From bc7c9d18736e6a72686d67b4a4725b257f2833d0 Mon Sep 17 00:00:00 2001 From: Clay Kauzlaric Date: Tue, 3 Oct 2023 01:22:52 -0400 Subject: [PATCH] use new encryption flags from https://github.com/knative/networking/pull/858 (#958) * use new internal TLS names * update deps --- go.mod | 2 +- go.sum | 4 +- pkg/reconciler/contour/contour.go | 5 +- pkg/reconciler/contour/contour_test.go | 2 +- pkg/reconciler/contour/resources/httpproxy.go | 2 +- .../contour/resources/httpproxy_test.go | 2 +- .../networking/config/config-network.yaml | 77 +++++----- .../apis/networking/metadata_validation.go | 1 + .../pkg/apis/networking/register.go | 21 ++- .../networking/pkg/certificates/constants.go | 44 +++--- .../networking/pkg/config/config.go | 143 +++++++++--------- vendor/modules.txt | 2 +- 12 files changed, 161 insertions(+), 144 deletions(-) diff --git a/go.mod b/go.mod index 1930fa143..3d52fe87e 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( k8s.io/apimachinery v0.27.1 k8s.io/client-go v0.26.5 knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 - knative.dev/networking v0.0.0-20230926123909-c382f81bd011 + knative.dev/networking v0.0.0-20231002132535-463dc388389e knative.dev/pkg v0.0.0-20230926133247-0f52db700d63 sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index e47c78d2c..bac5f956c 100644 --- a/go.sum +++ b/go.sum @@ -705,8 +705,8 @@ k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPB k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 h1:e6r9J1YopzSh6tDCpyKhVBfRUlZ2r0KRo9wupRjdRF4= knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/networking v0.0.0-20230926123909-c382f81bd011 h1:FUbAMo0hVK49wJcUTEJfyMQhPCOwoKBEpphCeHrpAiE= -knative.dev/networking v0.0.0-20230926123909-c382f81bd011/go.mod h1:q3caOSuP1eAzp6Aef8iPcbjnoufxxopv3yeOPOB1yrc= +knative.dev/networking v0.0.0-20231002132535-463dc388389e h1:IifOH0ZKyU+QtY97+GUoopC+vyFMlee6cOw+wxK7cxc= +knative.dev/networking v0.0.0-20231002132535-463dc388389e/go.mod h1:U9yqeTf2NtTY5aexYLbE4LAoIt/FAsnoERbnejJKlgI= knative.dev/pkg v0.0.0-20230926133247-0f52db700d63 h1:L0O5LRuKFkdwuR+MrDLGjrXgaQv9+7xse+kC7EboshI= knative.dev/pkg v0.0.0-20230926133247-0f52db700d63/go.mod h1:NzXHwtuwTWXyMD1KbL2ONwLk8cLROLYTtujCTTG7xQs= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/pkg/reconciler/contour/contour.go b/pkg/reconciler/contour/contour.go index 8b37dbbf7..112e29b2b 100644 --- a/pkg/reconciler/contour/contour.go +++ b/pkg/reconciler/contour/contour.go @@ -40,7 +40,6 @@ import ( "knative.dev/net-contour/pkg/reconciler/contour/resources/names" "knative.dev/networking/pkg/apis/networking" "knative.dev/networking/pkg/apis/networking/v1alpha1" - netcfg "knative.dev/networking/pkg/config" "knative.dev/networking/pkg/status" "knative.dev/pkg/kmp" "knative.dev/pkg/logging" @@ -190,14 +189,14 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, ing *v1alpha1.Ingress) r for _, port := range svc.Spec.Ports { if port.Name == networking.ServicePortNameH2C { - if cfg.Network != nil && (cfg.Network.DataplaneTrust != netcfg.TrustDisabled) { + if cfg.Network != nil && cfg.Network.SystemInternalTLSEnabled() { serviceToProtocol[name] = resources.InternalEncryptionH2Protocol logger.Debugf("marked an http2 svc %s as h2 for internal encryption", name) } else { serviceToProtocol[name] = "h2c" } break - } else if cfg.Network != nil && (cfg.Network.DataplaneTrust != netcfg.TrustDisabled) { + } else if cfg.Network != nil && cfg.Network.SystemInternalTLSEnabled() { serviceToProtocol[name] = resources.InternalEncryptionProtocol logger.Debugf("marked a svc %s as tls for internal encryption", name) break diff --git a/pkg/reconciler/contour/contour_test.go b/pkg/reconciler/contour/contour_test.go index a18b328e3..f9febb767 100644 --- a/pkg/reconciler/contour/contour_test.go +++ b/pkg/reconciler/contour/contour_test.go @@ -723,7 +723,7 @@ var ( Network: &netconfig.Config{ // Right now, any trust configuration which is not Disabled should be equivalent to what we used to have as "internal-encryption=enabled" // TODO: Expand test coverage when more trust states are implemented - DataplaneTrust: netconfig.TrustMinimal, + SystemInternalTLS: netconfig.EncryptionEnabled, }, } ) diff --git