From 83bc270a5be2e5a4125302a064e0cded3e180598 Mon Sep 17 00:00:00 2001 From: David Hadas Date: Sun, 4 Jun 2023 14:42:30 +0300 Subject: [PATCH 1/5] continue trust work --- pkg/queue/sharedmain/cache.go | 145 ++++++++++++++++++ pkg/queue/sharedmain/main.go | 12 +- .../autoscaling/config/store_test.go | 10 +- pkg/reconciler/autoscaling/kpa/kpa.go | 3 +- pkg/reconciler/autoscaling/kpa/kpa_test.go | 4 +- pkg/reconciler/revision/resources/deploy.go | 3 +- pkg/reconciler/revision/resources/queue.go | 3 + pkg/reconciler/revision/revision.go | 3 +- pkg/reconciler/route/resources/ingress.go | 5 +- .../route/resources/ingress_test.go | 2 +- test/e2e/autoscale_test.go | 2 +- 11 files changed, 177 insertions(+), 15 deletions(-) create mode 100644 pkg/queue/sharedmain/cache.go diff --git a/pkg/queue/sharedmain/cache.go b/pkg/queue/sharedmain/cache.go new file mode 100644 index 000000000000..8f83d3af6cc6 --- /dev/null +++ b/pkg/queue/sharedmain/cache.go @@ -0,0 +1,145 @@ +/* +Copyright 2018 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package sharedmain + +import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/pem" + "fmt" + "os" + "sync" + "time" + + "go.uber.org/zap" + + "knative.dev/control-protocol/pkg/certificates" + netcfg "knative.dev/networking/pkg/config" + "knative.dev/pkg/logging" +) + +type CertCache struct { + logger *zap.SugaredLogger + trustConfig netcfg.Trust + + certificate *tls.Certificate + ServerTLSConf tls.Config + + certificatesMux sync.RWMutex + caCerts []*x509.Certificate + caLastUpdate time.Time +} + +func (cr *CertCache) init() { + cr.ServerTLSConf.MinVersion = tls.VersionTLS12 + cr.ServerTLSConf.ClientCAs = x509.NewCertPool() + cr.ServerTLSConf.GetCertificate = cr.GetCertificate + switch cr.trustConfig { + case netcfg.TrustIdentity, netcfg.TrustMutual: + cr.ServerTLSConf.ClientAuth = tls.RequireAndVerifyClientCert + cr.ServerTLSConf.VerifyConnection = func(cs tls.ConnectionState) error { + if len(cs.PeerCertificates) == 0 { + // Should never happen on a server side + cr.logger.Info("mTLS: Failed to verify client connection. Certificate is missing\n") + return fmt.Errorf("mTLS: Failed to verify client connection. Certificate is missing") + } + for _, match := range cs.PeerCertificates[0].DNSNames { + // Activator currently supports a single routingId which is the default "0" + // Working with other routingId is not yet implemented + if match == certificates.DataPlaneRoutingName("0") { + return nil + } + //Until all ingresses work with updated dataplane certificates - allow also any legacy certificate + if match == certificates.LegacyFakeDnsName { + return nil + } + } + + cr.logger.Info("mTLS: Failed to verify client connection for DNSNames: %v\n", cs.PeerCertificates[0].DNSNames) + return fmt.Errorf("mTLS: Failed to verify client connection for DNSNames: %v", cs.PeerCertificates[0].DNSNames) + } + } +} + +// NewCertCache starts secretInformer. +func NewCertCache(ctx context.Context, trust netcfg.Trust) *CertCache { + cr := &CertCache{ + logger: logging.FromContext(ctx), + trustConfig: trust, + } + cr.init() + + cr.updateCache() + + return cr +} + +func (cr *CertCache) updateCache() { + info, err := os.Stat(caPath) + if err != nil { + cr.logger.Warnw("failed to stat secret ca", zap.Error(err)) + return + } + if cr.caLastUpdate == info.ModTime() { + return + } + cr.logger.Info("Secret reloaded") + + cr.certificatesMux.Lock() + defer cr.certificatesMux.Unlock() + + cr.caLastUpdate = info.ModTime() + + //caPath + caBlock, err := os.ReadFile(caPath) + if err != nil { + cr.logger.Warnw("failed to parse secret ca", zap.Error(err)) + return + } + block, _ := pem.Decode(caBlock) + if block == nil { + cr.logger.Warnw("failed to parse CA") + return + } + ca, err := x509.ParseCertificate(block.Bytes) + if err != nil { + cr.logger.Warnw("failed to parse CA", zap.Error(err)) + return + } + + cert, err := tls.LoadX509KeyPair(certPath, keyPath) + if err != nil { + cr.logger.Warnw("failed to parse secret", zap.Error(err)) + return + } + + cr.certificate = &cert + for _, usedCa := range cr.caCerts { + if usedCa.Equal(ca) { + return + } + } + cr.caCerts = append(cr.caCerts, ca) + cr.ServerTLSConf.ClientCAs.AddCert(ca) +} + +// GetCertificate returns the cached certificates. +func (cr *CertCache) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) { + cr.updateCache() + return cr.certificate, nil +} diff --git a/pkg/queue/sharedmain/main.go b/pkg/queue/sharedmain/main.go index a28d88775e4b..ea1bb0f1d98e 100644 --- a/pkg/queue/sharedmain/main.go +++ b/pkg/queue/sharedmain/main.go @@ -33,6 +33,7 @@ import ( "k8s.io/apimachinery/pkg/types" "knative.dev/control-protocol/pkg/certificates" + netcfg "knative.dev/networking/pkg/config" netstats "knative.dev/networking/pkg/http/stats" pkglogging "knative.dev/pkg/logging" "knative.dev/pkg/logging/logkey" @@ -65,6 +66,9 @@ const ( // keyPath is the path for the server certificate key mounted by queue-proxy. keyPath = queue.CertDirectory + "/" + certificates.PrivateKeyName + // caPath is the path for the server certificate ca mounted by queue-proxy. + caPath = queue.CertDirectory + "/" + certificates.CaCertName + // PodInfoAnnotationsPath is an exported path for the annotations file // This path is used by QP Options (Extensions). PodInfoAnnotationsPath = queue.PodInfoDirectory + "/" + queue.PodInfoAnnotationsFilename @@ -126,6 +130,9 @@ type Env struct { // ServingPodIP is the pod ip address ServingPodIP string `split_words:"true" required:"true"` + + // TrustConfig is the level of Trust used + TrustConfig string `split_words:"true" required:"true"` } // Defaults provides Options (QP Extensions) with the default bahaviour of QP @@ -250,9 +257,11 @@ func Main(opts ...Option) error { "admin": adminServer(":"+strconv.Itoa(networking.QueueAdminPort), adminHandler), } + var certCache *CertCache if tlsEnabled { // Drop admin http server since the admin TLS server is listening on the same port delete(httpServers, "admin") + certCache = NewCertCache(d.Ctx, netcfg.Trust(d.Env.TrustConfig)) } else { tlsServers = map[string]*http.Server{} } @@ -271,9 +280,10 @@ func Main(opts ...Option) error { } for name, server := range tlsServers { go func(name string, s *http.Server) { + s.TLSConfig = &certCache.ServerTLSConf // Don't forward ErrServerClosed as that indicates we're already shutting down. logger.Info("Starting tls server ", name, s.Addr) - if err := s.ListenAndServeTLS(certPath, keyPath); err != nil && !errors.Is(err, http.ErrServerClosed) { + if err := s.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) { errCh <- fmt.Errorf("%s server failed to serve: %w", name, err) } }(name, server) diff --git a/pkg/reconciler/autoscaling/config/store_test.go b/pkg/reconciler/autoscaling/config/store_test.go index 06681f0efd07..6de86bbf9029 100644 --- a/pkg/reconciler/autoscaling/config/store_test.go +++ b/pkg/reconciler/autoscaling/config/store_test.go @@ -66,17 +66,17 @@ func TestStoreImmutableConfig(t *testing.T) { config := store.Load() config.Autoscaler.MaxScaleUpRate = 100.0 config.Deployment.ProgressDeadline = 3 * time.Minute - config.Network.InternalEncryption = true + config.Network.DataplaneTrust = netcfg.TrustMinimal newConfig := store.Load() if newConfig.Autoscaler.MaxScaleUpRate == 100.0 { - t.Error("Autoscaler config is not immuable") + t.Error("Autoscaler