-
Notifications
You must be signed in to change notification settings - Fork 45
Add the ability to create cluster-local
certificates by an internal cert-issuer
#538
Add the ability to create cluster-local
certificates by an internal cert-issuer
#538
Conversation
Codecov Report
@@ Coverage Diff @@
## main #538 +/- ##
==========================================
+ Coverage 83.96% 87.50% +3.53%
==========================================
Files 5 5
Lines 368 392 +24
==========================================
+ Hits 309 343 +34
+ Misses 44 34 -10
Partials 15 15
|
I decided to go with these changes, regardless of the similarity of #353 and the discussion in https://cloud-native.slack.com/archives/C04LMU0AX60/p1684321868604549. Otherwise the work on full end-to-end internal encryption is kind of blocked until we find some common ground. Changing the configuration logic to a domain based one seems a bit unrealistic at the moment and a bit ambiguous from an users UX. Please also take a look at https://github.com/ReToCode/knative-encryption/blob/main/4-final-setup/HOW_DOES_IT_WORK.md. I tried to summarise how this is going to look like, as there will be more PRs to I'm not sure if we should include a "default" self-signed issuer -> /assign @skonto , @dprotaso , @evankanderson , @davidhadas , @nak3 , @KauzClay |
Does the readme file of this repo correctly represent what this repo is for? |
/hold The result of having two config points where one of them, when used, makes the other one ignored, seems not great... |
I don't think it does. But I'd like this in a separate PR.
What do you mean by that?
|
To use Auto TLS before the PR the admin needed for example to do:
|
Ah I see what you mean, here my comments:
|
and also
Regarding the defaulting behaviour, I'm unsure what is the best approach. We could actually have "sane" defaults if both are not specified. To use the internal CA to create external domains might work technically, but makes not much sense form an user perspective, as nothing would trust the internal CA out of the box, making the routes unusable without |
Is this what you mean? |
Yes for If we do not do that (in general, not specifically here), we enable internal encryption and/or trust, but the service is still called via http. |
After this PR we will have two types of certificates: those with if the user also sets a I think we need to try and avoid having config points where one config requires the user to always do some other config and without it, the system is left in an error state. Bottom line, I don't like knative logging errors instead of working with workable defaults when Would like others to consider the above, yet unholding... |
I think we will end up there when we re-model the control-protocol stuff to use the abstraction and ship that by default.
I think that approach is feasible. But it does mean that we change the current behaviour for external certificates as well and there its a bit tricky to say what the default issuer should be. Also I have some doubts that people willing to use Open for other input. @dprotaso, @skonto, @evankanderson , @nak3 |
Would you mind sharing why you want to tie this to the trustConfig flag? Just curious, what do you think of linking it to the autoTLS config instead? As long as autoTLS is true, if an internal provider is set in I agree securing ClusterLocal routes falls under the broad category of internal encryption, but in my mind, the trustConfig options feel more like Knative nuts and bolts. Users aren't going to talk to the activator or the queue-proxy directly (at least I don't think). But they will hit clusterLocal routes directly, just as they hit ExternalIP routes. To me, having same root on/off switch for both internal and external routes is clearer. I admit this would still mean there are multiple things to turn on if you want to secure the path all the way from client to user-container, though. Not just one nice switch. |
I was also struggling with the difference between the way we configure external and local and I agree that making both set by the same autoTls flag makes more sense.
I would avoid dropping to HTTP after the admin had set autoTls + chose net-certmanager, but forgot to set internalIssuerRef ... Admins will not be able to figure that out if this is what we will do.
I agree that making a divide between configuring "internal" (ingress to queue) that will be using
I agree this needs to be improved (not by this PR though). Some of our options:
|
I see, that makes sense. Okay, if I understand correctly, it seems like this PR intends to do that? And then, based on earlier comments on this PR, sounds like there would have to be some separate PR to make that error more visible within Knative. |
Just to make sure we are in sync, I am advocating that we should not silently drop to HTTP when we discover inconsistent HTTPs ingress configuration (autoTLS=true). So if we find that |
Ah okay, I follow. I like the default option of a self-signed cert from certmanager. You could probably even use it for both internal and external provider defaults, but that is outside the scope of this PR. I think I misunderstood the changes. I took the presence of this file and the the example config block as evidence that the behavior was to default to the self-signed cert from certmanager. |
I would strongly vote against mixing external certificates and internal encryption in general. For example on OCP we have a separate ingress solution in front of Knative that handles all external Domains and TLS for that, so we do not want autoTLS but we still want internal-encryption. Today, these two things (autoTLS and internal-encryption/or the new trust flags) are separated from each other and can be turned on/off independently. I do get your point about the defaulting behaviour, although, I still do not think it makes sense to use But I'm ok with always adding a self-signed CA and use them as a default. So turning on either |
status:
conditions:
- lastTransitionTime: "2023-06-08T12:20:46Z"
message: Issuing certificate as Secret was previously issued by ClusterIssuer.cert-manager.io/knative-internal-encryption-issuer
observedGeneration: 2
reason: IncorrectIssuer
status: "True"
type: Issuing |
Updated the defaulting. |
@davidhadas , @KauzClay can you please take another look ^^. |
Nice, I like the idea of using the default issuer for both internal and external.
I see what you're saying about not wanting to attach it to autoTLS config. And I can see how for all traffic internal to the cluster (whether that is from cluster-internal client -> Ingress, or Ingress to activator/queue), you probably want to use the same issuer. I guess personally, I'm still not a huge fan of having the same on/off switch for both cases. Just throwing things out there, but what do you think about adding an autoTLSInternal config or something to serving? net-certmanager would still only have the internal and external issuers like you have in this PR, but the trust config can be separate from deciding if you want your clusterlocal routes to be encrypted? I suppose that branches out to a separate PR then... |
Hm I agree that the flags are a bit confusing and also not ideally named. For now we have:
But to clean that up would be the scope of another PR. |
agreed. Maybe we can start a discussion in slack or one of the working group meetings. Anyway, I am cool with the changes here. Idk if I have the ability to approve it for real, but... /approve |
@davidhadas what is your latest take on this? ^^ |
@ReToCode - The name used - Another change I suggest is replacing the existing |
@davidhadas I thought the idea is to also use the abstraction in the future for the certs that we use between the Knative components and that we update the cert-generation in
Agreed, but that would break the existing config API. I suggest we do the renaming of those flags (as well as in Serving, Docs, Operator for the actual encryption configuration) separately. We should probably also rename the feature from autoTLS to something more meaningful which is aligned with the issuer here. |
@davidhadas updated naming to |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: KauzClay, nak3, ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Context
Changes
/kind enhancement
Release Note
Docs
Will be done for the completed feature (when serving and net-* changes are also done).