a/pkg/reconciler/contour/resources/httpproxy.go b/pkg/reconciler/contour/resources/httpproxy.go index e18d5a2e4..cdd20475f 100644 --- a/pkg/reconciler/contour/resources/httpproxy.go +++ b/pkg/reconciler/contour/resources/httpproxy.go @@ -207,7 +207,7 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc } } - if cfg.Network != nil && (cfg.Network.DataplaneTrust != netcfg.TrustDisabled) { + if cfg.Network != nil && cfg.Network.SystemInternalTLSEnabled() { svc.UpstreamValidation = &v1.UpstreamValidation{ CACertificate: fmt.Sprintf("%s/%s", system.Namespace(), netcfg.ServingRoutingCertName), SubjectName: certificates.LegacyFakeDnsName, diff --git a/pkg/reconciler/contour/resources/httpproxy_test.go b/pkg/reconciler/contour/resources/httpproxy_test.go index 7289cbd96..c18581d82 100644 --- a/pkg/reconciler/contour/resources/httpproxy_test.go +++ b/pkg/reconciler/contour/resources/httpproxy_test.go @@ -2367,7 +2367,7 @@ func TestMakeProxiesInternalEncryption(t *testing.T) { Network: &netcfg.Config{ // Right now, any trust configuration which is not Disabled should be equivalent to what we used to have as "internal-encryption=enabled" // TODO: Expand test coverage when more trust states are implemented - DataplaneTrust: netcfg.TrustMinimal, + SystemInternalTLS: netcfg.EncryptionEnabled, }, } diff --git a/vendor/knative.dev/networking/config/config-network.yaml b/vendor/knative.dev/networking/config/config-network.yaml index 8f3a73998..132418014 100644 --- a/vendor/knative.dev/networking/config/config-network.yaml +++ b/vendor/knative.dev/networking/config/config-network.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: networking app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "cfad3b9a" + knative.dev/example-checksum: "b2698fe8" data: _example: | ################################ @@ -73,7 +73,7 @@ data: # namespace-wildcard-cert-selector: {} # # Useful labels include the "kubernetes.io/metadata.name" label to - # avoid provisioning a certifcate for the "kube-system" namespaces. + # avoid provisioning a certificate for the "kube-system" namespaces. # Use the following selector to match pre-1.0 behavior of using # "networking.knative.dev/disableWildcardCert" to exclude namespaces: # @@ -114,16 +114,45 @@ data: # domain-template above to determine the full URL for the tag. tag-template: "{{.Tag}}-{{.Name}}" - # Controls whether TLS certificates are automatically provisioned and - # installed in the Knative ingress to terminate external TLS connection. - # 1. Enabled: enabling auto-TLS feature. - # 2. Disabled: disabling auto-TLS feature. + # auto-tls is deprecated and replaced by external-domain-tls auto-tls: "Disabled" + # Controls whether TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate TLS connections + # for cluster external domains (like: app.example.com) + # - Enabled: enables the TLS certificate provisioning feature for cluster external domains. + # - Disabled: disables the TLS certificate provisioning feature for cluster external domains. + external-domain-tls: "Disabled" + + # Controls weather TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate TLS connections + # for cluster local domains (like: app.namespace.svc.cluster.local) + # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains. + # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains. + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + cluster-local-domain-tls: "Disabled" + + # internal-encryption is deprecated and replaced by system-internal-tls + internal-encryption: "false" + + # system-internal-tls controls weather TLS encryption is used for connections between + # the internal components of Knative: + # - ingress to activator + # - ingress to queue-proxy + # - activator to queue-proxy + # + # Possible values for this flag are: + # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains. + # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains. + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + system-internal-tls: "Disabled" + # Controls the behavior of the HTTP endpoint for the Knative ingress. # It requires auto-tls to be enabled. - # 1. Enabled: The Knative ingress will be able to serve HTTP connection. - # 