following gist: https://gist.github.com/jm96441n/b92a80c2251c7a54d1feada320c5eac6
2. run the start.sh script in the gist (this will install consul 1.18-ent so ensure you have an ent license setup)
3. port forward port 8501 to the consul server instance
4. once the cluster is up run the following in another terminal:

export CONSUL_HTTP_ADDR="127.0.0.1:8501"
export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-consul-bootstrap-acl-token --template={{.data.token}} | base64 -d)
export CONSUL_HTTP_SSL=true
export CONSUL_HTTP_SSL_VERIFY=false

5. run consul acl role list and you will see the shared "managed-gateway-acl-role"
6. run consul acl policy list and you will see the shared "api-gateway-token-policy"
7. run consul acl binding-rule list and you will see the shared binding-rules referencing both managed-gateway-acl-role
8. run consul config list -kind inline-certificate and you will see an inline certificate listed
9. in the consul_values.yaml uncomment lines 3 and 4 and comment lines 4 and 5 (also make sure you build consul-k8s from this branch and have an up to date build of main of consul)
10. in the same terminal run export CONSUL_K8S_CHARTS_LOCATION="$HOME/hashi/consul-k8s/charts/consul" and replace the value being set with the location of the helm charts in your local copy of consul-k8s
11. run the following helm upgrade --install consul $CONSUL_K8S_CHARTS_LOCATION -f ./consul_values.yaml -n consul --create-namespace --wait to install the new version of consul-k8s that you built
12. force a re-reconciliation of your gateways (this should happen by default due to the change in dataplane version, if it does not you can delete and recreate the gateways)
13. run consul acl role list and you will not see the shared "managed-gateway-acl-role"
14. run consul acl policy list and you will not see the shared "api-gateway-token-policy"
15. . run consul acl binding-rule list and you will not see the shared binding-rules referencing managed-gateway-acl-role
16. run consul config list -kind inline-certificate and you will see no inline certificates listed

How I expect reviewers to test this PR

read the code
run the tests
do the above steps

Checklist

• Tests added
• CHANGELOG entry added

[jm96441n]

so another direction we could've gone down here is to fetch all the gateways and then for each gateway match it to a binding rule and if we match each gateway to a new binding rule then we can safely delete all the binding rules, definitely open to push back to change this to utilize that heuristic for deleting binding rules rather than what we have here (and we already fetch all the gateways for the inline cert cleanup so it's not like we don't need that data anyways)

[NiniOak]

Code looks fine but the test steps don't seem correct. Happy to re-review it with you before approval

[jm96441n]

Code looks fine but the test steps don't seem correct. Happy to re-review it with you before approval

repro steps should be fixed now! sorry about that!

[nathancoleman]

Do we need to recreate the client every 60s?

[jm96441n]

we do this for the cache code as well, everytime the cache syncs we re-create the client so I wanted to mirror that functionality

[nathancoleman]

Does this list for all namespaces?

[nathancoleman]

Discussed on Slack that the gateway approach described below is probably more scalable in all use cases and would query directly whatever namespace the gateway resided in.

[jm96441n]

we also always write the binding-rules into the default namespace and partition https://github.com/hashicorp/consul-k8s/blob/main/control-plane/api-gateway/cache/consul.go#L557