diff --git a/config/config-network.yaml b/config/config-network.yaml index aed72bba5..39cbc4a1b 100644 --- a/config/config-network.yaml +++ b/config/config-network.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: networking app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "d0b91f80" + knative.dev/example-checksum: "73d96d1b" data: _example: | ################################ @@ -173,50 +173,12 @@ data: # Knative doesn't know about that otherwise. default-external-scheme: "http" - # The CA public certificate used to sign the activator TLS certificate. - # It is specified by the secret name, which has the "ca.crt" data field. - # Use an empty value to disable the feature (default). + # internal-encryption indicates whether internal traffic is encrypted or not. + # If this is "true", the following traffic are encrypted: + # - ingress to activator + # - ingress to queue-proxy + # - activator to queue-proxy # # NOTE: This flag is in an alpha state and is mostly here to enable internal testing # for now. Use with caution. - activator-ca: "" - - # The SAN (Subject Alt Name) used to validate the activator TLS certificate. - # It must be set when "activator-ca" is specified. - # Use an empty value to disable the feature (default). - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - activator-san: "" - - # The server certificates to serve the TLS traffic from ingress to activator. - # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field. - # Use an empty value to disable the feature (default). - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - activator-cert-secret: "" - - # The CA public certificate used to sign the queue-proxy TLS certificate. - # It is specified by the secret name, which has the "ca.crt" data field. - # Use an empty value to disable the feature (default). - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - queue-proxy-ca: "" - - # The SAN (Subject Alt Name) used to validate the activator TLS certificate. - # It must be set when "queue-proxy-ca" is specified. - # Use an empty value to disable the feature (default). - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - queue-proxy-san: "" - - # The server certificates to serve the TLS traffic from activator to queue-proxy. - # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field. - # Use an empty value to disable the feature (default). - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - queue-proxy-cert-secret: "" + internal-encryption: "false" diff --git a/pkg/config/config.go b/pkg/config/config.go index 1a7a59428..30580161a 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -65,6 +65,10 @@ const ( // CertManagerCertificateClassName value for specifying Knative's Cert-Manager // Certificate reconciler. CertManagerCertificateClassName = "cert-manager.certificate.networking.knative.dev" + + // ServingInternalCertName is the name of secret contains certificates in serving + // system namespace. + ServingInternalCertName = "knative-serving-certs" ) // Config Keys @@ -118,27 +122,9 @@ const ( // hostname for a Route's tag. TagTemplateKey = "tag-template" - // ActivatorCAKey is the config for the secret name, which stores CA public certificate used - // to sign the activator TLS certificate. - ActivatorCAKey = "activator-ca" - - // ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate. - ActivatorSANKey = "activator-san" - - // ActivatorCertKey is the config for the secret name, which stores certificates - // to serve the TLS traffic from ingress to activator. - ActivatorCertKey = "activator-cert-secret" - - // QueueProxyCAKey is the config for the secret name, which stores CA public certificate used - // to sign the queue-proxy TLS certificate. - QueueProxyCAKey = "queue-proxy-ca" - - // QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate. - QueueProxySANKey = "queue-proxy-san" - - // QueueProxyCertKey is the config for the secret name, which stores certificates - // to serve the TLS traffic from activator to queue-proxy. - QueueProxyCertKey = "queue-proxy-cert-secret" + // InternalEncryptionKey is the name of the configuration whether + // internal traffic is encrypted or not. + InternalEncryptionKey = "internal-encryption" ) // HTTPProtocol indicates a type of HTTP endpoint behavior @@ -265,27 +251,8 @@ type Config struct { // not enabled. Defaults to "http". DefaultExternalScheme string - // ActivatorCA defines the secret name of the CA public certificate used to sign the activator TLS certificate. - // The traffic is not encrypted if ActivatorCA is empty. - ActivatorCA string - - // ActivatorSAN defines the SAN (Subject Alt Name) used to validate the activator TLS certificate. - // It is used only when ActivatorCA is specified. - ActivatorSAN string - - // ActivatorCertSecret defines the secret name of the server certificates to serve the TLS traffic from ingress to activator. - ActivatorCertSecret string - - // QueueProxyCA defines the secret name of the CA public certificate used to sign the queue-proxy TLS certificate. - // The traffic to queue-proxy is not encrypted if QueueProxyCA is empty. - QueueProxyCA string - - // QueueProxySAN defines the SAN (Subject Alt Name) used to validate the queue-proxy TLS certificate. - // It is used only when QueueProxyCA is specified. - QueueProxySAN string - - // QueueProxyCertSecret defines the secret name of the server certificates to serve the TLS traffic from activator to queue-proxy. - QueueProxyCertSecret