2. Redirected: The Knative ingress will send a 301 redirect for all + # - Enabled: The Knative ingress will be able to serve HTTP connection. + # - Redirected: The Knative ingress will send a 301 redirect for all # http connections, asking the clients to use HTTPS. # # "Disabled" option is deprecated. @@ -172,35 +201,3 @@ data: # fronting Knative with an external loadbalancer that deals with TLS termination and # Knative doesn't know about that otherwise. default-external-scheme: "http" - - # internal-encryption is deprecated and replaced by dataplane-trust and controlplane-trust - # internal-encryption indicates whether internal traffic is encrypted or not. - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - internal-encryption: "false" - - # dataplane-trust indicates the level of trust established in the knative data-plane. - # dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic - # Using any other value ensures that the following traffic is encrypted using TLS: - # - ingress to activator - # - ingress to queue-proxy - # - activator to queue-proxy - # - # dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc - # dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace - # dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress - # dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution. - dataplane-trust: "disabled" - - # controlplane-trust indicates the level of trust established in the knative control-plane. - # controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic - # Using any other value ensures that control traffic is encrypted using TLS. - # - # controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server) - # controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other) - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution. - controlplane-trust: "disabled" diff --git a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go index 85f69717f..fbd6c155f 100644 --- a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go +++ b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go @@ -29,6 +29,7 @@ var ( IngressClassAnnotationKey, CertificateClassAnnotationKey, DisableAutoTLSAnnotationKey, + DisableExternalDomainTLSAnnotationKey, HTTPOptionAnnotationKey, IngressClassAnnotationAltKey, diff --git a/vendor/knative.dev/networking/pkg/apis/networking/register.go b/vendor/knative.dev/networking/pkg/apis/networking/register.go index f7bdd81d7..e88e9b5c0 100644 --- a/vendor/knative.dev/networking/pkg/apis/networking/register.go +++ b/vendor/knative.dev/networking/pkg/apis/networking/register.go @@ -70,11 +70,17 @@ const ( // DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping // to indicate that AutoTLS should not be enabled for it. + // Deprecated: use DisableExternalDomainTLSAnnotationKey instead. DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS" // DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey + // Deprecated: use DisableExternalDomainTLSAnnotationKey instead. DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls" + // DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping + // to indicate that external-domain-tls should not be enabled for it. + DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls" + // HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping // to indicate the HTTP option of it. HTTPOptionAnnotationKey = PublicGroupName + "/httpOption" @@ -130,9 +136,15 @@ var ( CertificateClassAnnotationAltKey, } - DisableAutoTLSAnnotation = kmap.KeyPriority{ + // Deprecated: use DisableExternalDomainTLSAnnotation instead. + DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation + + DisableExternalDomainTLSAnnotation = kmap.KeyPriority{ + // backward compatibility DisableAutoTLSAnnotationKey, DisableAutoTLSAnnotationAltKey, + + DisableExternalDomainTLSAnnotationKey, } HTTPProtocolAnnotation = kmap.KeyPriority{ @@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) { return HTTPProtocolAnnotation.Value(annotations) } -func GetDisableAutoTLS(annotations map[string]string) (val string) { - return DisableAutoTLSAnnotation.Value(annotations) +// Deprecated: use GetDisableExternalDomainTLS instead. +var GetDisableAutoTLS = GetDisableExternalDomainTLS + +func GetDisableExternalDomainTLS(annotations map[string]string) (val string) { + return DisableExternalDomainTLSAnnotation.Value(annotations) } diff --git a/vendor/knative.dev/networking/pkg/certificates/constants.go b/vendor/knative.dev/networking/pkg/certificates/constants.go index 04a1d7747..195e269c1 100644 --- a/vendor/knative.dev/networking/pkg/certificates/constants.go +++ b/vendor/knative.dev/networking/pkg/certificates/constants.go @@ -20,41 +20,39 @@ import "strings" const ( Organization = "knative.dev" - //nolint:all + + // nolint:all LegacyFakeDnsName = "data-plane." + Organization - //nolint:all - // Deprecated: FakeDnsName is deprecated. Please use the DataPlaneRoutingName or DataPlaneUserName function. - FakeDnsName = LegacyFakeDnsName - dataPlaneUserPrefix = "kn-user-" - dataPlaneRoutingPrefix = "kn-routing-" - ControlPlaneName = "kn-control" - - //These keys are meant to line up with cert-manager, see - //https://cert-manager.io/docs/usage/certificate/#additional-certificate-output-formats + + // nolint:all + // Deprecated: FakeDnsName is deprecated. + // Please use the DataPlaneRoutingSAN for calls to the Activator + // and the DataPlaneUserSAN function for calls to a Knative-Service via Queue-Proxy. + FakeDnsName = LegacyFakeDnsName + + dataPlaneUserPrefix = "kn-user-" + DataPlaneRoutingSAN = "kn-routing" + + // These keys are meant to line up with cert-manager, see + // https://cert-manager.io/docs/usage/certificate/#additional-certificate-output-formats CaCertName = "ca.crt" CertName = "tls.crt" PrivateKeyName = "tls.key" - //These should be able to be deprecated some time in the future when the new names are fully adopted + // These should be able to be deprecated some time in the future when the new names are fully adopted // #nosec + // Deprecated: please use CaCertName instead. SecretCaCertKey = "ca-cert.pem" // #nosec + // Deprecated: please use CertName instead. SecretCertKey = "public-cert.pem" // #nosec + // Deprecated: please use PrivateKeyName instead. SecretPKKey = "private-key.pem" ) -// DataPlaneRoutingName constructs a san for a data-plane-routing certificate -// Accepts a routingId - a unique identifier used as part of the san (default is "0" used when an empty routingId is provided) -func DataPlaneRoutingName(routingID string) string { - if routingID == "" { - routingID = "0" - } - return dataPlaneRoutingPrefix + strings.ToLower(routingID) -} - -// DataPlaneUserName constructs a san for a data-plane-user certificate -// Accepts a namespace - the namespace for which the certificate was created -func DataPlaneUserName(namespace string) string { +// DataPlaneUserSAN constructs a SAN for a data-plane-user certificate in the +// target namespace of a Knative Service. +func DataPlaneUserSAN(namespace string) string { return dataPlaneUserPrefix + strings.ToLower(namespace) } diff --git a/vendor/knative.dev/networking/pkg/config/config.go b/vendor/knative.dev/networking/pkg/config/config.go index f27c7865e..028937067 100644 --- a/vendor/knative.dev/networking/pkg/config/config.go +++ b/vendor/knative.dev/networking/pkg/config/config.go @@ -70,17 +70,12 @@ const ( // ServingInternalCertName is the name of secret contains certificates in serving // system namespace. // - // Deprecated: ServingInternalCertName is deprecated. - // (use ServingControlCertName or ServingRoutingCertName instead) + // Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead. ServingInternalCertName = "knative-serving-certs" // ServingRoutingCertName is the name of secret contains certificates for Routing data in serving // system namespace. (Used by Ingress GWs and Activator) ServingRoutingCertName = "routing-serving-certs" - - // ServingControlCertName is the name of secret contains certificates for Control data in serving - // system namespace. (Used by Autoscaler and Ingress control for example) - ServingControlCertName = "control-serving-certs" ) // Config Keys @@ -92,8 +87,17 @@ const ( // AutoTLSKey is the name of the configuration entry // that specifies enabling auto-TLS or not. + // Deprecated: please use ExternalDomainTLSKey. AutoTLSKey = "auto-tls" + // ExternalDomainTLSKey is the