Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Eventing TLS: Support exposing cluster-local CA Certs for addressables resources #14196

Closed
pierDipi opened this issue Jul 27, 2023 · 6 comments
Closed

Eventing TLS: Support exposing cluster-local CA Certs for addressables resources #14196

pierDipi opened this issue Jul 27, 2023 · 6 comments
Labels
kind/feature Well-understood/specified features, ready for coding. triage/accepted Issues which should be fixed (post-triage)

Comments

@pierDipi
Copy link
Member

pierDipi commented Jul 27, 2023
edited
Loading

Describe the feature

As the Eventing TLS proposal describes we should expose CA certs for Serving's addressables resources in the resource status when using HTTPS

status:
  address:
    url: https://service.default.svc.cluster.local
    CACerts: <PEM formatted CA cert>
  addresses:
    - name: https
      url: https://service.default.svc.cluster.local
      CACerts: <PEM formatted CA cert>
@pierDipi pierDipi added the kind/feature Well-understood/specified features, ready for coding. label Jul 27, 2023
@pierDipi pierDipi moved this to 🔖 Ready in Eventing TLS Jul 27, 2023
@dprotaso
Copy link
Member

Few questions:

  1. nit: Is it too late to change CACerts to caBundle ? - the casing looks really weird when looking at the yaml.

  2. Secondly, from our recent serving internal TLS discussion it became clear that since the activator can be in and out of the data path we required our Ingresses to support multiple subject alternate names. In this scenario Serving would be programming the ingress resources so we know the activator hostname/path. But how is Eventing supposed to know about this alternate name?

@pierDipi
Copy link
Member Author

Few questions:

  1. nit: Is it too late to change CACerts to caBundle ? - the casing looks really weird when looking at the yaml.

We just made a release, so technically yes ... renaming a field seems painful

  1. Secondly, from our recent serving internal TLS discussion it became clear that since the activator can be in and out of the data path we required our Ingresses to support multiple subject alternate names. In this scenario Serving would be programming the ingress resources so we know the activator hostname/path. But how is Eventing supposed to know about this alternate name?

I thought that Serving internal TLS will remove this limitation eventually (cc @ReToCode), I don't think even in non-eventing case you want clients to do any complex SAN logic to call a service

@dprotaso
Copy link
Member

Actually I was wrong - the service.default.svc.cluster.local domain would hit the internal ingress so this wouldn't be an issue for clients.

@ReToCode
Copy link
Member

I thought that Serving internal TLS will remove this limitation eventually (cc @ReToCode), I don't think even in non-eventing case you want clients to do any complex SAN logic to call a service
Actually I was wrong - the service.default.svc.cluster.local domain would hit the internal ingress so this wouldn't be an issue for clients.

Exactly. This should not be an issue and we (will) know what CA signed the certificate for service.default.svc.cluster.local so we can put it in the adressable.

@dprotaso
Copy link
Member

dprotaso commented Aug 2, 2023

/triage accepted

@knative-prow knative-prow bot added the triage/accepted Issues which should be fixed (post-triage) label Aug 2, 2023
@pierDipi
Copy link
Member Author

pierDipi commented Jan 9, 2024

As discussed earlier, we will integrate Eventing and Serving TLS using ConfigMaps with trust bundles (indirectly integrating Knative with trust-manager: https://cert-manager.io/docs/trust/trust-manager/) (see #14717 and knative/eventing#7532).

I think CA certs field in the status is still handy for quick experiments/development in the self-signed issuer case but it's optional.

So closing this issue for now

@pierDipi pierDipi closed this as not planned Won't fix, can't repro, duplicate, stale Jan 9, 2024
@github-project-automation github-project-automation bot moved this from 🔖 Ready to ✅ Done in Eventing TLS Jan 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Well-understood/specified features, ready for coding. triage/accepted Issues which should be fixed (post-triage)
Projects
Serving Encryption
Status: Done
Eventing TLS
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dprotaso @ReToCode @pierDipi