config is not immutable") } if newConfig.Deployment.ProgressDeadline == 3*time.Minute { - t.Error("Deployment config is not immuable") + t.Error("Deployment config is not immutable") } - if newConfig.Network.InternalEncryption { - t.Error("Network config is not immuable") + if newConfig.Network.DataplaneTrust != netcfg.TrustDisabled { + t.Error("Network config is not immutable") } } diff --git a/pkg/reconciler/autoscaling/kpa/kpa.go b/pkg/reconciler/autoscaling/kpa/kpa.go index e155aa56b737..013022d2df49 100644 --- a/pkg/reconciler/autoscaling/kpa/kpa.go +++ b/pkg/reconciler/autoscaling/kpa/kpa.go @@ -25,6 +25,7 @@ import ( "go.uber.org/zap" nv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" + netcfg "knative.dev/networking/pkg/config" "knative.dev/pkg/logging" pkgmetrics "knative.dev/pkg/metrics" "knative.dev/pkg/ptr" @@ -128,7 +129,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, pa *autoscalingv1alpha1. // When activator CA is enabled, force activator always in path. // TODO: This is a temporary state and to be fixed. // See also issues/11906 and issues/12797. - case config.FromContext(ctx).Network.InternalEncryption: + case config.FromContext(ctx).Network.DataplaneTrust != netcfg.TrustDisabled: mode = nv1alpha1.SKSOperationModeProxy // If the want == -1 and PA is inactive that implies the autoscaler diff --git a/pkg/reconciler/autoscaling/kpa/kpa_test.go b/pkg/reconciler/autoscaling/kpa/kpa_test.go index 59541f50ff7f..b12a56cb3a6b 100644 --- a/pkg/reconciler/autoscaling/kpa/kpa_test.go +++ b/pkg/reconciler/autoscaling/kpa/kpa_test.go @@ -128,7 +128,7 @@ func initialScaleZeroASConfig() *autoscalerconfig.Config { func activatorCertsNetConfig() *netcfg.Config { nc, _ := netcfg.NewConfigFromMap(map[string]string{ - netcfg.InternalEncryptionKey: "true", + netcfg.DataplaneTrustKey: "minimal", }) return nc } @@ -140,7 +140,7 @@ func defaultConfig() *config.Config { deployment.ProgressDeadlineKey: progressDeadline.String(), }) networkConfig, _ := netcfg.NewConfigFromMap(map[string]string{ - netcfg.InternalEncryptionKey: "false", + netcfg.DataplaneTrustKey: "disabled", }) return &config.Config{ diff --git a/pkg/reconciler/revision/resources/deploy.go b/pkg/reconciler/revision/resources/deploy.go index 8ba95784dc12..e701ab24a5fc 100644 --- a/pkg/reconciler/revision/resources/deploy.go +++ b/pkg/reconciler/revision/resources/deploy.go @@ -23,6 +23,7 @@ import ( "strings" "time" + netcfg "knative.dev/networking/pkg/config" netheader "knative.dev/networking/pkg/http/header" "knative.dev/pkg/kmeta" "knative.dev/pkg/ptr" @@ -193,7 +194,7 @@ func makePodSpec(rev *v1.Revision, cfg *config.Config) (*corev1.PodSpec, error) extraVolumes = append(extraVolumes, *tokenVolume) } - if cfg.Network.InternalEncryption { + if cfg.Network.DataplaneTrust != netcfg.TrustDisabled { queueContainer.VolumeMounts = append(queueContainer.VolumeMounts, varCertVolumeMount) extraVolumes = append(extraVolumes, certVolume(networking.ServingCertName)) } diff --git a/pkg/reconciler/revision/resources/queue.go b/pkg/reconciler/revision/resources/queue.go index 9fe5511ae8da..c6cb905f42ad 100644 --- a/pkg/reconciler/revision/resources/queue.go +++ b/pkg/reconciler/revision/resources/queue.go @@ -310,6 +310,9 @@ func makeQueueContainer(rev *v1.Revision, cfg *config.Config) (*corev1.Container FieldPath: "status.podIP", }, }, + }, { + Name: "TRUST_CONFIG", + Value: string(cfg.Network.DataplaneTrust), }, { Name: "SERVING_LOGGING_CONFIG", Value: cfg.Logging.LoggingConfig, diff --git a/pkg/reconciler/revision/revision.go b/pkg/reconciler/revision/revision.go index 69fa9275807f..c546b668a15e 100644 --- a/pkg/reconciler/revision/revision.go +++ b/pkg/reconciler/revision/revision.go @@ -32,6 +32,7 @@ import ( "k8s.io/client-go/kubernetes" appsv1listers "k8s.io/client-go/listers/apps/v1" cachingclientset "knative.dev/caching/pkg/client/clientset/versioned" + netcfg "knative.dev/networking/pkg/config" clientset "knative.dev/serving/pkg/client/clientset/versioned" revisionreconciler "knative.dev/serving/pkg/client/injection/reconciler/serving/v1/revision" @@ -139,7 +140,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, rev *v1.Revision) pkgrec } // Deploy certificate when internal-encryption is enabled. - if config.FromContext(ctx).Network.InternalEncryption { + if config.FromContext(ctx).Network.DataplaneTrust != netcfg.TrustDisabled { if err := c.reconcileSecret(ctx, rev); err != nil { return err } diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go index 588a37cfeb41..64bb51020887 100644 --- a/pkg/reconciler/route/resources/ingress.go +++ b/pkg/reconciler/route/resources/ingress.go @@ -29,6 +29,7 @@ import ( "knative.dev/networking/pkg/apis/networking" netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" + netcfg "knative.dev/networking/pkg/config" netheader "knative.dev/networking/pkg/http/header" ingress "knative.dev/networking/pkg/ingress" "knative.dev/pkg/kmeta" @@ -149,7 +150,7 @@ func makeIngressSpec( return netv1alpha1.IngressSpec{}, err } rule := makeIngressRule(domains, r.Namespace, - visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.InternalEncryption) + visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.DataplaneTrust != netcfg.TrustDisabled) if featuresConfig.TagHeaderBasedRouting == apicfg.Enabled { if rule.HTTP.Paths[0].AppendHeaders == nil { rule.HTTP.Paths[0].AppendHeaders = make(map[string]string, 1) @@ -171,7 +172,7 @@ func makeIngressSpec( // Since names are sorted `DefaultTarget == ""` is the first one, // so just pass the subslice. rule.HTTP.Paths = append( - makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.InternalEncryption, names[1:]), rule.HTTP.Paths...) + makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.DataplaneTrust != netcfg.TrustDisabled, names[1:]), rule.HTTP.Paths...) } else { // If a request is routed by a tag-attached hostname instead of the tag header, // the request may not have the tag header "Knative-Serving-Tag", diff --git a/pkg/reconciler/route/resources/ingress_test.go b/pkg/reconciler/route/resources/ingress_test.go index 89dd75eac635..2c6c7085b77e 100644 --- a/pkg/reconciler/route/resources/ingress_test.go +++ b/pkg/reconciler/route/resources/ingress_test.go @@ -1427,6 +1427,6 @@ func testContextWithHTTPOption() context.Context { func testContextWithActivatorCA() context.Context { cfg := testConfig() - cfg.Network.InternalEncryption = true + cfg.Network.DataplaneTrust = netcfg.TrustMinimal return config.ToContext(context.Background(), cfg) } diff --git a/test/e2e/autoscale_test.go b/test/e2e/autoscale_test.go index f5ac77059a3e..9b9ddce33a36 100644 --- a/test/e2e/autoscale_test.go +++ b/test/e2e/autoscale_test.go @@ -173,7 +173,7 @@ func TestTargetBurstCapacity(t *testing.T) { if err != nil { t.Fatal("Fail to get ConfigMap config-network:", err) } - if strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") { + if !strings.EqualFold(cm.Data[netcfg.DataplaneTrustKey], netcfg.TrustDisabled) { // TODO: Remove this when https://github.com/knative/serving/issues/12797 was done. t.Skip("Skipping TestTargetBurstCapacity as activator-ca is specified. See issue/12797.") } From 31f8e8377e5c5694d05953b46349e445218e8dc3 Mon Sep 17 00:00:00 2001 From: David Hadas Date: Sun, 4 Jun 2023 15:14:42 +0300 Subject: [PATCH 2/5] fix tests --- pkg/reconciler/revision/resources/deploy_test.go | 4 ++++ pkg/reconciler/revision/resources/queue_test.go | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/pkg/reconciler/revision/resources/deploy_test.go b/pkg/reconciler/revision/resources/deploy_test.go index 6f32ef88d2fe..15be9bdfd763 100644 --- a/pkg/reconciler/revision/resources/deploy_test.go +++ b/pkg/reconciler/revision/resources/deploy_test.go @@ -129,6 +129,10 @@ var ( ValueFrom: &corev1.EnvVarSource{ FieldRef: &corev1.ObjectFieldSelector{FieldPath: "status.podIP"}, }, + }, { + Name: "TRUST_CONFIG", + Value: "disabled", + // No logging configuration }, { Name: "SERVING_LOGGING_CONFIG", // No logging configuration diff --git a/pkg/reconciler/revision/resources/queue_test.go b/pkg/reconciler/revision/resources/queue_test.go index 8c4f33a2721c..be930cd52f60 100644 --- a/pkg/reconciler/revision/resources/queue_test.go +++ b/pkg/reconciler/revision/resources/queue_test.go @@ -998,9 +998,11 @@ func revConfig() *config.Config { Defaults: defaults, Features: &apicfg.Features{}, }, - Deployment: &deploymentConfig, - Logging: &logConfig, - Network: &netcfg.Config{}, + Deployment: &deploymentConfig, + Logging: &logConfig, + Network: &netcfg.Config{ + DataplaneTrust: "disabled", + }, Observability: &obsConfig, Tracing: &traceConfig, } From aa0451e18e357f878138c883e43e71bc3b8ebd35 Mon Sep 17 00:00:00 2001 From: David Hadas Date: Sun, 4 Jun 2023 15:57:56 +0300 Subject: [PATCH 3/5] fix tests --- pkg/reconciler/revision/resources/queue_test.go | 6 +++++- pkg/reconciler/revision/table_test.go | 4 +++- pkg/reconciler/route/resources/service_test.go | 1 + 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/pkg/reconciler/revision/resources/queue_test.go b/pkg/reconciler/revision/resources/queue_test.go index be930cd52f60..617142da1df0 100644 --- a/pkg/reconciler/revision/resources/queue_test.go +++ b/pkg/reconciler/revision/resources/queue_test.go @@ -410,7 +410,10 @@ func TestMakeQueueContainer(t *testing.T) { } } cfg := &config.Config{ - Tracing: &traceConfig, + Tracing: &traceConfig, + Network: &netcfg.Config{ + DataplaneTrust: "disabled", + }, Logging: &test.lc, Observability: &test.oc, Deployment: &test.dc, @@ -929,6 +932,7 @@ var defaultEnv = map[string]string{ "TRACING_CONFIG_DEBUG": "false", "TRACING_CONFIG_SAMPLE_RATE": "0", "TRACING_CONFIG_ZIPKIN_ENDPOINT": "", + "TRUST_CONFIG": "disabled", "USER_PORT": strconv.Itoa(v1.DefaultUserPort), "ROOT_CA": "", } diff --git a/pkg/reconciler/revision/table_test.go b/pkg/reconciler/revision/table_test.go index 026854c90267..c9806d666c5c 100644 --- a/pkg/reconciler/revision/table_test.go +++ b/pkg/reconciler/revision/table_test.go @@ -892,6 +892,8 @@ func reconcilerTestConfig() *config.Config { }, Logging: &logging.Config{}, Tracing: &tracingconfig.Config{}, - Network: &netcfg.Config{}, + Network: &netcfg.Config{ + DataplaneTrust: netcfg.TrustDisabled, + }, } } diff --git a/pkg/reconciler/route/resources/service_test.go b/pkg/reconciler/route/resources/service_test.go index 684b06c7990e..a17e7972bd73 100644 --- a/pkg/reconciler/route/resources/service_test.go +++ b/pkg/reconciler/route/resources/service_test.go @@ -419,6 +419,7 @@ func testConfig() *config.Config { DefaultIngressClass: "test-ingress-class", DomainTemplate: netcfg.DefaultDomainTemplate, TagTemplate: netcfg.DefaultTagTemplate, + DataplaneTrust: netcfg.TrustDisabled, }, Features: &apiConfig.Features{ MultiContainer: apiConfig.Disabled, From 7eabd641bf9e51ed813b1f7f30c123ac8ae0f244 Mon Sep 17 00:00:00 2001 From: David Hadas Date: Sun, 4 Jun 2023 16:08:13 +0300 Subject: [PATCH 4/5] fix tests --- test/e2e/autoscale_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/autoscale_test.go