Add support for TLS (conformance test passes)

[evankanderson]

Changes

• 🐛 Add support for TLS by filling out Gateway's Spec.Listener
• 🧹 Fix a few typo'ed import aliases

Still TODO:

• Clean up Spec.Listener on delete (separate PR)
• More testing in ingress_test.go (I got one done, but I want to test the "listener already exists" scenario, at least)

/kind enhancement

Fixes #199
Fixes #319

Release Note

Adds support for Knative-configured TLS ("auto-TLS")

Docs

This increases parity with other implementations, but should not require its own
documentation, as no configuration options were added.

[codecov]

Codecov Report

Merging #316 (ad027c7) into main (c82e90c) will increase coverage by 3.63%.
The diff coverage is 68.58%.

@@            Coverage Diff             @@
##             main     #316      +/-   ##
==========================================
+ Coverage   12.91%   16.55%   +3.63%     
==========================================
  Files          20       21       +1     
  Lines        2958     3172     +214     
==========================================
+ Hits          382      525     +143     
- Misses       2554     2616      +62     
- Partials       22       31       +9     

Impacted Files	Coverage Δ
...kg/reconciler/ingress/resources/reference_grant.go	0.00% <0.00%> (ø)
pkg/reconciler/ingress/reconcile_resources.go	67.67% <77.21%> (+35.96%)	⬆️
pkg/reconciler/ingress/ingress.go	74.19% <87.50%> (+2.19%)	⬆️
pkg/reconciler/ingress/controller.go	94.02% <100.00%> (+0.27%)	⬆️
pkg/reconciler/ingress/resources/httproute.go	94.77% <100.00%> (+0.16%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c82e90c...ad027c7. Read the comment docs.

[dprotaso]

nit: corev1.Secret not metav1

[evankanderson]

Thanks, done

[dprotaso]

whoops accidentally hit the wrong button earlier

change looks good

tl;dr

• I think one of the lint warnings is a legit bug
• We should have a follow up where we create multiple gateways vs updating a single one

[dprotaso]

Want to open up a new issue about creating multiple gateways vs. updating a single one?

[evankanderson]

#317

[dprotaso]

Given that these controllers have a default threadiness of 2 - I'd expect many update conflicts since we're updating a single shared resource - this can be addressed by using multiple gateways at a future date.

I'd probably skip recording the event since that might trigger client side throttling since we'll be hitting the API frequently

[dprotaso]

Also, we shouldn't run this controller in HA with the number of buckets being greater than 1.

[evankanderson]

Ah, I see what you're suggesting. I'll add o TODO and a comment here.

I'll also bring this up with the Gateway API maintainers -- it feels like generating hundreds of Gateways that are supposed to collapse onto the same proxy is probably not right (and doesn't seem to work for at least Contour today), but the one-Gateway model doesn't scale, either.

Filed #318

[dprotaso]

Curious if we should update the gateway listeners first before updating the httproute

[evankanderson]

I'm not sure -- how would you decide which to do?

[dprotaso]

I could imagine a poor implementation (of the gateway api) that doesn't trigger reconciliation of existing HTTP routes when ReferenceGrants for certain namespaces are create.

Thus I think I'd prefer to create the listener & grant and update the gateway prior to creating an HTTPRoute.

I'm ok if that's done in a followup PR

[dprotaso]

this lint warning seems legit -probably should make a copy of h otherwise this points to the address space that's updated by the loop iteration

[evankanderson]

Ah, I don't think I've ever had more than one entry in tls.Hosts, good catch!

[dprotaso]

issue?

[evankanderson]

#319

[evankanderson]

Okay, I've added a couple more test cases, going over Dave's comments now.

I think my next steps are going to be to figure out what the Contour maintainers expect from AppPrortocol to enable Webhook and TLS, and see whether or not I can reasonably hack that into Contour to get the websocket and grpc tests passing.

[nak3]

This repo has two conformance tests:

1. the test with net-gateway-api controller. (test/kind-e2e-contour.sh)
2. the test without net-gateway-api controller (test/kind-conformance-contour.sh)

This PR has 1, but we still need to add a test for 2. I think we can do it in another PR but just wanted to mention about it.

