diff --git a/openshift/release/artifacts/2-serving-core.yaml b/openshift/release/artifacts/2-serving-core.yaml
index 12cac6d40adc..0bd375e6035f 100644
--- a/openshift/release/artifacts/2-serving-core.yaml
+++ b/openshift/release/artifacts/2-serving-core.yaml
@@ -4440,6 +4440,39 @@ data:
 loglevel.net-istio-controller: "info"
 loglevel.net-contour-controller: "info"
+---
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ # Do not drop -ctrl-ca suffix as control-protocol requires it.
+ # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+ name: serving-certs-ctrl-ca
+ namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: knative-serving-certs
+ namespace: knative-serving
+ labels:
+ serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.
+
 ---
 # Copyright 2018 The Knative Authors
 #
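Review bot: The two added Secret objects carry no `data`, and the only explanation, `# The data is populated when internal-encryption is enabled.`, does not say which component writes them; the link above `serving-certs-ctrl-ca` points at the control-protocol certificates reconciler, so presumably that is the writer, and naming it saves the next reader a trip: `# Populated by the control-protocol certificates reconciler once internal-encryption is "true"; no key material belongs in this manifest.` Since this manifest is re-applied by whatever installs the release, it is worth confirming that applying the empty declaration over an already-populated Secret does not strip the generated certificate data (that depends on the applier and is not visible here). If `serving-certs-ctrl-ca` ends up holding the CA private key, access to it should be narrower than to `knative-serving-certs`, which is the one labelled for the data plane. The same two objects are added in the knative-serving-ci.yaml hunk at 3486 and in the embedded 004-internal-tls.patch.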
@@ -4616,53 +4649,15 @@ data:
 # Knative doesn't know about that otherwise.
 default-external-scheme: "http"
- # The CA public certificate used to sign the activator TLS certificate.
- # It is specified by the secret name, which has the "ca.crt" data field.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- activator-ca: ""
-
- # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
- # It must be set when "activator-ca" is specified.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- activator-san: ""
-
- # The server certificates to serve the TLS traffic from ingress to activator.
- # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- activator-cert-secret: ""
-
- # The CA public certificate used to sign the queue-proxy TLS certificate.
- # It is specified by the secret name, which has the "ca.crt" data field.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- queue-proxy-ca: ""
-
- # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
- # It must be set when "queue-proxy-ca" is specified.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- queue-proxy-san: ""
-
- # The server certificates to serve the TLS traffic from activator to queue-proxy.
- # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
- # Use an empty value to disable the feature (default).
+ # internal-encryption indicates whether internal traffic is encrypted or not.
+ # If this is "true", the following traffic are encrypted:
+ # - ingress to activator
+ # - ingress to queue-proxy
+ # - activator to queue-proxy
 #
 # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
 # for now. Use with caution.
- queue-proxy-cert-secret: ""
+ internal-encryption: "false"
 ---
 # Copyright 2018 The Knative Authors
diff --git a/openshift/release/download_release_artifacts.sh b/openshift/release/download_release_artifacts.sh
index 3b24bd11c5a0..f846eb05804b 100755
--- a/openshift/release/download_release_artifacts.sh
+++ b/openshift/release/download_release_artifacts.sh
@@ -50,3 +50,6 @@ git apply "${manifest_path}/002-openshift-serving-role.patch"
 # TODO: Remove this once upstream fixed https://github.com/knative/operator/issues/376.
 # See also https://issues.redhat.com/browse/SRVKS-670.
 git apply "${manifest_path}/003-serving-pdb.patch"
+
+# Add internal-tls patch. The backport will conflict with the downloaded manifest.
+git apply "${manifest_path}/004-internal-tls.patch"
diff --git a/openshift/release/knative-serving-ci.yaml b/openshift/release/knative-serving-ci.yaml
index 57cba3f035c2..e8c87f6e9318 100644
--- a/openshift/release/knative-serving-ci.yaml
+++ b/openshift/release/knative-serving-ci.yaml
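Review bot: The `_example` block of this config-network ConfigMap changes here, but no hunk in this file touches the `knative.dev/example-checksum` annotation, whereas the knative-serving-ci.yaml hunk at 4463 bumps it to `"73d96d1b"` for the same edit; Knative's ConfigMap webhook checks that annotation against the `_example` text, so a stale value here is likely to make the ConfigMap fail validation on apply. If the two `_example` blocks are byte-identical the same `"73d96d1b"` applies, and the embedded 004-internal-tls.patch needs the matching hunk as well, since it is what regenerates this file. Separately, the new comment reads `the following traffic are encrypted`; `the following traffic is encrypted` (the knative-serving-ci.yaml hunk at 4614 and the patch copy carry the same wording). The enclosing `_example` block scalar starts before this hunk.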
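Review bot: The new `git apply` line has no removal condition, unlike the 003 patch just above, whose TODO names the upstream issue it waits on; `The backport will conflict with the downloaded manifest` says why a patch is used but not when it can go. I would write `# Apply the internal-TLS backport as a patch; cherry-picking it conflicts with the downloaded manifest.` followed by `# TODO: Remove once the downloaded release ships internal-encryption upstream.` Because the patch pins hunk offsets and index hashes of one specific manifest, a later download will make the apply fail rather than drift silently, which is the failure mode you want, provided the script runs under `set -e` (its header is outside the hunk).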
@@ -3486,6 +3486,38 @@ spec:
 description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix}
 type: string
 ---
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ # Do not drop -ctrl-ca suffix as control-protocol requires it.
+ # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+ name: serving-certs-ctrl-ca
+ namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: knative-serving-certs
+ namespace: knative-serving
+ labels:
+ serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.
+---
 # Copyright 2018 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -4463,7 +4495,7 @@ metadata:
 app.kubernetes.io/component: networking
 app.kubernetes.io/version: "v1.2.0"
 annotations:
- knative.dev/example-checksum: "d0b91f80"
+ knative.dev/example-checksum: "73d96d1b"
 data:
 _example: |
 ################################
@@ -4614,53 +4646,15 @@ data:
 # Knative doesn't know about that otherwise.
 default-external-scheme: "http"
- # The CA public certificate used to sign the activator TLS certificate.
- # It is specified by the secret name, which has the "ca.crt" data field.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- activator-ca: ""
-
- # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
- # It must be set when "activator-ca" is specified.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- activator-san: ""
-
- # The server certificates to serve the TLS traffic from ingress to activator.
- # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- activator-cert-secret: ""
-
- # The CA public certificate used to sign the queue-proxy TLS certificate.
- # It is specified by the secret name, which has the "ca.crt" data field.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- queue-proxy-ca: ""
-
- # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
- # It must be set when "queue-proxy-ca" is specified.
- # Use an empty value to disable the feature (default).
- #
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- queue-proxy-san: ""
-
- # The server certificates to serve the TLS traffic from activator to queue-proxy.
- # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
- # Use an empty value to disable the feature (default).
+ # internal-encryption indicates whether internal traffic is encrypted or not.
+ # If this is "true", the following traffic are encrypted:
+ # - ingress to activator
+ # - ingress to queue-proxy
+ # - activator to queue-proxy
 #
 # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
 # for now. Use with caution.
- queue-proxy-cert-secret: ""
+ internal-encryption: "false"
 ---
 # Copyright 2018 The Knative Authors
 #
diff --git a/openshift/release/manifest-patches/004-internal-tls.patch b/openshift/release/manifest-patches/004-internal-tls.patch
new file mode 100644
index 000000000000..fb2ee25eaa8d
--- /dev/null
+++ b/openshift/release/manifest-patches/004-internal-tls.patch
@@ -0,0 +1,104 @@
+diff --git a/openshift/release/artifacts/2-serving-core.yaml b/openshift/release/artifacts/2-serving-core.yaml
+index 12cac6d40..0bd375e60 100644
+--- a/openshift/release/artifacts/2-serving-core.yaml
++++ b/openshift/release/artifacts/2-serving-core.yaml
+@@ -4440,6 +4440,39 @@ data:
+ loglevel.net-istio-controller: "info"
+ loglevel.net-contour-controller: "info"
+
++---
++# Copyright 2022 The Knative Authors
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# https://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++apiVersion: v1
++kind: Secret
++metadata:
++ # Do not drop -ctrl-ca suffix as control-protocol requires it.
++ # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
++ name: serving-certs-ctrl-ca
++ namespace: knative-serving
++# The data is populated when internal-encryption is enabled.
++---
++apiVersion: v1
++kind: Secret
++metadata:
++ name: knative-serving-certs
++ namespace: knative-serving
++ labels:
++ serving-certs-ctrl: "data-plane"
++# The data is populated when internal-encryption is enabled.
++
+ ---
+ # Copyright 2018 The Knative Authors
+ #
+@@ -4616,53 +4649,15 @@ data:
+ # Knative doesn't know about that otherwise.
+ default-external-scheme: "http"
+
+- # The CA public certificate used to sign the activator TLS certificate.
+- # It is specified by the secret name, which has the "ca.crt" data field.
+- # Use an empty value to disable the feature (default).
+- #
+- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+- # for now. Use with caution.
+- activator-ca: ""
+-
+- # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+- # It must be set when "activator-ca" is specified.
+- # Use an empty value to disable the feature (default).
+- #
+- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+- # for now. Use with caution.
+- activator-san: ""
+-
+- # The server certificates to serve the TLS traffic from ingress to activator.
+- # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+- # Use an empty value to disable the feature (default).
+- #
+- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+- # for now. Use with caution.
+- activator-cert-secret: ""
+-
+- # The CA public certificate used to sign the queue-proxy TLS certificate.
+- # It is specified by the secret name, which has the "ca.crt" data field.
+- # Use an empty value to disable the feature (default).
+- #
+- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+- # for now. Use with caution.
+- queue-proxy-ca: ""
+-
+- # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+- # It must be set when "queue-proxy-ca" is specified.
+- # Use an empty value to disable the feature (default).
+- #
+- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+- # for now. Use with caution.
+- queue-proxy-san: ""
+-
+- # The server certificates to serve the TLS traffic from activator to queue-proxy.
+- # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+- # Use an empty value to disable the feature (default).
++ # internal-encryption indicates whether internal traffic is encrypted or not.
++ # If this is "true", the following traffic are encrypted:
++ # - ingress to activator
++ # - ingress to queue-proxy
++ # - activator to queue-proxy
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+- queue-proxy-cert-secret: ""
++ internal-encryption: "false"
+
+ ---
+ # Copyright 2018 The Knative Authors