All Hops Encrypted: alpha Kourier support for encrypted for internal traffic #824
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: nak3 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
approved
|
@evankanderson knative/serving#11906 did not mention about the internal traffic ( |
Codecov Report
@@ Coverage Diff @@
## main #824 +/- ##
==========================================
- Coverage 82.22% 81.83% -0.40%
==========================================
Files 18 18
Lines 1142 1167 +25
==========================================
+ Hits 939 955 +16
- Misses 162 168 +6
- Partials 41 44 +3
Continue to review full report at Codecov.
|
| @@ -336,3 +367,12 @@ func newExternalEnvoyListenerWithOneCert(ctx context.Context, manager *httpconnm | |||
|
|
|||
| return envoy.NewHTTPSListener(config.HTTPSPortExternal, []*v3.FilterChain{filterChain}, enableProxyProtocol) | |||
| } | |||
|
|
|||
| func newInternalEnvoyListenerWithOneCert(ctx context.Context, manager *httpconnmanagerv3.HttpConnectionManager, kubeClient kubeclient.Interface, enableProxyProtocol bool, certSecretName string) (*v3.Listener, error) { | |||
There was a problem hiding this comment.
The only diff between internal and external for newXXXEnvoyListenerWithOneCertFilterChain is the namespace and secretaName pair?
os.Getenv(envCertsSecretNamespace) , os.Getenv(envCertsSecretName)
vs
system.Namespace(), certSecretName,
Should we simplify this by merging newInternalEnvoyListenerWithOneCertFilterChain and newInternalEnvoyListenerWithOneCert to one func and then just the appropriate values for both internal/external cases?
There was a problem hiding this comment.
Alternatively, rather than making the cert name configurable, you could hard code it, and use the presence / absence of the cert to activate the encryption on the internal interface.
In my experience, this can work fairly well if the component is installed in its own namespace and isn't expected to share. In that case, you could default the secret name to e.g. kourier-internal-domain-cert or the like, and then document that if that cert is created, Kourier will use it.
There was a problem hiding this comment.
Hard cord name is fine, but I assumed that the future plan as:
- Create the secret(=certs) automatically by cert-manager or the library in
knative.dev/pkg. - Knative always use TLS traffic with the auto generated certs.
At step-2, cluster-cert-secrete in the ConfigMap starts having the default value like:
kind: ConfigMap
name: config-kourier
cluster-cert-secret: "kourier-internal-domain-cert"
And if users want to use their own certs rather than auto-gen certs, they can set the different value in cluster-cert-secret.
|
How does this work with Addressable resources? Will they refuse to connect without trusting the (self-signed?) CA for the I'm concerned about unintended side effects of skipping this into the 1.4 build with only 3-4 business days of testing before the release. If we are going to do it, it should definitely be confined to |
There was a problem hiding this comment.
Reading through this, it looks like it doesn't disable HTTP serving, nor does it change the published URL of the KIngress. If that's true (I didn't try running it, and I'm only seeing the changed files, not the final outcome), then I'm less worried about the short-term impact on Addressable.
| @@ -336,3 +367,12 @@ func newExternalEnvoyListenerWithOneCert(ctx context.Context, manager *httpconnm | |||
|
|
|||
| return envoy.NewHTTPSListener(config.HTTPSPortExternal, []*v3.FilterChain{filterChain}, enableProxyProtocol) | |||
| } | |||
|
|
|||
| func newInternalEnvoyListenerWithOneCert(ctx context.Context, manager *httpconnmanagerv3.HttpConnectionManager, kubeClient kubeclient.Interface, enableProxyProtocol bool, certSecretName string) (*v3.Listener, error) { | |||
There was a problem hiding this comment.
Alternatively, rather than making the cert name configurable, you could hard code it, and use the presence / absence of the cert to activate the encryption on the internal interface.
In my experience, this can work fairly well if the component is installed in its own namespace and isn't expected to share. In that case, you could default the secret name to e.g. kourier-internal-domain-cert or the like, and then document that if that cert is created, Kourier will use it.
|
@nak3 (ignore my previous comment on cov) the coverage report is here.The files marked with red are the offending ones, need better coverage. |
|
The coverage https://codecov.io/gh/knative-sandbox/net-kourier/compare/483cd470dc95d03d63c9c853877d8df104d946e6...4a5366996df81b2524357458d1bb92bc14272dbe# compared with non-related old commits. Just rebased and passed codeconv. |
|
/lgtm /hold for @evankanderson |
skonto
added
do-not-merge/hold
knative-prow
bot
removed
the
do-not-merge/hold
Fix #805
As described in #805, service to service traffic does not
support TLS encryption.
kourier-internalservice does not even open the port.This patch fixes it.
/cc @skonto @rhuss