Add certificates config keys in config-network

[nak3]

This patch adds the following certificate variables:

• activator-server-certs
• queue-proxy-ca
• queue-proxy-san
• queue-proxy-server-certs

It is similar to #608.

knative/serving#12815 and knative/serving#12770
verified the change.

/cc @evankanderson

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nak3]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Merging #648 (1e34dd9) into main (a1261cd) will increase coverage by 0.29%.
The diff coverage is 100.00%.

❗ Current head 1e34dd9 differs from pull request most recent head 169e8c0. Consider uploading reports for the commit 169e8c0 to get more accurate results

@@            Coverage Diff             @@
##             main     #648      +/-   ##
==========================================
+ Coverage   94.56%   94.85%   +0.29%     
==========================================
  Files          38       38              
  Lines         810     1245     +435     
==========================================
+ Hits          766     1181     +415     
- Misses         31       52      +21     
+ Partials       13       12       -1     

Impacted Files	Coverage Δ
pkg/network.go	89.04% <100.00%> (+3.12%)	⬆️
pkg/prober/prober.go	96.80% <0.00%> (-0.17%)	⬇️
pkg/stats.go	100.00% <0.00%> (ø)
pkg/bufferpool.go	100.00% <0.00%> (ø)
pkg/probe_handler.go	100.00% <0.00%> (ø)
pkg/apis/config/store.go	100.00% <0.00%> (ø)
pkg/testing/status/fake.go	100.00% <0.00%> (ø)
pkg/apis/networking/ports.go	100.00% <0.00%> (ø)
pkg/apis/networking/register.go	0.00% <0.00%> (ø)
pkg/apis/networking/generic_types.go	100.00% <0.00%> (ø)
... and 28 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dde40b0...169e8c0. Read the comment docs.

[evankanderson]

I think we want to have a pattern for queue-proxy SANs which incorporates at least the namespace name, and possibly also the revision name.

I'm less concerned about revision name, but it would be nice if we could use the SAN to prove that we don't "cross the streams" at the networking layer and dispatch a request to a queue-proxy at the wrong namespace.

[evankanderson]

Shouldn't queue-proxies in different namespaces get different SANs and Certs?

[nak3]

Yes, it should get the different SANs and certs. But for the alpha release, I assumed that:

• admin deploys secret (server certs) in each application namespace with the name specified in queue-proxy-server-certs.
• queue-proxy mounts the secret via volume mount.

The different SANs and certs are very difficult to implement and we need to consider about another traffic ingress -> queue-proxy in the future.

[evankanderson]

It seems important that a user in one namespace not have access to the cert being used in a different namespace. SANs feel like the way to do that -- we can start with having the admins manually create the certs using something like Cert-Manager or by hand, and eventually enhance Knative to do this before GA.

[skonto]

I think we need to validate SAN/certs at service creation time. It should be done for GA. For now its ok to test with shared certs I guess.

[evankanderson]

How about activator-cert-secret if we need this to be configurable? (I'm okay with it being configurable, though I'm not sure how useful that feature might be vs simply having a hard-coded name.)

[nak3]

I wanted make this configurable as activator can turn on the https serving or not based on the config as:

	if networkConfig.ActivatorServerCert != "" {
              // activator starts serving https.
        }

[nak3]

For the name of activator-cert-secret vs activator-server-certs, we already have the activator ca as activator-ca (without -secert) so it should be consistent?

[evankanderson]

I'd thought the activator-ca was the actually CA certificate (which doesn't need to be kept private, because it's a certificate, not keys).

I'd prefer to have the -secret name here, because it provides a clearer clue that this is a value that needs to be kept private as well.

[nak3]

For queue-proxy's SANs and certs, it needs to consider about the ingress -> queue-proxy, which we have a plan to implement in the future, right? I think it is difficult to determine/implement it with the namespace level in this alpha release...

[nak3]

/cc @skonto @rhuss

[evankanderson]

For queue-proxy's SANs and certs, it needs to consider about the ingress -> queue-proxy, which we have a plan to implement in the future, right? I think it is difficult to determine/implement it with the namespace level in this alpha release...

I think the challenge for ingress -> queue-proxy is twofold:

1. Need some way to teach Ingresses about SANs and CAs associated with particular endpoints (i.e. a mix of activator and queue-proxy pods will have different SANs depending on the endpoint).
2. Need some way to teach individual Ingresses about per-SLS SANs, which means we probably need to put that information in KIngress, which means a "protocol feature bump" in a way that is harder than activator -> queue-proxy, where we control all the code (which is in Go).

I'd be happy with either hard-coding the SAN as equal to the internal cluster service name, or something like {{namespace}}.knative.

[skonto]

I think the challenge for ingress -> queue-proxy is twofold:
...

I would also vote for moving the san/cert info in the ingress part.

I'd be happy with either hard-coding the SAN as equal to the internal cluster service name, or something like {{namespace}}.knative.

SAN can be many things afaik. Could users use the service without the internal name (thinking out loud)?

[skonto]

/lgm

[evankanderson]

I think the challenge for ingress -> queue-proxy is twofold:
...

I would also vote for moving the san/cert info in the ingress part.

I'm not sure I understand the comment here. Do you mean move the SAN and Cert info in the KIngress, or into a different phase of the implementation.

I'd be happy with either hard-coding the SAN as equal to the internal cluster service name, or something like {{namespace}}.knative.

SAN can be many things afaik. Could users use the service without the internal name (thinking out loud)?

SAN is a field in the CA certificate; I don't think we need to align those values with specific resolvable DNS addresses. I think I'm suggesting using the dnsNames field here only because that seems to be supported by cert-manager, but I'm imagining that we'd have a custom validator and wouldn't want other systems using the internal name and attempting validation.

[nak3]

@skonto @evankanderson Is it possible to merge this into 1.4 😅

[evankanderson]

@skonto @evankanderson Is it possible to merge this into 1.4 😅

I'd like to understand the plan for queue-proxy certs. Is it to copy a shared cert to each namespace for 1.4, and then to replace them (and the related config options) in 1.5?

[nak3]

Is it to copy a shared cert to each namespace for 1.4, and then to replace them (and the related config options) in 1.5?

Yes, I assumed that.

[evankanderson]

I think this probably means that the feature will be pre-alpha for 1.4, but as long as we're fine with throwing out some or all of users configuration when we ship 1.5.

/lgtm