Skip to content

Trust DataPlaneUserSAN from Activator to Queue-Proxy#14452

Merged
knative-prow[bot] merged 7 commits into
knative:mainfrom
nak3:fix-14402-main
Oct 17, 2023
Merged

Trust DataPlaneUserSAN from Activator to Queue-Proxy#14452
knative-prow[bot] merged 7 commits into
knative:mainfrom
nak3:fix-14402-main

Conversation

@nak3
Copy link
Copy Markdown
Contributor

@nak3 nak3 commented Sep 27, 2023

Fixes #14402

Proposed Changes

This patch changes activator to trust a new SAN kn-user-<ns> instead of legacy SAN.

Release Note

internal encryption verifies a new SAN `kn-user-<ns>`.

@knative-prow knative-prow Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/API API objects and controllers area/autoscale area/networking labels Sep 27, 2023
@knative-prow knative-prow Bot requested review from jsanin-vmw and skonto September 27, 2023 11:38
@nak3 nak3 mentioned this pull request Sep 27, 2023
Merged
@nak3
Copy link
Copy Markdown
Contributor Author

nak3 commented Sep 27, 2023

/cc @dprotaso @KauzClay @davidhadas @ReToCode

@codecov
Copy link
Copy Markdown

codecov Bot commented Sep 27, 2023
edited
Loading

Codecov Report

Attention: 20 lines in your changes are missing coverage. Please review.

Comparison is base (71085f8) 86.15% compared to head (1187af5) 86.00%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14452      +/-   ##
==========================================
- Coverage   86.15%   86.00%   -0.16%     
==========================================
  Files         196      197       +1     
  Lines       14889    14915      +26     
==========================================
- Hits        12828    12827       -1     
- Misses       1753     1777      +24     
- Partials      308      311       +3
Files Coverage Δ
cmd/activator/main.go 0.00% <0.00%> (ø)
pkg/activator/certificate/tls_context.go 26.92% <26.92%> (ø)

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ReToCode
ReToCode reviewed Oct 2, 2023
View reviewed changes
Comment thread pkg/activator/certificate/tls_context.go Outdated

// dialTLSContext handles verify SAN before calling DialTLSWithBackOff.
func dialTLSContext(ctx context.Context, network, addr string, cr *CertCache) (net.Conn, error) {
cr.certificatesMux.Lock()
Copy link
Copy Markdown
Contributor

@ReToCode ReToCode Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

defer unlock?

Copy link
Copy Markdown
Contributor Author

@nak3 nak3 Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At L#47 it unlocks the certificatesMux.
We can use defer but we just want to lock during the cloning (L#45-46) so unlock at L#47 is enough, I think.

@ReToCode
Copy link
Copy Markdown
Contributor

ReToCode commented Oct 2, 2023

Looks nice, thanks Kenjiro.
Not sure if we should do it breaking here or not: knative/pkg#2842.

@knative-prow knative-prow Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 3, 2023
@nak3 nak3 force-pushed the fix-14402-main branch 2 times, most recently from e24ea72 to 4e61714 Compare October 3, 2023 06:28
@knative-prow knative-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 3, 2023
@dprotaso
Copy link
Copy Markdown
Member

dprotaso commented Oct 16, 2023

knative.dev/pkg upstream changes have landed

@dprotaso
Copy link
Copy Markdown
Member

dprotaso commented Oct 17, 2023

/lgtm
/approve

@knative-prow knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Oct 17, 2023
@knative-prow
Copy link
Copy Markdown

knative-prow Bot commented Oct 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dprotaso dprotaso mentioned this pull request Oct 17, 2023
Closed
@knative-prow knative-prow Bot merged commit 39ee6f7 into knative:main Oct 17, 2023
skonto pushed a commit to skonto/serving that referenced this pull request Oct 17, 2023
@nak3 @skonto
Trust DataPlaneUserSAN from Activator to Queue-Proxy (knative#14452)
accada5 
* Trust DataPlaneUserSAN from Activator to Queue-Proxy

* Fix lint

* Fix plate

* Remove

* Use read lock

* bump pkg

* Use DataPlaneUserSAN instead of DataPlaneUserName
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsanin-vmw jsanin-vmw Awaiting requested review from jsanin-vmw

@skonto skonto Awaiting requested review from skonto

@davidhadas davidhadas Awaiting requested review from davidhadas

@dprotaso dprotaso Awaiting requested review from dprotaso

@KauzClay KauzClay Awaiting requested review from KauzClay

1 more reviewer

@ReToCode ReToCode ReToCode left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@dprotaso dprotaso

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/API API objects and controllers area/autoscale area/networking lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Trust DataPlaneUserSAN from Activator to Queue-Proxy

3 participants

@nak3 @ReToCode @dprotaso