Support encrypted traffic between ingress and queue-proxy #12797

Closed
nak3 opened this issue Mar 30, 2022 · 9 comments
Labels
kind/feature Well-understood/specified features, ready for coding. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. triage/accepted Issues which should be fixed (post-triage)

Comments

@nak3
Contributor

nak3 commented Mar 30, 2022

As described in the feature docs:

the HTTP Proxy (KIngress) needs to be able to accept certificates for both the activator (in the knative-serving namespace) and the Revision pods (in the user namespace). There are three ways to manage this:
... snip ...
For the initial Alpha release, we will implement approach 2 and reduce scope by keeping the activator always (and only) in the set of Knative Revision endpoints exposed to the KIngress.

The alpha release does not support encrypted traffic between ingress and queue-proxy, but this is a temporary state and we should support it.

@nak3 nak3 added the kind/feature Well-understood/specified features, ready for coding. label Mar 30, 2022
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 28, 2022
@nak3 nak3 added lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 28, 2022
@nak3
Contributor Author

nak3 commented Jun 28, 2022

This is possible to support if we sign the server certs in activator and queue-proxy with the same CA and SAN.

However, it is better to support a different SAN or CA for the server certs in each namespace, which means that supporting encrypted traffic between ingress and queue-proxy is very difficult.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 27, 2022
@psschwei
Contributor

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 27, 2022
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 27, 2022
@psschwei
Contributor

psschwei commented Jan 3, 2023

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 3, 2023
@nak3
Contributor Author

nak3 commented Jan 23, 2023

Just linking to the discussion #13005 (comment)

This is achievable with the current same CA and same SAN, but we should try SNI.

@ReToCode
Member

ReToCode commented Aug 3, 2023

With the latest discussion, we'll focus on doing the multi-SAN approach for Istio + Kourier and let the activator stay in the path for contour + gw-api as long as they do not support the multi-SAN approach. So there is no need for SNI in the activator for now.

/close

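The same-CA, multi-SAN approach discussed in nak3's Jun 28 comment and in the closing comment above can be checked offline with the Go standard library. What follows is an added example, not code from the Knative project or from any participant in this thread. The CA name and the three DNS SANs are assumptions chosen for illustration; the page does not say which names Knative puts in its certificates. The program issues one server certificate carrying two SANs from a single CA, then verifies it the way an ingress acting as a TLS client would, once under each expected name, and once under a name the certificate does not carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical DNS SANs used only for this example; the issue does not give
// the names Knative actually writes into activator or queue-proxy certs.
const (
	ActivatorSAN  = "activator.knative-serving.svc"
	QueueProxySAN = "kn-user-internal.user-ns.svc"
	UnrelatedSAN  = "other.example.svc"
)

// newKeyAndCert generates a P-256 key and a certificate for tmpl signed by
// parent/parentKey; a nil parent makes the certificate self-signed.
func newKeyAndCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA returns a self-signed CA, standing in for the one the ingress trusts.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newKeyAndCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "knative-serving-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert signs one server certificate that carries every name in
// sans, so a single cert satisfies a client expecting any one of them.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sans []string) (*x509.Certificate, error) {
	cert, _, err := newKeyAndCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// VerifyAs does what a TLS client such as the ingress does with a presented
// server cert: chain it to the trusted CA and check the expected DNS name.
func VerifyAs(leaf, root *x509.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

// MultiSANAccepted issues one cert for the activator and queue-proxy names
// and reports under which expected names a verifying client accepts it.
func MultiSANAccepted() (map[string]bool, error) {
	ca, caKey, err := NewCA()
	if err != nil {
		return nil, err
	}
	leaf, err := IssueServerCert(ca, caKey, []string{ActivatorSAN, QueueProxySAN})
	if err != nil {
		return nil, err
	}
	accepted := make(map[string]bool)
	for _, name := range []string{ActivatorSAN, QueueProxySAN, UnrelatedSAN} {
		accepted[name] = VerifyAs(leaf, ca, name) == nil
	}
	return accepted, nil
}

func main() {
	accepted, err := MultiSANAccepted()
	fmt.Println(accepted, err)
}
```

Run it with `go run .`: the two names the certificate carries verify, the unrelated one does not. The point for the thread is the trade-off nak3 raised: one CA and a shared set of SANs let the ingress keep a single expected name for both the activator and every revision's queue-proxy, but any namespace that wants its own SAN or CA can no longer be satisfied by that one client configuration without SNI-based selection.
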
@knative-prow

knative-prow bot commented Aug 3, 2023

@ReToCode: Closing this issue.

In response to this:

With the latest discussion, we'll focus on doing the multi-SAN approach for Istio + Kourier and let the activator stay in the path for contour + gw-api as long as they do not support the multi-SAN approach. So there is no need for SNI in the activator for now.

/close


@knative-prow knative-prow bot closed this as completed Aug 3, 2023
@ReToCode ReToCode self-assigned this Sep 14, 2023

3 participants