All Hops Encrypted: alpha Kourier support for encrypted backends #750

Closed
evankanderson opened this issue Jan 13, 2022 · 1 comment · Fixed by #761

Comments

@evankanderson

Larger description in the Feature Track document

Summary:

Kourier should support calling activator / backends with a known CA key and subject name (provided by the cluster administrator in config-network for the All Hops Encrypted alpha).

Expected config-network keys:

  • activator-ca -- contains the CA public certificate used to sign the activator TLS certificate
  • activator-name -- contains the SAN (Subject Alt Name) used to validate the activator TLS certificate

This probably involves extending the Cluster configuration with an UpstreamTlsContext and CommonTlsContext, and possibly implementing SDS for these certificates.

/kind feature-request

@nak3 self-assigned this Jan 19, 2022
knative-prow-robot pushed a commit to knative/networking that referenced this issue Feb 8, 2022
* Add `activator-ca` and `activator-name` keys in `config-network`

This patch adds `activator-ca` and `activator-name` keys in `config-network`.

Part of knative-extensions/net-kourier#750
knative-extensions/net-kourier#761 demonstrates how it works.

* Rename activator-name to activator-san
knative-prow-robot pushed a commit to knative/networking that referenced this issue Mar 2, 2022
This patch supports a TLS server on each test image.
It is needed to verify that Ingress actually connects to the backend with TLS.

The usage is as follows:

1. Create server certificate with the name `server-certs` in `serving-tests` namespace.

  ```shell
  $ kubectl create -n serving-tests secret tls server-certs \
      --key=tls.key --cert=tls.crt
  ```

1. Set env variable `UPSTREAM_TLS_CERT=server-certs` and run the tests.

  ```shell
  $ export UPSTREAM_TLS_CERT=server-certs
  $ go test -race -count=1 -tags=e2e ./test/conformance/ -run "TestIngressConformance/basic"
  ```

1. The backend test server starts running with TLS.

  ```shell
  $ kubectl -n serving-tests logs ingress-conformance-basics-tfpnykaw
  2022/01/27 11:54:14 Server starting on port with TLS 8047
    ...
  ```

Part of knative-extensions/net-kourier#750
knative-extensions/net-kourier#761 demonstrates how it works.
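
The two halves this thread describes, a backend that terminates TLS (what the test images above do with the `server-certs` secret) and an ingress that accepts it only when the chain leads to the `activator-ca` bundle and the leaf carries the `activator-san` name, as one added Go example. This is not net-kourier code: Kourier hands Envoy an `UpstreamTlsContext` over xDS, whereas here Go's `crypto/tls` client stands in for Envoy so the check can run offline. The throwaway CA, the leaf, the SAN value `activator.knative-serving.svc`, the `imposter.default.svc` name and the garbage PEM are all constructed for the example and are not values from the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Assumed value of the proposed config-network activator-san key.
const activatorSAN = "activator.knative-serving.svc"

// must keeps the throwaway PKI setup short; a failure there is a bug, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template is a minimal x509 profile: signing bits for a CA, a DNS SAN for a leaf.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // the leaf carries the SAN the client matches and no signing bit
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint signs tmpl with parentKey (self-signed when parent is nil) under a fresh P-256 key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// dialUpstream connects the way Kourier's Envoy cluster would under the proposed
// UpstreamTlsContext: trust only the activator-ca bundle and require the
// activator-san name, whatever pod IP is dialled (Envoy: match_subject_alt_names;
// Go's ServerName sets SNI and does that check). tls.Dial fails closed on either.
func dialUpstream(addr string, activatorCA []byte, san string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(activatorCA) {
		return fmt.Errorf("activator-ca: no PEM certificate found")
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: san, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo mints a CA and a backend leaf, serves TLS on loopback (as the test images do
// with the server-certs secret) and probes it four ways; only the matching pair verifies.
func Demo() map[string]error {
	ca, caKey := mint(template("knative-activator-ca", true), nil, nil)
	leaf, leafKey := mint(template(activatorSAN, false), ca, caKey)
	otherCA, _ := mint(template("unrelated-ca", true), nil, nil)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}},
	}))
	defer ln.Close()
	go func() { // backend: complete each handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	otherPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: otherCA.Raw})
	addr := ln.Addr().String()
	return map[string]error{
		"good":      dialUpstream(addr, caPEM, activatorSAN),
		"wrong-san": dialUpstream(addr, caPEM, "imposter.default.svc"),
		"wrong-ca":  dialUpstream(addr, otherPEM, activatorSAN),
		"bad-pem":   dialUpstream(addr, []byte("not a certificate"), activatorSAN),
	}
}

func main() {
	fmt.Println(Demo())
}
```

`go run .` prints `<nil>` for `good` and an x509 error for each of the other three. The SAN check is the part that matters for All Hops Encrypted: without it, any pod holding a certificate from the same CA could stand in for the activator. Leaving `ServerName` empty would make Go match the dialled pod IP instead and fail, and `InsecureSkipVerify` would accept anything; neither is a substitute for the `activator-san` value.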
@nak3 added this to the v1.4.0 milestone Mar 3, 2022