Add NewProxyAutoTLSTransport and DialTLSWithBackOff to support TLS proxy

[nak3]

Part of: knative/serving#12503
PoC: knative/serving#12815

This patch NewProxyAutoTLSTransport which is `NewProxyAutoTransport + TLS config.
Current proxy does not support TLS but it needs for knative/serving#12503.

DialTLSWithBackOff is also DialWithBackOff + TLS config. It needs
newH2Transport which handles HTTP2 with TLS.

/cc @evankanderson @skonto @rhuss

[codecov]

Codecov Report

Merging #2479 (0ffe420) into main (c2f1f3e) will increase coverage by 0.39%.
The diff coverage is 40.54%.

❗ Current head 0ffe420 differs from pull request most recent head 253457e. Consider uploading reports for the commit 253457e to get more accurate results

@@            Coverage Diff             @@
##             main    #2479      +/-   ##
==========================================
+ Coverage   81.32%   81.71%   +0.39%     
==========================================
  Files         163      163              
  Lines        6499     9653    +3154     
==========================================
+ Hits         5285     7888    +2603     
- Misses        981     1529     +548     
- Partials      233      236       +3     

Impacted Files	Coverage Δ
network/h2c.go	16.66% <0.00%> (-8.34%)	⬇️
network/transports.go	71.95% <50.00%> (-14.10%)	⬇️
webhook/certificates/resources/secret.go	81.25% <0.00%> (-4.47%)	⬇️
injection/informers.go	64.70% <0.00%> (-4.05%)	⬇️
metrics/workqueue.go	80.82% <0.00%> (-2.90%)	⬇️
apis/duck/v1alpha1/binding_types.go	90.47% <0.00%> (-2.86%)	⬇️
metrics/config.go	75.55% <0.00%> (-2.80%)	⬇️
webhook/certificates/resources/certs.go	58.92% <0.00%> (-2.70%)	⬇️
configmap/hash-gen/main.go	62.96% <0.00%> (-2.50%)	⬇️
apis/duck/v1/podspec_types.go	93.10% <0.00%> (-2.14%)	⬇️
... and 155 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4f42bf4...253457e. Read the comment docs.

[evankanderson]

Do we want the ability to fall back to non-TLS transport during the transition if TLS is refused?

[nak3]

I think we don't need it for now. AFAIK, the users, who requested this feature, want to use the strictly secure connection and they will complain about the fall-back feature if we added 😅

[evankanderson]

I think we need a transition plan for "current config" to "always secure". We can end up with any of the following transition scenarios:

• Insecure activator -> secure queue-proxy
• Secure activator -> insecure queue-proxy

I think we want to not serve errors during the update process, which means we either need a way to ensure we know the ordering, or have the ability to fall back to insecure during the transition and then "lock the gate" with a second config change

Full disclosure: I'd like to turn this on for every Knative user, all the time, in some future release.

[nak3]

I see. In this case, knative/serving#12815 supports

• Insecure activator -> secure queue-proxy

and so we should ensure the ordering?
Opening both HTTP and HTTPS on queue-proxy is easy to support (actually knative/serving#12815 does) so I am prefer to it rather than adding the ability to fall back to insecure.

Just in case, I verified the scinario Insecure activator -> secure queue-proxy works fine as nak3/serving#41

[nader-ziada]

does this PR need to get in before we cut pkg - 1.4 on April 12th?

[nak3]

Yes, I hope so...

ping @evankanderson @rhuss @skonto could you please review this?

[evankanderson]

I see. In this case, knative/serving#12815 supports

• Insecure activator -> secure queue-proxy

and so we should ensure the ordering?
Opening both HTTP and HTTPS on queue-proxy is easy to support (actually knative/serving#12815 does) so I am prefer to it rather than adding the ability to fall back to insecure.

Just in case, I verified the scinario Insecure activator -> secure queue-proxy works fine as nak3/serving#41

If you want to enforce the ordering, there needs to be a way to enable the queue-proxy serving on both ports while the activator is still only expecting http traffic. What's the configuration that enables that?

(The same problem applies with ingress -> activator, BTW)

[nak3]

I implemented current PRs in serving repos as queue-proxy serves on both ports when certs are deployed. So, actually there is no way to disable to serve HTTP port at the alpha stage. But I think it is fine because the HTTP port is not used when activator initiates the HTTPs request.

The ingress -> activator is same. Activator serves on both HTTP and HTTPS ports.

[evankanderson]

A few more comments, but most should be straightforward.

[evankanderson]

Could this use a localhost address rather than some Internet IP?

Alternately, use one of the documentation IP ranges so our tests aren't accidentally hitting a real IP.

[evankanderson]

(i.e. use 127.200.100.10:8888)

[nak3]

Another PR #2402 is changing it now (and it seems we need a little bit big change for this) so I leave it as it is.

[evankanderson]

My concern was that this is a real IP owned by Oracle, but I'm not going to block this PR on it.

[nak3]

Thank you! Updated.

[evankanderson]

/lgtm
/approve

[evankanderson]

My concern was that this is a real IP owned by Oracle, but I'm not going to block this PR on it.

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• network/OWNERS [evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment