[WIP] Add certificate reconciler for internal certs

cmd/activator/main.go

@@ -40,6 +40,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
+	"knative.dev/control-protocol/pkg/certificates"
 	network "knative.dev/networking/pkg"
 	netcfg "knative.dev/networking/pkg/config"
 	netprobe "knative.dev/networking/pkg/http/probe"
@@ -173,7 +174,7 @@ func main() {
 			pool = x509.NewCertPool()
 		}
 
-		if ok := pool.AppendCertsFromPEM(caSecret.Data["ca.crt"]); !ok {
+		if ok := pool.AppendCertsFromPEM(caSecret.Data[certificates.SecretCaCertKey]); !ok {
 			logger.Fatalw("Failed to append ca cert to the RootCAs")
 		}
 
@@ -283,7 +284,7 @@ func main() {
 		if err != nil {
 			logger.Fatalw("failed to get secret", zap.Error(err))
 		}
-		cert, err := tls.X509KeyPair(secret.Data["tls.crt"], secret.Data["tls.key"])
+		cert, err := tls.X509KeyPair(secret.Data[certificates.SecretCertKey], secret.Data[certificates.SecretPKKey])
 		if err != nil {
 			logger.Fatalw("failed to load certs", zap.Error(err))
 		}

cmd/controller/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	// The set of controllers this controller process runs.
+	certificate "knative.dev/control-protocol/pkg/certificates/reconciler"
 	"knative.dev/serving/pkg/reconciler/configuration"
 	"knative.dev/serving/pkg/reconciler/gc"
 	"knative.dev/serving/pkg/reconciler/labeler"
@@ -41,6 +42,7 @@ var ctors = []injection.ControllerConstructor{
 	service.NewController,
 	gc.NewController,
 	nscert.NewController,
+	certificate.NewControllerFactory("serving"),
 }
 
 func main() {

cmd/queue/main.go

@@ -33,6 +33,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/types"
 
+	"knative.dev/control-protocol/pkg/certificates"
 	netheader "knative.dev/networking/pkg/http/header"
 	netproxy "knative.dev/networking/pkg/http/proxy"
 	netstats "knative.dev/networking/pkg/http/stats"
@@ -66,10 +67,10 @@ const (
 	drainSleepDuration = 30 * time.Second
 
 	// certPath is the path for the server certificate mounted by queue-proxy.
-	certPath = queue.CertDirectory + "/tls.crt"
+	certPath = queue.CertDirectory + "/" + certificates.SecretCertKey
 
 	// keyPath is the path for the server certificate key mounted by queue-proxy.
-	keyPath = queue.CertDirectory + "/tls.key"
+	keyPath = queue.CertDirectory + "/" + certificates.SecretPKKey
 )
 
 type config struct {

config/core/300-secret.yaml

@@ -0,0 +1,27 @@
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: serving-ctrl-ca
+  namespace: knative-serving
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: server-certs
+  namespace: knative-serving
+  labels:
+    serving-ctrl: "data-plane"

go.mod

@@ -34,6 +34,7 @@ require (
 	k8s.io/code-generator v0.23.5
 	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
 	knative.dev/caching v0.0.0-20220524205104-c7b5b7d2835e
+	knative.dev/control-protocol v0.0.0-20220603013701-cb8fe429469c
 	knative.dev/hack v0.0.0-20220524153203-12d3e2a7addc
 	knative.dev/networking v0.0.0-20220524205304-22d1b933cf73
 	knative.dev/pkg v0.0.0-20220524202603-19adf798efb8