b/test/e2e/autoscale_test.go index 9b9ddce33a36..86c3d133e52a 100644 --- a/test/e2e/autoscale_test.go +++ b/test/e2e/autoscale_test.go @@ -173,7 +173,7 @@ func TestTargetBurstCapacity(t *testing.T) { if err != nil { t.Fatal("Fail to get ConfigMap config-network:", err) } - if !strings.EqualFold(cm.Data[netcfg.DataplaneTrustKey], netcfg.TrustDisabled) { + if !strings.EqualFold(cm.Data[netcfg.DataplaneTrustKey], string(netcfg.TrustDisabled)) { // TODO: Remove this when https://github.com/knative/serving/issues/12797 was done. t.Skip("Skipping TestTargetBurstCapacity as activator-ca is specified. See issue/12797.") } From d8ec34f73483db52c22f60f56017d6751003f427 Mon Sep 17 00:00:00 2001 From: David Hadas Date: Sun, 4 Jun 2023 21:22:50 +0300 Subject: [PATCH 5/5] move changes for deprcated internalEncryption to a seperate PR --- pkg/reconciler/autoscaling/config/store_test.go | 10 +++++----- pkg/reconciler/autoscaling/kpa/kpa.go | 3 +-- pkg/reconciler/autoscaling/kpa/kpa_test.go | 4 ++-- pkg/reconciler/route/resources/ingress.go | 5 ++--- pkg/reconciler/route/resources/ingress_test.go | 2 +- pkg/reconciler/route/resources/service_test.go | 1 - test/e2e/autoscale_test.go | 2 +- 7 files changed, 12 insertions(+), 15 deletions(-) diff --git a/pkg/reconciler/autoscaling/config/store_test.go b/pkg/reconciler/autoscaling/config/store_test.go index 6de86bbf9029..06681f0efd07 100644 --- a/pkg/reconciler/autoscaling/config/store_test.go +++ b/pkg/reconciler/autoscaling/config/store_test.go @@ -66,17 +66,17 @@ func TestStoreImmutableConfig(t *testing.T) { config := store.Load() config.Autoscaler.MaxScaleUpRate = 100.0 config.Deployment.ProgressDeadline = 3 * time.Minute - config.Network.DataplaneTrust = netcfg.TrustMinimal + config.Network.InternalEncryption = true newConfig := store.Load() if newConfig.Autoscaler.MaxScaleUpRate == 100.0 { - t.Error("Autoscaler config is not immutable") + t.Error("Autoscaler config is not immuable") } if newConfig.Deployment.ProgressDeadline == 3*time.Minute { - t.Error("Deployment config is not immutable") + t.Error("Deployment config is not immuable") } - if newConfig.Network.DataplaneTrust != netcfg.TrustDisabled { - t.Error("Network config is not immutable") + if newConfig.Network.InternalEncryption { + t.Error("Network config is not immuable") } } diff --git a/pkg/reconciler/autoscaling/kpa/kpa.go b/pkg/reconciler/autoscaling/kpa/kpa.go index 013022d2df49..e155aa56b737 100644 --- a/pkg/reconciler/autoscaling/kpa/kpa.go +++ b/pkg/reconciler/autoscaling/kpa/kpa.go @@ -25,7 +25,6 @@ import ( "go.uber.org/zap" nv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" - netcfg "knative.dev/networking/pkg/config" "knative.dev/pkg/logging" pkgmetrics "knative.dev/pkg/metrics" "knative.dev/pkg/ptr" @@ -129,7 +128,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, pa *autoscalingv1alpha1. // When activator CA is enabled, force activator always in path. // TODO: This is a temporary state and to be fixed. // See also issues/11906 and issues/12797. - case config.FromContext(ctx).Network.DataplaneTrust != netcfg.TrustDisabled: + case config.FromContext(ctx).Network.InternalEncryption: mode = nv1alpha1.SKSOperationModeProxy // If the want == -1 and PA is inactive that implies the autoscaler diff --git a/pkg/reconciler/autoscaling/kpa/kpa_test.go b/pkg/reconciler/autoscaling/kpa/kpa_test.go index b12a56cb3a6b..59541f50ff7f 100644 --- a/pkg/reconciler/autoscaling/kpa/kpa_test.go +++ b/pkg/reconciler/autoscaling/kpa/kpa_test.go @@ -128,7 +128,7 @@ func initialScaleZeroASConfig() *autoscalerconfig.Config { func activatorCertsNetConfig() *netcfg.Config { nc, _ := netcfg.NewConfigFromMap(map[string]string{ - netcfg.DataplaneTrustKey: "minimal", + netcfg.InternalEncryptionKey: "true", }) return nc } @@ -140,7 +140,7 @@ func defaultConfig() *config.Config { deployment.ProgressDeadlineKey: progressDeadline.String(), }) networkConfig, _ := netcfg.NewConfigFromMap(map[string]string{ - netcfg.DataplaneTrustKey: "disabled", + netcfg.InternalEncryptionKey: "false", }) return &config.Config{ diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go index 64bb51020887..588a37cfeb41 100644 --- a/pkg/reconciler/route/resources/ingress.go +++ b/pkg/reconciler/route/resources/ingress.go @@ -29,7 +29,6 @@ import ( "knative.dev/networking/pkg/apis/networking" netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" - netcfg "knative.dev/networking/pkg/config" netheader "knative.dev/networking/pkg/http/header" ingress "knative.dev/networking/pkg/ingress" "knative.dev/pkg/kmeta" @@ -150,7 +149,7 @@ func makeIngressSpec( return netv1alpha1.IngressSpec{}, err } rule := makeIngressRule(domains, r.Namespace, - visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.DataplaneTrust != netcfg.TrustDisabled) + visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.InternalEncryption) if featuresConfig.TagHeaderBasedRouting == apicfg.Enabled { if rule.HTTP.Paths[0].AppendHeaders == nil { rule.HTTP.Paths[0].AppendHeaders = make(map[string]string, 1) @@ -172,7 +171,7 @@ func makeIngressSpec( // Since names are sorted `DefaultTarget == ""` is the first one, // so just pass the subslice. rule.HTTP.Paths = append( - makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.DataplaneTrust != netcfg.TrustDisabled, names[1:]), rule.HTTP.Paths...) + makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.InternalEncryption, names[1:]), rule.HTTP.Paths...) } else { // If a request is routed by a tag-attached hostname instead of the tag header, // the request may not have the tag header "Knative-Serving-Tag", diff --git a/pkg/reconciler/route/resources/ingress_test.go b/pkg/reconciler/route/resources/ingress_test.go index 2c6c7085b77e..89dd75eac635 100644 --- a/pkg/reconciler/route/resources/ingress_test.go +++ b/pkg/reconciler/route/resources/ingress_test.go @@ -1427,6 +1427,6 @@ func testContextWithHTTPOption() context.Context { func testContextWithActivatorCA() context.Context { cfg := testConfig() - cfg.Network.DataplaneTrust = netcfg.TrustMinimal + cfg.Network.InternalEncryption = true return config.ToContext(context.Background(), cfg) } diff --git a/pkg/reconciler/route/resources/service_test.go b/pkg/reconciler/route/resources/service_test.go index a17e7972bd73..684b06c7990e 100644 --- a/pkg/reconciler/route/resources/service_test.go +++ b/pkg/reconciler/route/resources/service_test.go @@ -419,7 +419,6 @@ func testConfig() *config.Config { DefaultIngressClass: "test-ingress-class", DomainTemplate: netcfg.DefaultDomainTemplate, TagTemplate: netcfg.DefaultTagTemplate, - DataplaneTrust: netcfg.TrustDisabled, }, Features: &apiConfig.Features{ MultiContainer: apiConfig.Disabled, diff --git a/test/e2e/autoscale_test.go b/test/e2e/autoscale_test.go index 86c3d133e52a..f5ac77059a3e 100644 --- a/test/e2e/autoscale_test.go +++ b/test/e2e/autoscale_test.go @@ -173,7 +173,7 @@ func TestTargetBurstCapacity(t *testing.T) { if err != nil { t.Fatal("Fail to get ConfigMap config-network:", err) } - if !strings.EqualFold(cm.Data[netcfg.DataplaneTrustKey], string(netcfg.TrustDisabled)) { + if strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") { // TODO: Remove this when https://github.com/knative/serving/issues/12797 was done. t.Skip("Skipping TestTargetBurstCapacity as activator-ca is specified. See issue/12797.") }