Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trust DataPlaneUserSAN from Activator to Queue-Proxy #14452

Merged
merged 7 commits into from
Oct 17, 2023
Merged

Trust DataPlaneUserSAN from Activator to Queue-Proxy #14452

merged 7 commits into from
Oct 17, 2023

Conversation

nak3
Copy link
Contributor

@nak3 nak3 commented Sep 27, 2023

Fixes #14402

Proposed Changes

This patch changes activator to trust a new SAN kn-user-<ns> instead of legacy SAN.

Release Note

internal encryption verifies a new SAN `kn-user-<ns>`.

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/API API objects and controllers area/autoscale area/networking labels Sep 27, 2023
@nak3 nak3 mentioned this pull request Sep 27, 2023
Merged
@nak3
Copy link
Contributor Author

nak3 commented Sep 27, 2023

/cc @dprotaso @KauzClay @davidhadas @ReToCode

@codecov
Copy link

codecov bot commented Sep 27, 2023
edited
Loading

Codecov Report

Attention: 20 lines in your changes are missing coverage. Please review.

Comparison is base (71085f8) 86.15% compared to head (1187af5) 86.00%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14452      +/-   ##
==========================================
- Coverage   86.15%   86.00%   -0.16%     
==========================================
  Files         196      197       +1     
  Lines       14889    14915      +26     
==========================================
- Hits        12828    12827       -1     
- Misses       1753     1777      +24     
- Partials      308      311       +3
Files Coverage Δ
cmd/activator/main.go 0.00% <0.00%> (ø)
pkg/activator/certificate/tls_context.go 26.92% <26.92%> (ø)

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ReToCode
ReToCode reviewed Oct 2, 2023
View reviewed changes
pkg/activator/certificate/tls_context.go Outdated

// dialTLSContext handles verify SAN before calling DialTLSWithBackOff.
func dialTLSContext(ctx context.Context, network, addr string, cr *CertCache) (net.Conn, error) {
cr.certificatesMux.Lock()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

defer unlock?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At L#47 it unlocks the certificatesMux.
We can use defer but we just want to lock during the cloning (L#45-46) so unlock at L#47 is enough, I think.

@ReToCode
Copy link
Member

ReToCode commented Oct 2, 2023

Looks nice, thanks Kenjiro.
Not sure if we should do it breaking here or not: knative/pkg#2842.

@knative-prow knative-prow bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 3, 2023
@nak3 nak3 force-pushed the fix-14402-main branch 2 times, most recently from e24ea72 to 4e61714 Compare October 3, 2023 06:28
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 3, 2023
@dprotaso
Copy link
Member

knative.dev/pkg upstream changes have landed

@dprotaso
Copy link
Member

/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 17, 2023
@knative-prow
Copy link

knative-prow bot commented Oct 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dprotaso dprotaso mentioned this pull request Oct 17, 2023
Closed
@knative-prow knative-prow bot merged commit 39ee6f7 into knative:main Oct 17, 2023
70 checks passed
skonto pushed a commit to skonto/serving that referenced this pull request Oct 17, 2023
@nak3 @skonto
Trust DataPlaneUserSAN from Activator to Queue-Proxy (knative#14452)
accada5 
* Trust DataPlaneUserSAN from Activator to Queue-Proxy

* Fix lint

* Fix plate

* Remove

* Use read lock

* bump pkg

* Use DataPlaneUserSAN instead of DataPlaneUserName
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ReToCode ReToCode ReToCode left review comments

@jsanin-vmw jsanin-vmw Awaiting requested review from jsanin-vmw

@skonto skonto Awaiting requested review from skonto

@davidhadas davidhadas Awaiting requested review from davidhadas

@dprotaso dprotaso Awaiting requested review from dprotaso

@KauzClay KauzClay Awaiting requested review from KauzClay

Assignees

@dprotaso dprotaso

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/API API objects and controllers area/autoscale area/networking lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Trust DataPlaneUserSAN from Activator to Queue-Proxy
3 participants
@nak3 @ReToCode @dprotaso