Actually 2 still needs to add the test code into test/conformance/ingressv2 and enable it in run.go.
The procedure is described in DEVELOPMENT.md.

[dprotaso]

nit: knative/pkg/ptr

[evankanderson]

Why prefer knative.dev packages to the upstream k8s ones?

[evankanderson]

/hold

After discussion and testing, it turns out that we can create new Gateway resources in both contour and istio implementations which share the same IP address, so I'm going to re-work this to create new Gateway resources for each KIngress with TLS, rather than adding onto an existing Gateway.

[evankanderson]

/hold cancel

Gateway merging doesn't actually work for at least Contour, and if you have two Gateways, there's no clear way to determine which Gateway the ones without addresses merge to.

[evankanderson]

/hold

@carlisia asked that #315 go in first.

I'm going to see whether I can get listener cleanup in while she's working.

[evankanderson]

I added some more code, we now have distinctly-named listeners of the form kni-$INGRESS_UID, and a finalizer to clean them up.

/assign @carlisia

@dprotaso @nak3 not sure if you want to take (another?) look.

[nak3]

/test integration-tests_net-gateway-api_main

LGTM. Thank you!

[evankanderson]

Missed one comment earlier.

Also, this is now merged with #315, and unit tests should be passing. I'm checking e2e now, but this is ready for review.

@carlisia @dprotaso @nak3

I wouldn't mind this getting in before nightly testing / as a candidate for 1.6...

[evankanderson]

Why prefer knative.dev packages to the upstream k8s ones?

[evankanderson]

Ugh, I've somehow screwed up just the kind e2e tests...

[evankanderson]

/hold

(sorting out the timeout...)

[evankanderson]

I missed the rename ReferencePolicy -> ReferenceGrant in the ClusteRole for the controller, so it couldn't manage the resources it thought it needed to create.

/hold cancel

[evankanderson]

Tests run locally seem to pass now... (I had a cleanup issue I was debugging when I pushed before the /hold, so I figured I'd get the CI tests in parallel).

[evankanderson]

Hmm, it looks like the conformance tests in the e2e tests are unhappy; I can repro locally with Istio, but not with Contour. Debugging...

[carlisia]

The PR changes lgtm. I'll standby...

[carlisia]

Does the Port not need to be added as well?

[carlisia]

Whoa side note: I was wondering where and how ISTIO_VERSION was being used since I couldn't find it anywhere in the code base. It is used by the Istio script for its installation (https://raw.githubusercontent.com/istio/istio/master/release/downloadIstioCtl.sh).

Here are the changes to the latest version, v1.14.1: Istio / Announcing Istio 1.14.1. I wonder if this update would help with the tls stuff.

PS: I'll document the info about the Istio version.

---

Since the Istio version being currently used (1.13.2), this other update also adds a TLS related fix:
Istio / Announcing Istio 1.13.5

[carlisia]

Also: Istio has not had a release since upgrading their code to use v0.5.0-rc1 (gateway-api: upgrade to v0.5.0-rc1 by howardjohn · Pull Request #39506 · istio/istio).

[carlisia]

Trying to update Istio is failing: Bump Istio to v1.14.1 by carlisia · Pull Request #330 · knative-sandbox/net-gateway-api

[evankanderson]

I foolishly attempted to use the new ReferenceGrant API immediately; I've since mended my ways and switched back to using ReferencePolicy.

Pro tip when doing a merge like this:

1. Make sure the e2e test passes before upgrade
2. Upgrade the code and run the e2e test on the pre-merge controller with post-merge tests.
3. Redeploy the controller and verify the e2e tests continue to pass.

Once I did this, triage of the tests was a lot easier, because it was clear that it was something in the controller code, not the merge, that had broken the tests.

[evankanderson]

/hold cascel

[evankanderson]

Tests, including TLS tests, now pass locally.

[carlisia]

This is great, thank you! 🎉

I will add an issue to switch to ReferenceGrant once the providers are updated to support it. And I'll add your tips to the dev documentation.

Thanks for creating all the issues for followup work. Wanted to surface this one comment, I think it requires an issue as well? #316

/lgtm
/approve

🚀

[carlisia]

/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carlisia, evankanderson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [carlisia,evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[carlisia]

/hold cancel