[RELEASE 0.1] Change our configurations to work with Istio 1.0 validation. by tcnghia · Pull Request #1725 · knative/serving

tcnghia · 2018-07-26T22:31:42Z

Istio has tightened several aspects of its validation in 1.0:

They now require tls.mode to be set when we use HTTPS, and
They now require header names to lowercase.

- Set a default TLS mode. - Change header names to lowercase.

tcnghia · 2018-07-27T03:42:00Z

/assign @mattmoor

mattmoor · 2018-07-27T03:55:35Z

/lgtm
/approve

This LGTM, thanks for putting this together to quickly.

google-prow-robot · 2018-07-27T03:55:39Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mattmoor, tcnghia

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [mattmoor]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mattmoor · 2018-07-27T03:56:29Z

/hold

For a second set of eyes (I suspect I will need to merge anyways given the branch ACL)

evankanderson

/lgtm

vaikas · 2018-07-27T16:04:40Z

    hosts:
    - "*"
+    tls:
+      mode: PASSTHROUGH


this seems to mean that SNI is used to route, is it always there?

Docs for this option are scant: https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Server.TLSOptions.TLSmode

I'm also curious how this value was chosen. Is it intended to have the same behavior as before?

grantr

LGTM but I'm also curious about tls mode setting.

grantr · 2018-07-27T16:30:53Z

    hosts:
    - "*"
+    tls:
+      mode: PASSTHROUGH


Docs for this option are scant: https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Server.TLSOptions.TLSmode

I'm also curious how this value was chosen. Is it intended to have the same behavior as before?

tcnghia · 2018-07-27T17:29:20Z

@grantr that is the only mode that doesn't require a SSL cert to be set.

We have instructions to update the cert in knative/docs, but we don't provide any default certs. Once we have some sort of automated process to get cert (like LetsEncrypt) we should change this option here.

I already checked these changes into our master yesterday. We could let that bake for a while before applying this patch to have more surety.

tcnghia · 2018-08-01T00:12:07Z

Istio released their 1.0 so I'd like to check this in and create a 0.1.1

mattmoor · 2018-08-01T04:04:30Z

@tcnghia find me tomorrow, and unless someone speaks up we can merge this.

tcnghia · 2018-08-01T16:02:30Z

/hold cancel

mattmoor · 2018-08-02T01:05:19Z

/retest

knative-prow-robot · 2018-08-03T22:58:50Z

@tcnghia: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-knative-serving-integration-tests	`f31d81b`	link	`/test pull-knative-serving-integration-tests`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Change our configurations to work with Istio 1.0 validation.

f31d81b

- Set a default TLS mode. - Change header names to lowercase.

google-prow-robot requested review from grantr and mattmoor July 26, 2018 22:31

google-prow-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 26, 2018

google-prow-robot assigned mattmoor Jul 27, 2018

mattmoor changed the title ~~Change our configurations to work with Istio 1.0 validation.~~ [RELEASE 0.1] Change our configurations to work with Istio 1.0 validation. Jul 27, 2018

google-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 27, 2018

google-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 27, 2018

google-prow-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 27, 2018

evankanderson reviewed Jul 27, 2018

View reviewed changes

google-prow-robot assigned evankanderson Jul 27, 2018

vaikas reviewed Jul 27, 2018

View reviewed changes

grantr approved these changes Jul 27, 2018

View reviewed changes

google-prow-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 1, 2018

tcnghia mentioned this pull request Aug 1, 2018

Use Istio 1.0.0. #1771

Merged

mattmoor merged commit b6bed97 into knative:release-0.1 Aug 3, 2018

Conversation

tcnghia commented Jul 26, 2018 • edited by mattmoor Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tcnghia commented Jul 27, 2018

Uh oh!

mattmoor commented Jul 27, 2018

Uh oh!

google-prow-robot commented Jul 27, 2018

Uh oh!

mattmoor commented Jul 27, 2018

Uh oh!

evankanderson left a comment

Choose a reason for hiding this comment

Uh oh!

vaikas Jul 27, 2018

Choose a reason for hiding this comment

Uh oh!

grantr Jul 27, 2018

Choose a reason for hiding this comment

Uh oh!

grantr left a comment

Choose a reason for hiding this comment

Uh oh!

grantr Jul 27, 2018

Choose a reason for hiding this comment

Uh oh!

tcnghia commented Jul 27, 2018

Uh oh!

tcnghia commented Aug 1, 2018

Uh oh!

mattmoor commented Aug 1, 2018

Uh oh!

tcnghia commented Aug 1, 2018

Uh oh!

mattmoor commented Aug 2, 2018

Uh oh!

knative-prow-robot commented Aug 3, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

tcnghia commented Jul 26, 2018 •

edited by mattmoor

Loading