Skip to content

Commit

Permalink
Align the encryption flags (#858)
Browse files Browse the repository at this point in the history
* Align the encryption flags

* Add new annotation to disable `external-domain-tls`

* Use references instead of duplication

* Rename knative-internal-tls to system-internal-tls
  • Loading branch information
ReToCode authored Oct 2, 2023
1 parent c1cae21 commit 05d0964
Show file tree
Hide file tree
Showing 7 changed files with 225 additions and 126 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
This repository contains the Knative Ingress and Certificate CRDs, as well as
their conformance tests. These are our extension points to plugin different
Ingress plugins (Ambassador, Contour, Gloo, Istio, Kong and Kourier), as well as
different AutoTLS plugins (CertManager and Knative's own HTTP01 challenge
different ExternalDomainTLS plugins (CertManager and Knative's own HTTP01 challenge
solver).

# Knative Ingress aka KIngress
Expand Down
77 changes: 37 additions & 40 deletions config/config-network.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ metadata:
app.kubernetes.io/component: networking
app.kubernetes.io/version: devel
annotations:
knative.dev/example-checksum: "cfad3b9a"
knative.dev/example-checksum: "b2698fe8"
data:
_example: |
################################
Expand Down Expand Up @@ -73,7 +73,7 @@ data:
# namespace-wildcard-cert-selector: {}
#
# Useful labels include the "kubernetes.io/metadata.name" label to
# avoid provisioning a certifcate for the "kube-system" namespaces.
# avoid provisioning a certificate for the "kube-system" namespaces.
# Use the following selector to match pre-1.0 behavior of using
# "networking.knative.dev/disableWildcardCert" to exclude namespaces:
#
Expand Down Expand Up @@ -114,16 +114,45 @@ data:
# domain-template above to determine the full URL for the tag.
tag-template: "{{.Tag}}-{{.Name}}"
# Controls whether TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate external TLS connection.
# 1. Enabled: enabling auto-TLS feature.
# 2. Disabled: disabling auto-TLS feature.
# auto-tls is deprecated and replaced by external-domain-tls
auto-tls: "Disabled"
# Controls whether TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate TLS connections
# for cluster external domains (like: app.example.com)
# - Enabled: enables the TLS certificate provisioning feature for cluster external domains.
# - Disabled: disables the TLS certificate provisioning feature for cluster external domains.
external-domain-tls: "Disabled"
# Controls weather TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate TLS connections
# for cluster local domains (like: app.namespace.svc.cluster.local)
# - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
# - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing
# for now. Use with caution.
cluster-local-domain-tls: "Disabled"
# internal-encryption is deprecated and replaced by system-internal-tls
internal-encryption: "false"
# system-internal-tls controls weather TLS encryption is used for connections between
# the internal components of Knative:
# - ingress to activator
# - ingress to queue-proxy
# - activator to queue-proxy
#
# Possible values for this flag are:
# - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
# - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing
# for now. Use with caution.
system-internal-tls: "Disabled"
# Controls the behavior of the HTTP endpoint for the Knative ingress.
# It requires auto-tls to be enabled.
# 1. Enabled: The Knative ingress will be able to serve HTTP connection.
# 2. Redirected: The Knative ingress will send a 301 redirect for all
# - Enabled: The Knative ingress will be able to serve HTTP connection.
# - Redirected: The Knative ingress will send a 301 redirect for all
# http connections, asking the clients to use HTTPS.
#
# "Disabled" option is deprecated.
Expand Down Expand Up @@ -172,35 +201,3 @@ data:
# fronting Knative with an external loadbalancer that deals with TLS termination and
# Knative doesn't know about that otherwise.
default-external-scheme: "http"
# internal-encryption is deprecated and replaced by dataplane-trust and controlplane-trust
# internal-encryption indicates whether internal traffic is encrypted or not.
#
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing
# for now. Use with caution.
internal-encryption: "false"
# dataplane-trust indicates the level of trust established in the knative data-plane.
# dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic
# Using any other value ensures that the following traffic is encrypted using TLS:
# - ingress to activator
# - ingress to queue-proxy
# - activator to queue-proxy
#
# dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc
# dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace
# dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress
# dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message
#
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
dataplane-trust: "disabled"
# controlplane-trust indicates the level of trust established in the knative control-plane.
# controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic
# Using any other value ensures that control traffic is encrypted using TLS.
#
# controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server)
# controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other)
#
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
controlplane-trust: "disabled"
1 change: 1 addition & 0 deletions pkg/apis/networking/metadata_validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ var (
IngressClassAnnotationKey,
CertificateClassAnnotationKey,
DisableAutoTLSAnnotationKey,
DisableExternalDomainTLSAnnotationKey,
HTTPOptionAnnotationKey,

IngressClassAnnotationAltKey,
Expand Down
5 changes: 5 additions & 0 deletions pkg/apis/networking/metadata_validation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,11 @@ func TestValidateObjectMetadata(t *testing.T) {
DisableAutoTLSAnnotationKey: "true",
DisableAutoTLSAnnotationAltKey: "true",
},
}, {
name: "valid disable external-domain-tls annotation key",
annotations: map[string]string{
DisableExternalDomainTLSAnnotationKey: "true",
},
}, {
name: "valid certificate class annotation key",
annotations: map[string]string{
Expand Down
21 changes: 18 additions & 3 deletions pkg/apis/networking/register.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,11 +70,17 @@ const (

// DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
// to indicate that AutoTLS should not be enabled for it.
// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"

// DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"

// DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
// to indicate that external-domain-tls should not be enabled for it.
DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"

// HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
// to indicate the HTTP option of it.
HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
Expand Down Expand Up @@ -130,9 +136,15 @@ var (
CertificateClassAnnotationAltKey,
}

DisableAutoTLSAnnotation = kmap.KeyPriority{
// Deprecated: use DisableExternalDomainTLSAnnotation instead.
DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation

DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
// backward compatibility
DisableAutoTLSAnnotationKey,
DisableAutoTLSAnnotationAltKey,

DisableExternalDomainTLSAnnotationKey,
}

HTTPProtocolAnnotation = kmap.KeyPriority{
Expand All @@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
return HTTPProtocolAnnotation.Value(annotations)
}

func GetDisableAutoTLS(annotations map[string]string) (val string) {
return DisableAutoTLSAnnotation.Value(annotations)
// Deprecated: use GetDisableExternalDomainTLS instead.
var GetDisableAutoTLS = GetDisableExternalDomainTLS

func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
return DisableExternalDomainTLSAnnotation.Value(annotations)
}
Loading

0 comments on commit 05d0964

Please sign in to comment.