Add internal trust flag to config (#778)

* Add internal trust flag to config Signed-off-by: David Hadas <david.hadas@gmail.com> * nits Signed-off-by: David Hadas <david.hadas@gmail.com> * text improvements * text improvements * text improvements * multi-level flag * repush * seperate flags for control and data planes * refreshed * string as enum * update-deps --------- Signed-off-by: David Hadas <david.hadas@gmail.com>
knative · May 2, 2023 · 3f4627e · 3f4627e
1 parent 02055c8
commit 3f4627e
Show file tree

Hide file tree

Showing 3 changed files with 135 additions and 6 deletions.
diff --git a/config/config-network.yaml b/config/config-network.yaml
@@ -22,7 +22,7 @@ metadata:
     app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
   annotations:
-    knative.dev/example-checksum: "73d96d1b"
+    knative.dev/example-checksum: "2b6d10ba"
 data:
   _example: |
     ################################
@@ -173,12 +173,34 @@ data:
     # Knative doesn't know about that otherwise.
     default-external-scheme: "http"
 
+    # internal-encryption is deprecated and replaced by internal-dataplane-trust and internal-controlplane-trust
     # internal-encryption indicates whether internal traffic is encrypted or not.
-    # If this is "true", the following traffic are encrypted:
-    #  - ingress to activator
-    #  - ingress to queue-proxy
-    #  - activator to queue-proxy
     #
     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
     #       for now. Use with caution.
     internal-encryption: "false"
+
+    # dataplane-trust indicates the level of trust established in the knative data-plane.
+    # dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic
+    # Using any other value ensures that the following traffic is encrypted using TLS:
+    #  - ingress to activator
+    #  - ingress to queue-proxy
+    #  - activator to queue-proxy
+    #
+    # dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc
+    # dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace
+    # dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress
+    # dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
+    dataplane-trust: "disabled"
+
+    # controlplane-trust indicates the level of trust established in the knative control-plane.
+    # controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic
+    # Using any other value ensures that control traffic is encrypted using TLS.
+    #
+    # controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server)
+    # controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other)
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
+    controlplane-trust: "disabled"
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -122,9 +122,39 @@ const (
 	// hostname for a Route's tag.
 	TagTemplateKey = "tag-template"
 
+	// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and internal-controlplane-trust
 	// InternalEncryptionKey is the name of the configuration whether
 	// internal traffic is encrypted or not.
 	InternalEncryptionKey = "internal-encryption"
+
+	// DataplaneTrustKey is the name of the configuration entry
+	// defining the level of trust used for data plane traffic.
+	DataplaneTrustKey = "dataplane-trust"
+
+	// ControlplaneTrustKey is the name of the configuration entry
+	// defining the level of trust used for control plane traffic.
+	ControlplaneTrustKey = "controlplane-trust"
+)
+
+// HTTPProtocol indicates a type of HTTP endpoint behavior
+// that Knative ingress could take.
+type Trust string
+
+const (
+	// TrustDisabled - TLS not used
+	TrustDisabled Trust = "disabled"
+
+	// TrustMinimal - TLS used. We verify that the server is using Knative certificates
+	TrustMinimal Trust = "minimal"
+
+	// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
+	TrustEnabled Trust = "enabled"
+
+	// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
+	TrustMutual Trust = "mutual"
+
+	// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
+	TrustIdentity Trust = "identity"
 )
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -251,8 +281,15 @@ type Config struct {
 	// not enabled. Defaults to "http".
 	DefaultExternalScheme string
 
-	// DefaultExternal specifies whether internal traffic is encrypted or not.
+	// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
+	// InternalEncryption specifies whether internal traffic is encrypted or not.
 	InternalEncryption bool
+
+	// DataplaneTrust specifies the level of trust used for date plane.
+	DataplaneTrust Trust
+
+	// ControlplaneTrust specifies the level of trust used for control plane.
+	ControlplaneTrust Trust
 }
 
 func defaultConfig() *Config {
@@ -268,6 +305,8 @@ func defaultConfig() *Config {
 		DefaultExternalScheme:         "http",
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		InternalEncryption:            false,
+		DataplaneTrust:                TrustDisabled,
+		ControlplaneTrust:             TrustDisabled,
 	}
 }
 
@@ -351,6 +390,34 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 	}
 
+	switch strings.ToLower(data[DataplaneTrustKey]) {
+	case "", string(TrustDisabled):
+		// If DataplaneTrus is not set in the config-network, default is already
+		// set to TrustDisabled.
+	case string(TrustMinimal):
+		nc.DataplaneTrust = TrustMinimal
+	case string(TrustEnabled):
+		nc.DataplaneTrust = TrustEnabled
+	case string(TrustMutual):
+		nc.DataplaneTrust = TrustMutual
+	case string(TrustIdentity):
+		nc.DataplaneTrust = TrustIdentity
+	default:
+		return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
+	}
+
+	switch strings.ToLower(data[ControlplaneTrustKey]) {
+	case "", string(TrustDisabled):
+		// If ControlplaneTrust is not set in the config-network, default is already
+		// set to TrustDisabled.
+	case string(TrustEnabled):
+		nc.ControlplaneTrust = TrustEnabled
+	case string(TrustMutual):
+		nc.ControlplaneTrust = TrustMutual
+	default:
+		return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
+	}
+
 	return nc, nil
 }
 

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -287,6 +287,40 @@ func TestConfiguration(t *testing.T) {
 			c.InternalEncryption = true
 			return c
 		}(),
+	}, {
+		name: "bad network configuration of the data-plane",
+		data: map[string]string{
+			DataplaneTrustKey: "trustLevel",
+		},
+		wantErr: true,
+	}, {
+		name: "network configuration of the data-plane",
+		data: map[string]string{
+			DataplaneTrustKey: "identity",
+		},
+		wantErr: false,
+		wantConfig: func() *Config {
+			c := defaultConfig()
+			c.DataplaneTrust = TrustIdentity
+			return c
+		}(),
+	}, {
+		name: "bad network configuration of the control-plane",
+		data: map[string]string{
+			ControlplaneTrustKey: "trustLevel",
+		},
+		wantErr: true,
+	}, {
+		name: "network configuration of the control-plane",
+		data: map[string]string{
+			ControlplaneTrustKey: "mutual",
+		},
+		wantErr: false,
+		wantConfig: func() *Config {
+			c := defaultConfig()
+			c.ControlplaneTrust = TrustMutual
+			return c
+		}(),
 	}, {
 		name: "legacy keys",
 		data: map[string]string{
@@ -315,6 +349,8 @@ func TestConfiguration(t *testing.T) {
 
 			// This is defaulted
 			MeshCompatibilityMode: MeshCompatibilityModeAuto,
+			DataplaneTrust:        TrustDisabled,
+			ControlplaneTrust:     TrustDisabled,
 		},
 	}, {
 		name: "newer keys take precedence over legacy keys",
@@ -340,6 +376,8 @@ func TestConfiguration(t *testing.T) {
 			AutocreateClusterDomainClaimsKey: "false",
 			HTTPProtocolKey:                  "enabled",
 			AutoTLSKey:                       "disabled",
+			DataplaneTrustKey:                "MiNiMal",
+			ControlplaneTrustKey:             "EnAbLeD",
 		},
 		wantConfig: &Config{
 			DefaultIngressClass:     "7",
@@ -355,6 +393,8 @@ func TestConfiguration(t *testing.T) {
 
 			// This is defaulted
 			MeshCompatibilityMode: MeshCompatibilityModeAuto,
+			DataplaneTrust:        TrustMinimal,
+			ControlplaneTrust:     TrustEnabled,
 		},
 	}}