go.sum

@@ -296,6 +296,8 @@ github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2u
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudevents/conformance v0.2.0/go.mod h1:rHKDwylBH89Rns6U3wL9ww8bg9/4GbwRCDNuyoC6bcc=
+github.com/cloudevents/sdk-go/v2 v2.4.1/go.mod h1:MZiMwmAh5tGj+fPFvtHv9hKurKqXtdB9haJYMJ/7GJY=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -856,6 +858,7 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:
 github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
@@ -2244,12 +2247,15 @@ k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19V
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 knative.dev/caching v0.0.0-20220524205104-c7b5b7d2835e h1:IiBNMvIAMEVAweBxootmBHystWDT8q+FLT/ng5V6I78=
 knative.dev/caching v0.0.0-20220524205104-c7b5b7d2835e/go.mod h1:yYNZINwZnAthrLT5Cib64oSDqBDya4Cd2q+It9XJOwI=
+knative.dev/control-protocol v0.0.0-20220603013701-cb8fe429469c h1:3X+gmG/lQUhces9I0mKE0rO8zFaPTmd0V3DqrL2yStY=
+knative.dev/control-protocol v0.0.0-20220603013701-cb8fe429469c/go.mod h1:xGSvy0ogMiGuzDvOY0sMGqraCnFzepAPz3YNV5Bv22g=
 knative.dev/hack v0.0.0-20220524153203-12d3e2a7addc h1:gqxyFRgwJDioT4DmRYezz6z2j/wvFZVUbl6c9KeMj6I=
 knative.dev/hack v0.0.0-20220524153203-12d3e2a7addc/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
 knative.dev/networking v0.0.0-20220524205304-22d1b933cf73 h1:TNa2x1vLb8vGa+i0lrqFAkRwQp8+Bt1iHdKI6ZV4KDY=
 knative.dev/networking v0.0.0-20220524205304-22d1b933cf73/go.mod h1:oIETD09Q4GSOXjdBdiPc0eEQxMwmjH7/gdhfg+sgdW8=
 knative.dev/pkg v0.0.0-20220524202603-19adf798efb8 h1:7vZxPKJsJ4LkJTLiTy48nfykzfDi69OS4GKRs0qeSM4=
 knative.dev/pkg v0.0.0-20220524202603-19adf798efb8/go.mod h1:pApypeWDkGrsMkUDkV6StWXS4CXhwGWuJEID9GGZY0Y=
+knative.dev/reconciler-test v0.0.0-20220524205904-f750f80bfc7e/go.mod h1:/ps2aEdmtjId+pUGJuuADQN4IucIp4rI7KnrYEahOgE=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=

test/config/tls/config-network.yaml

@@ -21,9 +21,9 @@ metadata:
     app.kubernetes.io/version: devel
     serving.knative.dev/release: devel
 data:
-  activator-ca: "serving-ca"
-  activator-san: "knative"
+  activator-ca: "server-certs"
+  activator-san: "data-plane.knative.dev"
   activator-cert-secret: "server-certs"
-  queue-proxy-ca: "serving-ca"
-  queue-proxy-san: "knative"
+  queue-proxy-ca: "server-certs"
+  queue-proxy-san: "data-plane.knative.dev"
   queue-proxy-cert-secret: "server-certs"

test/config/tls/secret.yaml

@@ -0,0 +1,29 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: server-certs
+  namespace: serving-tests-alt
+  labels:
+    serving-ctrl: "data-plane"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: server-certs
+  namespace: serving-tests
+  labels:
+    serving-ctrl: "data-plane"

test/e2e-common.sh

@@ -359,12 +359,14 @@ function install() {
   fi
 
   if (( ENABLE_TLS )); then
-    echo "Generate certificates"
-    bash ${REPO_ROOT_DIR}/test/generate-cert.sh
+    echo "Deploy server certificates into user(test) namespaces"
+    kubectl apply -f ${REPO_ROOT_DIR}/test/config/tls/secret.yaml
 
     echo "Patch to activator to serve TLS"
     kubectl apply -n ${SYSTEM_NAMESPACE} -f ${REPO_ROOT_DIR}/test/config/tls/config-network.yaml
     kubectl delete pod -n ${SYSTEM_NAMESPACE} -l app=activator
+
+    kubectl wait --timeout=60s --for=condition=Available deployment  -n ${SYSTEM_NAMESPACE} activator
   fi
 }
 

test/ha/ha.go

@@ -37,7 +37,7 @@ import (
 const (
 	// NumControllerReconcilers is the number of controllers run by ./cmd/controller/main.go.
 	// It is exported so the tests from cmd/controller/main.go can ensure we keep it in sync.
-	NumControllerReconcilers = 8
+	NumControllerReconcilers = 9
 )
 
 func createPizzaPlanetService(t *testing.T, fopt ...rtesting.ServiceOption) (test.ResourceNames, *v1test.ResourceObjects) {