Support config to deploy internal certificates automatically (knative…

…#13005) * Add certificate reconciler for internal certs * Fix cert path * Temporary use local networking repo * Support internal-encryption configuration * Use const for cert name * Fix lint * rm blank line * Drop unused variable * Use one line style * Use one line code * Update net-kourier nightly bumping knative.dev/net-kourier d758682...b9b1e8b: > b9b1e8b Use `internal-encryption` to deploy internal certificates automatically (# 855) > 427434c bump kind and k8s versions in kind-e2e tests (# 859) Signed-off-by: Knative Automation <automation@knative.team> * Verify SecretPKKey as well * Do not drop activator always in the path * Comment about ctrl-ca suffix Co-authored-by: Knative Automation <automation@knative.team>
nak3 · Jul 25, 2022 · ea6abd6 · ea6abd6
1 parent e80a125
commit ea6abd6
Show file tree

Hide file tree

Showing 60 changed files with 3,617 additions and 605 deletions.
diff --git a/cmd/activator/main.go b/cmd/activator/main.go
@@ -40,6 +40,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
+	"knative.dev/control-protocol/pkg/certificates"
 	network "knative.dev/networking/pkg"
 	"knative.dev/pkg/configmap"
 	configmapinformer "knative.dev/pkg/configmap/informer"
@@ -154,14 +155,14 @@ func main() {
 		logger.Fatalw("Failed to construct network config", zap.Error(err))
 	}
 
-	// Enable TLS against queue-proxy when the CA and SA are specified.
-	tlsEnabled := networkConfig.QueueProxyCA != "" && networkConfig.QueueProxySAN != ""
+	// Enable TLS against queue-proxy when internal-encryption is enabled.
+	tlsEnabled := networkConfig.InternalEncryption
 
 	// Enable TLS client when queue-proxy-ca is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
 	if tlsEnabled {
-		caSecret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, networkConfig.QueueProxyCA, metav1.GetOptions{})
+		caSecret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, netcfg.ServingInternalCertName, metav1.GetOptions{})
 		if err != nil {
 			logger.Fatalw("Failed to get secret", zap.Error(err))
 		}
@@ -171,14 +172,14 @@ func main() {
 			pool = x509.NewCertPool()
 		}
 
-		if ok := pool.AppendCertsFromPEM(caSecret.Data["ca.crt"]); !ok {
+		if ok := pool.AppendCertsFromPEM(caSecret.Data[certificates.SecretCaCertKey]); !ok {
 			logger.Fatalw("Failed to append ca cert to the RootCAs")
 		}
 
 		tlsConf := &tls.Config{
 			RootCAs:            pool,
 			InsecureSkipVerify: false,
-			ServerName:         networkConfig.QueueProxySAN,
+			ServerName:         certificates.FakeDnsName,
 			MinVersion:         tls.VersionTLS12,
 		}
 		transport = pkgnet.NewProxyAutoTLSTransport(env.MaxIdleProxyConns, env.MaxIdleProxyConnsPerHost, tlsConf)
@@ -273,15 +274,15 @@ func main() {
 		}(name, server)
 	}
 
-	// Enable TLS server when activator-server-cert is specified.
+	// Enable TLS server when internal-encryption is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
-	if networkConfig.ActivatorCertSecret != "" {
-		secret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, networkConfig.ActivatorCertSecret, metav1.GetOptions{})
+	if networkConfig.InternalEncryption {
+		secret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, netcfg.ServingInternalCertName, metav1.GetOptions{})
 		if err != nil {
 			logger.Fatalw("failed to get secret", zap.Error(err))
 		}
-		cert, err := tls.X509KeyPair(secret.Data["tls.crt"], secret.Data["tls.key"])
+		cert, err := tls.X509KeyPair(secret.Data[certificates.SecretCertKey], secret.Data[certificates.SecretPKKey])
 		if err != nil {
 			logger.Fatalw("failed to load certs", zap.Error(err))
 		}

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -18,6 +18,7 @@ package main
 
 import (
 	// The set of controllers this controller process runs.
+	certificate "knative.dev/control-protocol/pkg/certificates/reconciler"
 	"knative.dev/serving/pkg/reconciler/configuration"
 	"knative.dev/serving/pkg/reconciler/gc"
 	"knative.dev/serving/pkg/reconciler/labeler"
@@ -30,6 +31,7 @@ import (
 	// This defines the shared main for injected controllers.
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/serving/pkg/networking"
 )
 
 var ctors = []injection.ControllerConstructor{
@@ -41,6 +43,7 @@ var ctors = []injection.ControllerConstructor{
 	service.NewController,
 	gc.NewController,
 	nscert.NewController,
+	certificate.NewControllerFactory(networking.ServingCertName),
 }
 
 func main() {

diff --git a/cmd/queue/main.go b/cmd/queue/main.go
@@ -33,6 +33,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/types"
 
+	"knative.dev/control-protocol/pkg/certificates"
 	network "knative.dev/networking/pkg"
 	pkglogging "knative.dev/pkg/logging"
 	"knative.dev/pkg/logging/logkey"
@@ -64,10 +65,10 @@ const (
 	drainSleepDuration = 30 * time.Second
 
 	// certPath is the path for the server certificate mounted by queue-proxy.
-	certPath = queue.CertDirectory + "/tls.crt"
+	certPath = queue.CertDirectory + "/" + certificates.SecretCertKey
 
 	// keyPath is the path for the server certificate key mounted by queue-proxy.
-	keyPath = queue.CertDirectory + "/tls.key"
+	keyPath = queue.CertDirectory + "/" + certificates.SecretPKKey
 )
 
 type config struct {

diff --git a/test/config/tls/config-network.yaml → config/core/300-secret.yaml b/test/config/tls/config-network.yaml → config/core/300-secret.yaml
@@ -13,17 +13,19 @@
 # limitations under the License.
 
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: config-network
+  # Do not drop -ctrl-ca suffix as control-protocol requires it.
+  # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+  name: serving-certs-ctrl-ca
+  namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knative-serving-certs
+  namespace: knative-serving
   labels:
-    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
-data:
-  activator-ca: "serving-ca"
-  activator-san: "knative"
-  activator-cert-secret: "server-certs"
-  queue-proxy-ca: "serving-ca"
-  queue-proxy-san: "knative"
-  queue-proxy-cert-secret: "server-certs"
+    serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.
diff --git a/go.mod b/go.mod
@@ -33,9 +33,10 @@ require (
 	k8s.io/code-generator v0.23.5
 	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
 	knative.dev/caching v0.0.0-20220412163508-8b5c244b8182
-	knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c
+	knative.dev/control-protocol v0.0.0-20220610133426-4a1c8e84039f
+	knative.dev/hack v0.0.0-20220610014127-dc6c287516dc
 	knative.dev/networking v0.0.0-20220412163509-1145ec58c8be
-	knative.dev/pkg v0.0.0-20220412134708-e325df66cb51
+	knative.dev/pkg v0.0.0-20220610014025-7d607d643ee2
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -145,3 +146,10 @@ require (
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
+
+replace (
+	knative.dev/caching => knative.dev/caching v0.0.0-20220610113725-9c092893371a
+	knative.dev/hack => knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c
+	knative.dev/networking => knative.dev/networking v0.0.0-20220614203516-07c9d7614c61
+	knative.dev/pkg => knative.dev/pkg v0.0.0-20220412134708-e325df66cb51
+)