name of the configuration entry + // that specifies if external-domain-tls is enabled or not. + ExternalDomainTLSKey = "external-domain-tls" + + // ClusterLocalDomainTLSKey is the name of the configuration entry + // that specifies if cluster-local-domain-tls is enabled or not. + ClusterLocalDomainTLSKey = "cluster-local-domain-tls" + // DefaultCertificateClassKey is the name of the configuration entry // that specifies the default Certificate. DefaultCertificateClassKey = "certificate-class" @@ -134,39 +138,26 @@ const ( // hostname for a Route's tag. TagTemplateKey = "tag-template" - // InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey. // InternalEncryptionKey is the name of the configuration whether // internal traffic is encrypted or not. + // Deprecated: please use SystemInternalTLSKey. InternalEncryptionKey = "internal-encryption" - // DataplaneTrustKey is the name of the configuration entry - // defining the level of trust used for data plane traffic. - DataplaneTrustKey = "dataplane-trust" - - // ControlplaneTrustKey is the name of the configuration entry - // defining the level of trust used for control plane traffic. - ControlplaneTrustKey = "controlplane-trust" + // SystemInternalTLSKey is the name of the configuration whether + // traffic between Knative system components is encrypted or not. + SystemInternalTLSKey = "system-internal-tls" ) -// HTTPProtocol indicates a type of HTTP endpoint behavior -// that Knative ingress could take. -type Trust string +// EncryptionConfig indicates the encryption configuration +// used for TLS connections. +type EncryptionConfig string const ( - // TrustDisabled - TLS not used - TrustDisabled Trust = "disabled" - - // TrustMinimal - TLS used. We verify that the server is using Knative certificates - TrustMinimal Trust = "minimal" + // EncryptionDisabled - TLS not used. + EncryptionDisabled EncryptionConfig = "disabled" - // TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace - TrustEnabled Trust = "enabled" - - // TrustMutual - same as TrustEnabled and we also verify the identity of the client. - TrustMutual Trust = "mutual" - - // TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message. - TrustIdentity Trust = "identity" + // EncryptionEnabled - TLS used. The client verifies the servers certificate. + EncryptionEnabled EncryptionConfig = "enabled" ) // HTTPProtocol indicates a type of HTTP endpoint behavior @@ -244,8 +235,12 @@ type Config struct { TagTemplate string // AutoTLS specifies if auto-TLS is enabled or not. + // Deprecated: please use ExternalDomainTLS instead. AutoTLS bool + // ExternalDomainTLS specifies if external-domain-tls is enabled or not. + ExternalDomainTLS bool + // HTTPProtocol specifics the behavior of HTTP endpoint of Knative // ingress. HTTPProtocol HTTPProtocol @@ -293,15 +288,15 @@ type Config struct { // not enabled. Defaults to "http". DefaultExternalScheme string - // Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust // InternalEncryption specifies whether internal traffic is encrypted or not. + // Deprecated: please use SystemInternalTLSKey instead. InternalEncryption bool - // DataplaneTrust specifies the level of trust used for date plane. - DataplaneTrust Trust + // SystemInternalTLS specifies whether knative internal traffic is encrypted or not. + SystemInternalTLS EncryptionConfig - // ControlplaneTrust specifies the level of trust used for control plane. - ControlplaneTrust Trust + // ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not. + ClusterLocalDomainTLS EncryptionConfig } func defaultConfig() *Config { @@ -311,14 +306,15 @@ func defaultConfig() *Config { DomainTemplate: DefaultDomainTemplate, TagTemplate: DefaultTagTemplate, AutoTLS: false, + ExternalDomainTLS: false, NamespaceWildcardCertSelector: nil, HTTPProtocol: HTTPEnabled, AutocreateClusterDomainClaims: false, DefaultExternalScheme: "http", MeshCompatibilityMode: MeshCompatibilityModeAuto, InternalEncryption: false, - DataplaneTrust: TrustDisabled, - ControlplaneTrust: TrustDisabled, + SystemInternalTLS: EncryptionDisabled, + ClusterLocalDomainTLS: EncryptionDisabled, } } @@ -383,12 +379,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { } templateCache.Add(nc.TagTemplate, t) + // external-domain-tls and auto-tls if val, ok := data["autoTLS"]; ok { nc.AutoTLS = strings.EqualFold(val, "enabled") } if val, ok := data[AutoTLSKey]; ok { nc.AutoTLS = strings.EqualFold(val, "enabled") } + if val, ok := data[ExternalDomainTLSKey]; ok { + nc.ExternalDomainTLS = strings.EqualFold(val, "enabled") + + // The new key takes precedence, but we support compatibility + // for code that has not updated to the new field yet. + nc.AutoTLS = nc.ExternalDomainTLS + } else { + // backward compatibility: if the new key is not set, use the value from the old key + nc.ExternalDomainTLS = nc.AutoTLS + } var httpProtocol string if val, ok := data["httpProtocol"]; ok { @@ -410,52 +417,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey]) } - switch strings.ToLower(data[DataplaneTrustKey]) { - case "", string(TrustDisabled): - // If DataplaneTrus is not set in the config-network, default is already - // set to TrustDisabled. + switch strings.ToLower(data[SystemInternalTLSKey]) { + case "", string(EncryptionDisabled): + // If SystemInternalTLSKey is not set in the config-network, default is already + // set to EncryptionDisabled. if nc.InternalEncryption { // Backward compatibility - nc.DataplaneTrust = TrustMinimal + nc.SystemInternalTLS = EncryptionEnabled } - case string(TrustMinimal): - nc.DataplaneTrust = TrustMinimal - case string(TrustEnabled): - nc.DataplaneTrust = TrustEnabled - case string(TrustMutual): - nc.DataplaneTrust = TrustMutual - case string(TrustIdentity): - nc.DataplaneTrust = TrustIdentity + case string(EncryptionEnabled): + nc.SystemInternalTLS = EncryptionEnabled + + // The new key takes precedence, but we support compatibility + // for code that has not updated to the new field yet. + nc.InternalEncryption = true default: - return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey]) + return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported", + SystemInternalTLSKey, data[SystemInternalTLSKey]) } - switch strings.ToLower(data[ControlplaneTrustKey]) { - case "", string(TrustDisabled): - // If ControlplaneTrust is not set in the config-network, default is already - // set to TrustDisabled. - case string(TrustEnabled): - nc.ControlplaneTrust = TrustEnabled - case string(TrustMutual): - nc.ControlplaneTrust = TrustMutual + switch strings.ToLower(data[ClusterLocalDomainTLSKey]) { + case "", string(EncryptionDisabled): + // If ClusterLocalDomainTLSKey is not set in the config-network, default is already + // set to EncryptionDisabled. + case string(EncryptionEnabled): + nc.ClusterLocalDomainTLS = EncryptionEnabled default: - return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey]) + return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported", + ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey]) } return nc, nil } -// InternalTLSEnabled returns whether or not InternalEncyrption is enabled. -// Currently only DataplaneTrust is considered. +// InternalTLSEnabled returns whether InternalEncryption is enabled or not. +// Deprecated: please use SystemInternalTLSEnabled() func (c *Config) InternalTLSEnabled() bool { - return tlsEnabled(c.DataplaneTrust) + return tlsEnabled(c.SystemInternalTLS) +} + +// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not. +func (c *Config) SystemInternalTLSEnabled() bool { + return tlsEnabled(c.SystemInternalTLS) } -func tlsEnabled(trust Trust) bool { - return trust == TrustMinimal || - trust == TrustEnabled || - trust == TrustMutual || - trust == TrustIdentity +func tlsEnabled(encryptionConfig EncryptionConfig) bool { + return encryptionConfig == EncryptionEnabled } // GetDomainTemplate returns the golang Template from the config map diff --git a/vendor/modules.txt b/vendor/modules.txt index df754973d..ec2153550 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -892,7 +892,7 @@ k8s.io/utils/trace # knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 ## explicit; go 1.18 knative.dev/hack -# knative.dev/networking v0.0.0-20230926123909-c382f81bd011 +# knative.dev/networking v0.0.0-20231002132535-463dc388389e ## explicit; go 1.18 knative.dev/networking/config knative.dev/networking/pkg