string + // DefaultExternal specifies whether internal traffic is encrypted or not. + InternalEncryption bool } func defaultConfig() *Config { @@ -300,12 +267,7 @@ func defaultConfig() *Config { AutocreateClusterDomainClaims: false, DefaultExternalScheme: "http", MeshCompatibilityMode: MeshCompatibilityModeAuto, - ActivatorCA: "", - ActivatorSAN: "", - ActivatorCertSecret: "", - QueueProxyCA: "", - QueueProxySAN: "", - QueueProxyCertSecret: "", + InternalEncryption: false, } } @@ -332,12 +294,7 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { cm.AsBool(AutocreateClusterDomainClaimsKey, &nc.AutocreateClusterDomainClaims), cm.AsBool(EnableMeshPodAddressabilityKey, &nc.EnableMeshPodAddressability), cm.AsString(DefaultExternalSchemeKey, &nc.DefaultExternalScheme), - cm.AsString(ActivatorCAKey, &nc.ActivatorCA), - cm.AsString(ActivatorSANKey, &nc.ActivatorSAN), - cm.AsString(ActivatorCertKey, &nc.ActivatorCertSecret), - cm.AsString(QueueProxyCAKey, &nc.QueueProxyCA), - cm.AsString(QueueProxySANKey, &nc.QueueProxySAN), - cm.AsString(QueueProxyCertKey, &nc.QueueProxyCertSecret), + cm.AsBool(InternalEncryptionKey, &nc.InternalEncryption), asMode(MeshCompatibilityModeKey, &nc.MeshCompatibilityMode), asLabelSelector(NamespaceWildcardCertSelectorKey, &nc.NamespaceWildcardCertSelector), ); err != nil { @@ -394,22 +351,6 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey]) } - if nc.ActivatorCA != "" && nc.ActivatorSAN == "" { - return nil, fmt.Errorf("%q must be set when %q was set", ActivatorSANKey, ActivatorCAKey) - } - - if nc.ActivatorCA == "" && nc.ActivatorSAN != "" { - return nil, fmt.Errorf("%q must be set when %q was set", ActivatorCAKey, ActivatorSANKey) - } - - if nc.QueueProxyCA != "" && nc.QueueProxySAN == "" { - return nil, fmt.Errorf("%q must be set when %q was set", QueueProxySANKey, QueueProxyCAKey) - } - - if nc.QueueProxyCA == "" && nc.QueueProxySAN != "" { - return nil, fmt.Errorf("%q must be set when %q was set", QueueProxyCAKey, QueueProxySANKey) - } - return nc, nil } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 3afb8a788..ed5ab1743 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -279,53 +279,14 @@ func TestConfiguration(t *testing.T) { }, { name: "network configuration with activator-ca and activator-san", data: map[string]string{ - ActivatorCAKey: "test-ca", - ActivatorSANKey: "test-san", + InternalEncryptionKey: "true", }, wantErr: false, wantConfig: func() *Config { c := defaultConfig() - c.ActivatorCA = "test-ca" - c.ActivatorSAN = "test-san" + c.InternalEncryption = true return c }(), - }, { - name: "network configuration with activator-ca and missing activator-san", - data: map[string]string{ - ActivatorCAKey: "test-ca", - }, - wantErr: true, - }, { - name: "network configuration with activator-san and missing activator-ca", - data: map[string]string{ - ActivatorSANKey: "test-san", - }, - wantErr: true, - }, { - name: "network configuration with queue-proxy-ca and queue-proxy-san", - data: map[string]string{ - QueueProxyCAKey: "test-ca", - QueueProxySANKey: "test-san", - }, - wantErr: false, - wantConfig: func() *Config { - c := defaultConfig() - c.QueueProxyCA = "test-ca" - c.QueueProxySAN = "test-san" - return c - }(), - }, { - name: "network configuration with queue-proxy-ca and missing queue-proxy-san", - data: map[string]string{ - QueueProxyCAKey: "test-ca", - }, - wantErr: true, - }, { - name: "network configuration with queue-proxy-san and missing queue-proxy-ca", - data: map[string]string{ - QueueProxySANKey: "test-san", - }, - wantErr: true, }, { name: "legacy keys", data: map[string]string{ diff --git a/pkg/deprecated_config.go b/pkg/deprecated_config.go index f099c68f4..50c322d45 100644 --- a/pkg/deprecated_config.go +++ b/pkg/deprecated_config.go @@ -123,40 +123,6 @@ const ( // // Deprecated: use knative.dev/networking/pkg/config.DefaultExternalSchemeKey DefaultExternalSchemeKey = config.DefaultExternalSchemeKey - - // ActivatorCAKey is the config for the secret name, which stores CA public certificate used - // to sign the activator TLS certificate. - // - // Deprecated: use knative.dev/networking/pkg/config.ActivatorCAKey - ActivatorCAKey = config.ActivatorCAKey - - // ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate. - // - // Deprecated: use knative.dev/networking/pkg/config.ActivatorSANKey - ActivatorSANKey = config.ActivatorSANKey - - // ActivatorCertKey is the config for the secret name, which stores certificates - // to serve the TLS traffic from ingress to activator. - // - // Deprecated: use knative.dev/networking/pkg/config.ActivatorCertKey - ActivatorCertKey = config.ActivatorCertKey - - // QueueProxyCAKey is the config for the secret name, which stores CA public certificate used - // to sign the queue-proxy TLS certificate. - // - // Deprecated: use knative.dev/networking/pkg/config.QueueProxyCAKey - QueueProxyCAKey = config.QueueProxyCAKey - - // QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate. - // - // Deprecated: use knative.dev/networking/pkg/config.QueueProxySANKey - QueueProxySANKey = config.QueueProxySANKey - - // QueueProxyCertKey is the config for the secret name, which stores certificates - // to serve the TLS traffic from activator to queue-proxy. - // - // Deprecated: use knative.dev/networking/pkg/config.QueueProxyCertKey - QueueProxyCertKey = config.QueueProxyCertKey ) // DomainTemplateValues are the available properties people can choose from