Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Host cluster-local-domain TLS on local listener with SNI #1156

Merged
merged 1 commit into from
Dec 4, 2023
Merged

Host cluster-local-domain TLS on local listener with SNI #1156

merged 1 commit into from
Dec 4, 2023

Conversation

ReToCode
Copy link
Member

@ReToCode ReToCode commented Nov 13, 2023
edited
Loading

Changes

  • Add cluster-local https listener when cluster-local-domain-tls is enabled and a KSVC exists
  • Uses SNI to host multiple certificates for all cluster-local domain Knative Services
  • Rename internal -> local to be consistent with the new encryption flags

/hold requires knative/networking#891 to be merged first.

/kind enhancement

Fixes knative/serving#14218
Partially knative/serving#14624

Release Note

net-kourier now hosts a TLS listener using SNI when `cluster-local-domain-tls` is enabled. Note: this is an experimental alpha-feature.

Docs

Will be done once the features is complete

@knative-prow knative-prow bot added kind/enhancement do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Nov 13, 2023
@knative-prow Knative Prow
Copy link

knative-prow bot commented Nov 13, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 13, 2023
@codecov Codecov
Copy link

codecov bot commented Nov 13, 2023
edited
Loading

Codecov Report

Attention: 15 lines in your changes are missing coverage. Please review.

Comparison is base (6077768) 80.81% compared to head (9f3405e) 81.12%.
Report is 4 commits behind head on main.

Files Patch % Lines
pkg/generator/caches.go 88.15% 6 Missing and 3 partials ⚠️
pkg/generator/ingress_translator.go 87.50% 4 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1156      +/-   ##
==========================================
+ Coverage   80.81%   81.12%   +0.30%     
==========================================
  Files          18       18              
  Lines        1392     1462      +70     
==========================================
+ Hits         1125     1186      +61     
- Misses        213      219       +6     
- Partials       54       57       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@knative-prow knative-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 13, 2023
@ReToCode
Copy link
Member Author

PTAL, I'll rebase and remove the go mod replace once the networking PR is merged.

/assign @nak3
/assign @skonto

@ReToCode ReToCode changed the title [wip] Add TLS for cluster-local-domains Add TLS for cluster-local-domains Nov 13, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2023
@ReToCode ReToCode changed the title Add TLS for cluster-local-domains Host cluster-local-domain TLS on local listener with SNI Nov 13, 2023
skonto
skonto reviewed Nov 13, 2023
View reviewed changes
pkg/generator/ingress_translator.go
@@ -48,11 +48,13 @@ import (

type translatedIngress struct {
name types.NamespacedName
sniMatches []*envoy.SNIMatch
localSNIMatches []*envoy.SNIMatch
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking out loud is there a scenario where a ksvc wants to communicate with an egress target via the knative local gateway and the target does not need mutual tls. I was wondering about the use of auto_sni.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm sounds to me more like a Service-Mesh case. I don't think we ever want to go through kourier for egress traffic, right?

skonto
skonto reviewed Nov 13, 2023
View reviewed changes
pkg/generator/caches_test.go
@@ -166,14 +166,14 @@ func TestDeleteIngressInfoWhenDoesNotExist(t *testing.T) {
assert.DeepEqual(t, listenersBeforeDelete, listenersAfterDelete, protocmp.Transform())
}

func TestTLSListenerWithEnvCertsSecret(t *testing.T) {
func TestExternalTLSListener(t *testing.T) {
Copy link
Contributor

@skonto skonto Nov 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't want to support

  • TestExternalTLSListenerWithEnvCertsSecrets
  • TestExternalTLSListenerWithInternalCertSecret
  • ?
    Local is only meant to use the config map config?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think I get your question.

The ExternalTLS Listener is for cluster-external domains and the cluster-local one is for the cluster-local domains. Both can have the SNI option (has already been there for the external one, this PR adds it for cluster-local) when a specific cert is there for a specific domain, and a general certificate for all other traffic (that is already there for both listeners).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes but the tests were renamed and the source of the cert can be either env or some cm config. What do we support for internal and external cases?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I felt the naming did not really reflect what they test. Both cases can have a default cert for all domains and specific ones for specified domains, I think we do cover all of them for both cases with:

func TestExternalTLSListener(t *testing.T) {

// sets the default cert
t.Setenv(envCertsSecretNamespace, "certns")
t.Setenv(envCertsSecretName, "secretname")

// Test with only default domains
t.Run("without SNI matches", func(t *testing.T) {}

// Test with one added specific domain
t.Run("with a single SNI match", func(t *testing.T) {}

// Test with two added specific domains
t.Run("with multiple SNI matches", func(t *testing.T) {}
}

@skonto
Copy link
Contributor

skonto commented Nov 13, 2023

LGTM in general waiting for @nak3 before stamping.

nak3
nak3 reviewed Nov 14, 2023
View reviewed changes
Copy link
Contributor

@nak3 nak3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a plan to add conformance or e2e test for this cluster local domain TLS in networking or net-* repos like external domain for test/conformance/ingress/tls.go?

pkg/reconciler/ingress/lister.go Show resolved Hide resolved
@ReToCode
Copy link
Member Author

Do you have a plan to add conformance or e2e test for this cluster local domain TLS in networking or net-* repos like external domain for test/conformance/ingress/tls.go?

Yes this is the plan in knative/serving#13855. I'm not sure yet how they can look like exactly. I think we should finish the implementation end to end for one ingress then add conformance tests. Also Serving will get additional end-2-end tests draft here.

@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 16, 2023
@knative-prow-robot knative-prow-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 24, 2023
@ReToCode
Copy link
Member Author

/unhold

Networking PR is merged: knative/networking#891, conformance tests is tracked in knative/serving#13855. So this is ready to be reviewed again @nak3 @skonto

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 24, 2023
This was referenced Nov 24, 2023
Closed
Merged
@skonto skonto mentioned this pull request Dec 4, 2023
Closed
@skonto
Copy link
Contributor

skonto commented Dec 4, 2023

Tested in knative/serving#14703 stamping.

@skonto
Copy link
Contributor

skonto commented Dec 4, 2023

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Dec 4, 2023
@knative-prow knative-prow bot merged commit c3b4a15 into knative-extensions:main Dec 4, 2023
46 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skonto skonto skonto left review comments

@nak3 nak3 nak3 left review comments

@krsna-m krsna-m Awaiting requested review from krsna-m

Assignees

@nak3 nak3

@skonto skonto

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/enhancement lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[cluster-local-domain-tls] host cluster-local certificates with SNI in net-kourier
4 participants
@ReToCode @skonto @nak3 @knative-prow-robot