implement cluster-local-domain-tls in serving #14610
Conversation
knative-prow
bot
added
the
do-not-merge/hold
knative-prow-robot
added
the
needs-rebase
knative-prow
bot
added
area/API
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
c96a9cb
to
68c4e4c
Compare
knative-prow-robot
added
needs-rebase
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
d6939f2
to
b297bec
Compare
knative-prow-robot
added
needs-rebase
ReToCode
force-pushed
the
encryption-certmanager-only
branch
3 times, most recently
from
0eeae3d
to
6198bf3
Compare
knative-prow-robot
removed
the
needs-rebase
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
6198bf3
to
a8d4cde
Compare
knative-prow-robot
added
the
needs-rebase
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
a8d4cde
to
33bc391
Compare
knative-prow-robot
removed
the
needs-rebase
| @@ -63,6 +65,28 @@ func GetAllDomainsAndTags(ctx context.Context, r *v1.Route, names []string, visi | |||
| return domainTagMap, nil | |||
| } | |||
|
|
|||
| // GetDomainsForVisibility return all domains for the specified visibility. | |||
| func GetDomainsForVisibility(ctx context.Context, targetName string, r *v1.Route, visibility netv1alpha1.IngressVisibility) (sets.String, error) { | |||
There was a problem hiding this comment.
this is moved and renamed from ingress.go
I also added some tests for this function.
| // We use https://golang.org/pkg/hash/adler32/#Checksum to compute the digest which returns a uint32. | ||
| // We represent the digest in unsigned integer format with maximum value of 4,294,967,295 which are 10 digits. | ||
| // The "-[tag digest]" is computed only if there's a tag | ||
| func certNameFromRouteAndTag(route *v1.Route, tag string) string { |
There was a problem hiding this comment.
extracted from existing function
| @@ -205,27 +203,6 @@ func makeIngressSpec( | |||
| }, nil | |||
| } | |||
|
|
|||
| func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, visibility netv1alpha1.IngressVisibility) (sets.String, error) { | |||
There was a problem hiding this comment.
moved to domains.go, see above.
| } | ||
| } | ||
|
|
||
| return unusedCerts, nil | ||
| } | ||
|
|
||
| func (c *Reconciler) deleteOrphanedCerts(ctx context.Context, orphanCerts []*netv1alpha1.Certificate) { |
There was a problem hiding this comment.
extracted to be reused from both callees.
| // WithRouteConditionsTLSNotEnabledForClusterLocalMessage calls | ||
| // MarkTLSNotEnabled with TLSNotEnabledForClusterLocalMessage after initialized | ||
| // the Service's conditions. | ||
| func WithRouteConditionsTLSNotEnabledForClusterLocalMessage(rt *v1.Route) { |
There was a problem hiding this comment.
we don't longer need this, as we support it now.
| "knative.dev/serving/pkg/apis/autoscaling" | ||
| "knative.dev/serving/pkg/apis/serving" | ||
| rtesting "knative.dev/serving/pkg/testing/v1" | ||
| "knative.dev/serving/test" | ||
| v1test "knative.dev/serving/test/v1" | ||
| ) | ||
|
|
||
| const ( |
There was a problem hiding this comment.
moved to separate file, see above.
| @@ -229,6 +101,13 @@ func TestServiceToServiceCall(t *testing.T) { | |||
| } | |||
| t.Logf("helloworld internal domain is %s.", resources.Route.Status.URL.Host) | |||
|
|
|||
| // if cluster-local-domain-tls is enabled, this will return the CA used to sign the certificates. | |||
| // TestProxyToHelloworld will use this CA to verify the https connection | |||
| secret, err := GetCASecret(clients) | |||
There was a problem hiding this comment.
All our tests that call cluster-local domains need to trust if we enable TLS, this helper gets the CA secret and the following TestProxyToHelloworld will add this CA to it's trust pool and thus validate the TLS connection.
| @@ -103,27 +103,20 @@ func newTLSEnabledTransport() http.RoundTripper { | |||
| } | |||
| transport.TLSClientConfig = &tls.Config{ | |||
| RootCAs: rootCAs, | |||
| // If SERVER_NAME is not set the empty value will make the | |||
There was a problem hiding this comment.
httpproxy no longer needs to trust a defined SERVER_NAME. The certificates will be valid for the actual service. Also we get the CA directly in the env variable.
ReToCode
changed the title
knative-prow
bot
added
the
do-not-merge/work-in-progress
knative-prow-robot
added
the
needs-rebase
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
4be9d8f
to
8ad22bc
Compare
knative-prow-robot
removed
the
needs-rebase
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
bf85971
to
67cf527
Compare
knative-prow-robot
removed
the
needs-rebase
|
I disabled istio-tls testing - unsure if you want to re-enable it again as part of this PR see github action here and test here |
| @@ -131,6 +136,7 @@ func newControllerWithOptions( | |||
| } | |||
| deploymentInformer.Informer().AddEventHandler(handleMatchingControllers) | |||
| paInformer.Informer().AddEventHandler(handleMatchingControllers) | |||
| certificateInformer.Informer().AddEventHandler(handleMatchingControllers) | |||
There was a problem hiding this comment.
Since the namespace is the owner of the certificate - this won't work.
You could re-sync all the revisions when the cert changes by listing and enqueing (then filtering) - or you can use a tracker https://pkg.go.dev/knative.dev/pkg/tracker
There was a problem hiding this comment.
Ah I see, makes sense. Updated it to using a tracker, I added it after the initial creation of a Certificate was successful. If that would fail (e.g. on the first Revision), we'd have an error on the Revision reconciliation anyway.
Let's keep that as a follow-up thing, as we also have flakiness with ambient that we'd need to look into. |
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
ae3acea
to
535f6fa
Compare
|
/test unit-tests |
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
535f6fa
to
8a08a96
Compare
| // Tell our trackers to reconcile when the KnativeCertificate changes | ||
| gvk := rev.GetGroupVersionKind() | ||
| apiVersion, kind := gvk.ToAPIVersionAndKind() | ||
| if err := c.tracker.TrackReference(tracker.Reference{ |
There was a problem hiding this comment.
this is backwards
you want to track the cert and reconcile the revision so the invocation is
TrackReference(certificate, rev)
There was a problem hiding this comment.
Uh that API is quite confusing, but it makes sense that it has to be this way. Thanks for explaining and bearing with me on this.
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
8a08a96
to
fb1065f
Compare
ReToCode
force-pushed
the
encryption-certmanager-only
branch
from
fb1065f
to
e04287b
Compare
|
/hold We'll bring this in after the release cut |
knative-prow
bot
added
the
do-not-merge/hold
|
/unhold |
knative-prow
bot
removed
the
do-not-merge/hold
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dprotaso, ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
the
approved
Context: https://github.com/orgs/knative/projects/63/views/1 and https://github.com/knative/serving/blob/main/docs/encryption/knative-encryption.md
Fixes #14217
Changes
KnativeCertificateswhencluster-local-domain-tlsis enabledKnativeCertificatefor Activator and one in each namespace where Queue-Proxy isKnativeCertificatescluster-local-domain-tlswill also run all existing tests with TLS.Depends on these being merged first:
KnativeCertificateinstead of control-protocol secret knative-extensions/net-istio#1221Release Note
/hold