From 67116372bdee2239569277e701b1d9230f0e2dd3 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 6 Apr 2022 16:11:13 +0900 Subject: [PATCH 1/4] Add certificates keys in config-network This patch adds the following certificate variables: - `activator-server-certs` - `queue-proxy-ca` - `queue-proxy-san` - `queue-proxy-server-certs` It is similar to https://github.com/knative/networking/pull/608. https://github.com/knative/serving/pull/12815 and https://github.com/knative/serving/pull/12770 verifeid the change. --- config/config-network.yaml | 34 +++++++++++++++++++++++++++- pkg/network.go | 45 ++++++++++++++++++++++++++++++++++++++ pkg/network_test.go | 27 ++++++++++++++++++++++- 3 files changed, 104 insertions(+), 2 deletions(-) diff --git a/config/config-network.yaml b/config/config-network.yaml index 7c1b4edcf..e9f397d98 100644 --- a/config/config-network.yaml +++ b/config/config-network.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: networking app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "7c86cb6a" + knative.dev/example-checksum: "65b0cddb" data: _example: | ################################ 
@@ -188,3 +188,35 @@ data:
 # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
 # for now. Use with caution.
 activator-san: ""
+
+ # The server certificates to serve the TLS traffic from ingress to activator.
+ # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+ # Use an empty value to disable the feature (default).
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+ activator-server-certs: ""
+
+ # The CA public certificate used to sign the queue-proxy TLS certificate.
+ # It is specified by the secret name, which has the "ca.crt" data field.
+ # Use an empty value to disable the feature (default).
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+ queue-proxy-ca: ""
+
+ # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+ # It must be set when "queue-proxy-ca" is specified.
+ # Use an empty value to disable the feature (default).
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+ queue-proxy-san: ""
+
+ # The server certificates to serve the TLS traffic from activator to queue-proxy.
+ # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+ # Use an empty value to disable the feature (default).
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+ queue-proxy-server-certs: ""
diff --git a/pkg/network.go b/pkg/network.go
index 26a2633ca..89aa84abc 100644
--- a/pkg/network.go
+++ b/pkg/network.go
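Review bot: The first comment line of the new `queue-proxy-san` entry says the SAN is used to validate the activator TLS certificate, which looks copied from the `activator-san` entry above; the Go constant added in the same commit documents `QueueProxySANKey` as the SAN for the queue-proxy TLS certificate. An operator reading only the ConfigMap would pin this SAN to the wrong endpoint's certificate. Replace that line with `# The SAN (Subject Alt Name) used to validate the queue-proxy TLS certificate.`. It would also help to name the verifier in the `queue-proxy-ca` comment — the surrounding text implies the activator is the TLS client on this hop, so `# The CA public certificate the activator uses to validate the queue-proxy TLS certificate.` makes the trust direction explicit, assuming that is indeed the consumer.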
@@ -196,6 +196,21 @@ const (
 
 // ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate.
 ActivatorSANKey = "activator-san"
+
+ // ActivatorServerCertKey is the config for the secret name, which stores certificates
+ // to serve the TLS traffic from ingress to activator.
+ ActivatorServerCertKey = "activator-server-certs"
+
+ // QueueProxyCAKey is the config for the secret name, which stores CA public certificate used
+ // to sign the queue-proxy TLS certificate.
+ QueueProxyCAKey = "queue-proxy-ca"
+
+ // QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate.
+ QueueProxySANKey = "queue-proxy-san"
+
+ // QueueProxyServerCertKey is the config for the secret name, which stores certificates
+ // to serve the TLS traffic from activator to queue-proxy.
+ QueueProxyServerCertKey = "queue-proxy-server-certs"
 )
 
 // DomainTemplateValues are the available properties people can choose from
@@ -302,6 +317,20 @@ type Config struct {
 // ActivatorSAN defines the SAN (Subject Alt Name) used to validate the activator TLS certificate.
 // It is used only when ActivatorCA is specified.
 ActivatorSAN string
+
+ // ActivatorSererCert defines the secret name of the server certificates to serve the TLS traffic from ingress to activator.
+ ActivatorServerCert string
+
+ // QueueProxyCA defines the secret name of the CA public certificate used to sign the queue-proxy TLS certificate.
+ // The traffic to queue-proxy is not encrypted if QueueProxyCA is empty.
+ QueueProxyCA string
+
+ // QueueProxySAN defines the SAN (Subject Alt Name) used to validate the queue-proxy TLS certificate.
+ // It is used only when QueueProxyCA is specified.
+ QueueProxySAN string
+
+ // QueueProxyServerCert defines the secret name of the server certificates to serve the TLS traffic from activator to queue-proxy.
+ QueueProxyServerCert string
 }
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -359,6 +388,10 @@ func defaultConfig() *Config {
 MeshCompatibilityMode: MeshCompatibilityModeAuto,
 ActivatorCA: "",
 ActivatorSAN: "",
+ ActivatorServerCert: "",
+ QueueProxyCA: "",
+ QueueProxySAN: "",
+ QueueProxyServerCert: "",
 }
 }
 
@@ -392,6 +425,10 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 cm.AsString(DefaultExternalSchemeKey, &nc.DefaultExternalScheme),
 cm.AsString(ActivatorCAKey, &nc.ActivatorCA),
 cm.AsString(ActivatorSANKey, &nc.ActivatorSAN),
+ cm.AsString(ActivatorServerCertKey, &nc.ActivatorServerCert),
+ cm.AsString(QueueProxyCAKey, &nc.QueueProxyCA),
+ cm.AsString(QueueProxySANKey, &nc.QueueProxySAN),
+ cm.AsString(QueueProxyServerCertKey, &nc.QueueProxyServerCert),
 asMode(MeshCompatibilityModeKey, &nc.MeshCompatibilityMode),
 asLabelSelector(NamespaceWildcardCertSelectorKey, &nc.NamespaceWildcardCertSelector),
 ); err != nil {
@@ -456,6 +493,14 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 return nil, fmt.Errorf("%q must be set when %q was set", ActivatorCAKey, ActivatorSANKey)
 }
 
+ if nc.QueueProxyCA != "" && nc.QueueProxySAN == "" {
+ return nil, fmt.Errorf("%q must be set when %q was set", QueueProxySANKey, QueueProxyCAKey)
+ }
+
+ if nc.QueueProxyCA == "" && nc.QueueProxySAN != "" {
+ return nil, fmt.Errorf("%q must be set when %q was set", QueueProxyCAKey, QueueProxySANKey)
+ }
+
 return nc, nil
 }
 
diff --git a/pkg/network_test.go b/pkg/network_test.go
index d63c58ad5..befdb3ec6 100644
--- a/pkg/network_test.go
+++ b/pkg/network_test.go
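Review bot: The two new checks at the end of the last hunk are a field-for-field copy of the activator CA/SAN pair-check that immediately precedes them (its error return is the hunk's first context line), with only key names and values swapped; a small helper would keep the four messages identical and make the both-or-neither rule explicit for the next certificate pair this file grows. Behaviour is unchanged: a configuration with exactly one of the two values set is rejected, and the message names the missing key. NewConfigFromMap begins outside the hunk, so the helper would be a new package-level function beside it, and the existing activator check can be folded into it the same way.
```go
// requireBoth returns an error when exactly one of the two paired config
// values is set; keyA and keyB are the config-map keys named in the message.
func requireBoth(keyA, valA, keyB, valB string) error {
	if valA != "" && valB == "" {
		return fmt.Errorf("%q must be set when %q was set", keyB, keyA)
	}
	if valA == "" && valB != "" {
		return fmt.Errorf("%q must be set when %q was set", keyA, keyB)
	}
	return nil
}

// … unchanged: field parsing and the activator CA/SAN check in NewConfigFromMap …
	if err := requireBoth(QueueProxyCAKey, nc.QueueProxyCA, QueueProxySANKey, nc.QueueProxySAN); err != nil {
		return nil, err
	}

	return nc, nil
```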
@@ -307,7 +307,32 @@ func TestConfiguration(t *testing.T) {
 }, {
 name: "network configuration with activator-san and missing activator-ca",
 data: map[string]string{
- ActivatorCAKey: "test-san",
+ ActivatorSANKey: "test-san",
+ },
+ wantErr: true,
+ }, {
+ name: "network configuration with queue-proxy-ca and queue-proxy-san",
+ data: map[string]string{
+ QueueProxyCAKey: "test-ca",
+ QueueProxySANKey: "test-san",
+ },
+ wantErr: false,
+ wantConfig: func() *Config {
+ c := defaultConfig()
+ c.QueueProxyCA = "test-ca"
+ c.QueueProxySAN = "test-san"
+ return c
+ }(),
+ }, {
+ name: "network configuration with queue-proxy-ca and missing queue-proxy-san",
+ data: map[string]string{
+ QueueProxyCAKey: "test-ca",
+ },
+ wantErr: true,
+ }, {
+ name: "network configuration with queue-proxy-san and missing queue-proxy-ca",
+ data: map[string]string{
+ QueueProxySANKey: "test-san",
 },
 wantErr: true,
 }, {
From 3e704c8451f7fbd0657483079967dca01a190b3e Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Mon, 11 Apr 2022 16:03:35 +0900
Subject: [PATCH 2/4] Rename -server-certs with -cert-secret
---
 config/config-network.yaml | 4 ++--
 pkg/network.go | 24 ++++++++++++------------
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/config/config-network.yaml b/config/config-network.yaml
index e9f397d98..3dd27fe6b 100644
--- a/config/config-network.yaml
+++ b/config/config-network.yaml
@@ -195,7 +195,7 @@ data:
 #
 # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
 # for now. Use with caution.
- activator-server-certs: ""
+ activator-cert-secret: ""
 
 # The CA public certificate used to sign the queue-proxy TLS certificate.
 # It is specified by the secret name, which has the "ca.crt" data field.
@@ -219,4 +219,4 @@ data:
 #
 # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
 # for now. Use with caution.
- queue-proxy-server-certs: ""
+ queue-proxy-cert-secret: ""
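Review bot: None of the new table entries exercises `ActivatorServerCertKey` or `QueueProxyServerCertKey`, although the same commit reads both via `cm.AsString` in NewConfigFromMap, so a mistyped key string or a field mix-up there would pass this test untouched. One more entry that sets both keys and expects them copied onto `ActivatorServerCert` and `QueueProxyServerCert` covers that parsing path; the values below are placeholders, and later patches in this series rename the identifiers to `ActivatorCertKey`/`ActivatorCertSecret` and `QueueProxyCertKey`/`QueueProxyCertSecret`. TestConfiguration's table starts and ends outside the hunk.
```go
	}, {
		name: "network configuration with activator-server-certs and queue-proxy-server-certs",
		data: map[string]string{
			ActivatorServerCertKey:  "test-activator-certs",
			QueueProxyServerCertKey: "test-queue-proxy-certs",
		},
		wantErr: false,
		wantConfig: func() *Config {
			c := defaultConfig()
			c.ActivatorServerCert = "test-activator-certs"
			c.QueueProxyServerCert = "test-queue-proxy-certs"
			return c
		}(),
	// … unchanged: remaining table entries …
```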
diff --git a/pkg/network.go b/pkg/network.go
index 89aa84abc..d87898afc 100644
--- a/pkg/network.go
+++ b/pkg/network.go
@@ -197,9 +197,9 @@ const (
 // ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate.
 ActivatorSANKey = "activator-san"
 
- // ActivatorServerCertKey is the config for the secret name, which stores certificates
+ // ActivatorCertSecretKey is the config for the secret name, which stores certificates
 // to serve the TLS traffic from ingress to activator.
- ActivatorServerCertKey = "activator-server-certs"
+ ActivatorCertSecretKey = "activator-cert-secret"
 
 // QueueProxyCAKey is the config for the secret name, which stores CA public certificate used
 // to sign the queue-proxy TLS certificate.
@@ -208,9 +208,9 @@ const (
 // QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate.
 QueueProxySANKey = "queue-proxy-san"
 
- // QueueProxyServerCertKey is the config for the secret name, which stores certificates
+ // QueueProxyCertSecretKey is the config for the secret name, which stores certificates
 // to serve the TLS traffic from activator to queue-proxy.
- QueueProxyServerCertKey = "queue-proxy-server-certs"
+ QueueProxyCertSecretKey = "queue-proxy-cert-secret"
 )
 
 // DomainTemplateValues are the available properties people can choose from
@@ -318,8 +318,8 @@ type Config struct {
 // It is used only when ActivatorCA is specified.
 ActivatorSAN string
 
- // ActivatorSererCert defines the secret name of the server certificates to serve the TLS traffic from ingress to activator.
- ActivatorServerCert string
+ // ActivatorCertSecret defines the secret name of the server certificates to serve the TLS traffic from ingress to activator.
+ ActivatorCertSecret string
 
 // QueueProxyCA defines the secret name of the CA public certificate used to sign the queue-proxy TLS certificate.
 // The traffic to queue-proxy is not encrypted if QueueProxyCA is empty.
@@ -329,8 +329,8 @@ type Config struct {
 // It is used only when QueueProxyCA is specified.
 QueueProxySAN string
 
- // QueueProxyServerCert defines the secret name of the server certificates to serve the TLS traffic from activator to queue-proxy.
- QueueProxyServerCert string
+ // QueueProxyCertSecret defines the secret name of the server certificates to serve the TLS traffic from activator to queue-proxy.
+ QueueProxyCertSecret string
 }
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -388,10 +388,10 @@ func defaultConfig() *Config {
 MeshCompatibilityMode: MeshCompatibilityModeAuto,
 ActivatorCA: "",
 ActivatorSAN: "",
- ActivatorServerCert: "",
+ ActivatorCertSecret: "",
 QueueProxyCA: "",
 QueueProxySAN: "",
- QueueProxyServerCert: "",
+ QueueProxyCertSecret: "",
 }
 }
 
@@ -425,10 +425,10 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 cm.AsString(DefaultExternalSchemeKey, &nc.DefaultExternalScheme),
 cm.AsString(ActivatorCAKey, &nc.ActivatorCA),
 cm.AsString(ActivatorSANKey, &nc.ActivatorSAN),
- cm.AsString(ActivatorServerCertKey, &nc.ActivatorServerCert),
+ cm.AsString(ActivatorCertSecretKey, &nc.ActivatorCertSecret),
 cm.AsString(QueueProxyCAKey, &nc.QueueProxyCA),
 cm.AsString(QueueProxySANKey, &nc.QueueProxySAN),
- cm.AsString(QueueProxyServerCertKey, &nc.QueueProxyServerCert),
+ cm.AsString(QueueProxyCertSecretKey, &nc.QueueProxyCertSecret),
 asMode(MeshCompatibilityModeKey, &nc.MeshCompatibilityMode),
 asLabelSelector(NamespaceWildcardCertSelectorKey, &nc.NamespaceWildcardCertSelector),
 ); err != nil {
From 1e34dd96b56d5b1185529559732fe6fe30fe5365 Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Mon, 11 Apr 2022 16:03:53 +0900
Subject: [PATCH 3/4] Bump checksum
---
 config/config-network.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/config-network.yaml b/config/config-network.yaml
index 3dd27fe6b..aed72bba5 100644
--- a/config/config-network.yaml
+++ b/config/config-network.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: networking
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "65b0cddb"
+ knative.dev/example-checksum: "d0b91f80"
 data:
 _example: |
 ################################
From 169e8c099d5d88489c156f2096837c3f8788ca2d Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Mon, 11 Apr 2022 16:10:53 +0900
Subject: [PATCH 4/4] Fix lint
---
 pkg/network.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/network.go b/pkg/network.go
index d87898afc..fef813530 100644
--- a/pkg/network.go
+++ b/pkg/network.go
@@ -197,9 +197,9 @@ const (
 // ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate.
 ActivatorSANKey = "activator-san"
 
- // ActivatorCertSecretKey is the config for the secret name, which stores certificates
+ // ActivatorCertKey is the config for the secret name, which stores certificates
 // to serve the TLS traffic from ingress to activator.
- ActivatorCertSecretKey = "activator-cert-secret"
+ ActivatorCertKey = "activator-cert-secret"
 
 // QueueProxyCAKey is the config for the secret name, which stores CA public certificate used
 // to sign the queue-proxy TLS certificate.
@@ -208,9 +208,9 @@ const (
 // QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate.
 QueueProxySANKey = "queue-proxy-san"
 
- // QueueProxyCertSecretKey is the config for the secret name, which stores certificates
+ // QueueProxyCertKey is the config for the secret name, which stores certificates
 // to serve the TLS traffic from activator to queue-proxy.
- QueueProxyCertSecretKey = "queue-proxy-cert-secret"
+ QueueProxyCertKey = "queue-proxy-cert-secret"
 )
 
 // DomainTemplateValues are the available properties people can choose from
@@ -425,10 +425,10 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 cm.AsString(DefaultExternalSchemeKey, &nc.DefaultExternalScheme),
 cm.AsString(ActivatorCAKey, &nc.ActivatorCA),
 cm.AsString(ActivatorSANKey, &nc.ActivatorSAN),
- cm.AsString(ActivatorCertSecretKey, &nc.ActivatorCertSecret),
+ cm.AsString(ActivatorCertKey, &nc.ActivatorCertSecret),
 cm.AsString(QueueProxyCAKey, &nc.QueueProxyCA),
 cm.AsString(QueueProxySANKey, &nc.QueueProxySAN),
- cm.AsString(QueueProxyCertSecretKey, &nc.QueueProxyCertSecret),
+ cm.AsString(QueueProxyCertKey, &nc.QueueProxyCertSecret),
 asMode(MeshCompatibilityModeKey, &nc.MeshCompatibilityMode),
 asLabelSelector(NamespaceWildcardCertSelectorKey, &nc.NamespaceWildcardCertSelector),
 ); err != nil {