Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support system-internal-tls in net-istio #1063

Closed
ReToCode opened this issue Feb 16, 2023 · 4 comments · Fixed by #1085 or knative/serving#14494
Closed

Support system-internal-tls in net-istio #1063

ReToCode opened this issue Feb 16, 2023 · 4 comments · Fixed by #1085 or knative/serving#14494
Assignees
@ReToCode
Labels
kind/feature-request triage/accepted Issues which should be fixed (post-triage)
Milestone
v1.12.0

Comments

@ReToCode
Copy link
Member

Larger description in the Feature Track document
Parent-issue: knative/serving#11906

Summary
net-istio should support calling activator / backends with a known CA key and subject name.

/kind feature-request
@ReToCode ReToCode mentioned this issue Feb 16, 2023
Open
6 tasks
@nak3
Copy link
Contributor

nak3 commented Feb 16, 2023

If all net-* plugins are going to support the TLS encryption for the path Ingress -> backend, would it be better to add:

  • conformance test in networking repo
  • and KIngress contract which means adding API for KIngress ?

@nak3
Copy link
Contributor

nak3 commented Feb 16, 2023

(This may be off topic but) for the Kingress API addition, if we add the "SanName" field it would also help to solve knative/serving#12797 by using the SAN for each ingress like:

(based on Feature Track document)

type InternalTLS struct {
        // SecretName is the name of the secret used to SSL traffic against upstream(backend).
        // The secret should store the CA (root) cert to use SSL traffic.
        SecretName string `json:"secretName,omitempty"`
       
	// SanName is the name of SAN which s verified if at least one of SAN is matched.
        // The field is array to store two SANs such as activator and queue-proxy.
        SanName []string `json:"secretName,omitempty"`
}

(I know we should use SNI but I think SNI solution is not possible...)

@ReToCode ReToCode mentioned this issue Mar 28, 2023
Merged
@github-actions
Copy link

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 18, 2023
@ReToCode
Copy link
Member Author

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 22, 2023
@KauzClay KauzClay assigned KauzClay and unassigned KauzClay Jun 1, 2023
@ReToCode ReToCode self-assigned this Aug 3, 2023
@ReToCode ReToCode added the triage/accepted Issues which should be fixed (post-triage) label Aug 30, 2023
@ReToCode ReToCode changed the title Support internal-encryption in net-istio Support knative-internal-tls in net-istio Sep 14, 2023
@ReToCode ReToCode changed the title Support knative-internal-tls in net-istio Support system-internal-tls in net-istio Oct 2, 2023
@ReToCode ReToCode mentioned this issue Oct 10, 2023
Merged
@ReToCode ReToCode added this to the v1.12.0 milestone Oct 10, 2023
@ReToCode ReToCode mentioned this issue Nov 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ReToCode ReToCode

Labels
kind/feature-request triage/accepted Issues which should be fixed (post-triage)
Projects
None yet
Milestone
v1.12.0
3 participants
@nak3 @ReToCode @KauzClay