Skip to content

Commit

Permalink
Align the encryption flags
Browse files Browse the repository at this point in the history
  • Loading branch information
ReToCode committed Sep 18, 2023
1 parent 50368a7 commit 06ba58e
Show file tree
Hide file tree
Showing 3 changed files with 200 additions and 122 deletions.
77 changes: 37 additions & 40 deletions config/config-network.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ metadata:
app.kubernetes.io/component: networking
app.kubernetes.io/version: devel
annotations:
knative.dev/example-checksum: "cfad3b9a"
knative.dev/example-checksum: "8cbfa515"
data:
_example: |
################################
Expand Down Expand Up @@ -73,7 +73,7 @@ data:
# namespace-wildcard-cert-selector: {}
#
# Useful labels include the "kubernetes.io/metadata.name" label to
# avoid provisioning a certifcate for the "kube-system" namespaces.
# avoid provisioning a certificate for the "kube-system" namespaces.
# Use the following selector to match pre-1.0 behavior of using
# "networking.knative.dev/disableWildcardCert" to exclude namespaces:
#
Expand Down Expand Up @@ -114,16 +114,45 @@ data:
# domain-template above to determine the full URL for the tag.
tag-template: "{{.Tag}}-{{.Name}}"
# Controls whether TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate external TLS connection.
# 1. Enabled: enabling auto-TLS feature.
# 2. Disabled: disabling auto-TLS feature.
# auto-tls is deprecated and replaced by external-domain-tls
auto-tls: "Disabled"
# Controls whether TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate TLS connections
# for cluster external domains (like: app.example.com)
# - Enabled: enables the TLS certificate provisioning feature for cluster external domains.
# - Disabled: disables the TLS certificate provisioning feature for cluster external domains.
external-domain-tls: "Disabled"
# Controls weather TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate TLS connections
# for cluster local domains (like: app.namespace.svc.cluster.local)
# - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
# - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing
# for now. Use with caution.
cluster-local-domain-tls: "Disabled"
# internal-encryption is deprecated and replaced by knative-internal-tls
internal-encryption: "false"
# knative-internal-tls controls weather TLS encryption is used for connections between
# the internal components of Knative:
# - ingress to activator
# - ingress to queue-proxy
# - activator to queue-proxy
#
# Possible values for this flag are:
# - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
# - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing
# for now. Use with caution.
knative-internal-tls: "Disabled"
# Controls the behavior of the HTTP endpoint for the Knative ingress.
# It requires auto-tls to be enabled.
# 1. Enabled: The Knative ingress will be able to serve HTTP connection.
# 2. Redirected: The Knative ingress will send a 301 redirect for all
# - Enabled: The Knative ingress will be able to serve HTTP connection.
# - Redirected: The Knative ingress will send a 301 redirect for all
# http connections, asking the clients to use HTTPS.
#
# "Disabled" option is deprecated.
Expand Down Expand Up @@ -172,35 +201,3 @@ data:
# fronting Knative with an external loadbalancer that deals with TLS termination and
# Knative doesn't know about that otherwise.
default-external-scheme: "http"
# internal-encryption is deprecated and replaced by dataplane-trust and controlplane-trust
# internal-encryption indicates whether internal traffic is encrypted or not.
#
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing
# for now. Use with caution.
internal-encryption: "false"
# dataplane-trust indicates the level of trust established in the knative data-plane.
# dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic
# Using any other value ensures that the following traffic is encrypted using TLS:
# - ingress to activator
# - ingress to queue-proxy
# - activator to queue-proxy
#
# dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc
# dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace
# dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress
# dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message
#
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
dataplane-trust: "disabled"
# controlplane-trust indicates the level of trust established in the knative control-plane.
# controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic
# Using any other value ensures that control traffic is encrypted using TLS.
#
# controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server)
# controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other)
#
# NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
controlplane-trust: "disabled"
136 changes: 74 additions & 62 deletions pkg/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -92,8 +92,17 @@ const (

// AutoTLSKey is the name of the configuration entry
// that specifies enabling auto-TLS or not.
// Deprecated: please use ExternalDomainTLSKey.
AutoTLSKey = "auto-tls"

// ExternalDomainTLSKey is the name of the configuration entry
// that specifies if external-domain-tls is enabled or not.
ExternalDomainTLSKey = "external-domain-tls"

// ClusterLocalDomainTLSKey is the name of the configuration entry
// that specifies if cluster-local-domain-tls is enabled or not.
ClusterLocalDomainTLSKey = "cluster-local-domain-tls"

// DefaultCertificateClassKey is the name of the configuration entry
// that specifies the default Certificate.
DefaultCertificateClassKey = "certificate-class"
Expand Down Expand Up @@ -134,39 +143,26 @@ const (
// hostname for a Route's tag.
TagTemplateKey = "tag-template"

// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey.
// InternalEncryptionKey is the name of the configuration whether
// internal traffic is encrypted or not.
// Deprecated: please use KnativeInternalTLSKey.
InternalEncryptionKey = "internal-encryption"

// DataplaneTrustKey is the name of the configuration entry
// defining the level of trust used for data plane traffic.
DataplaneTrustKey = "dataplane-trust"

// ControlplaneTrustKey is the name of the configuration entry
// defining the level of trust used for control plane traffic.
ControlplaneTrustKey = "controlplane-trust"
// KnativeInternalTLSKey is the name of the configuration whether
// knative internal traffic is encrypted or not.
KnativeInternalTLSKey = "knative-internal-tls"
)

// HTTPProtocol indicates a type of HTTP endpoint behavior
// that Knative ingress could take.
type Trust string
// EncryptionConfig indicates the encryption configuration
// used for TLS connections.
type EncryptionConfig string

const (
// TrustDisabled - TLS not used
TrustDisabled Trust = "disabled"

// TrustMinimal - TLS used. We verify that the server is using Knative certificates
TrustMinimal Trust = "minimal"

// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
TrustEnabled Trust = "enabled"
// EncryptionDisabled - TLS not used.
EncryptionDisabled EncryptionConfig = "disabled"

// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
TrustMutual Trust = "mutual"

// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
TrustIdentity Trust = "identity"
// EncryptionEnabled - TLS used. The client verifies the servers certificate.
EncryptionEnabled EncryptionConfig = "enabled"
)

// HTTPProtocol indicates a type of HTTP endpoint behavior
Expand Down Expand Up @@ -244,8 +240,12 @@ type Config struct {
TagTemplate string

// AutoTLS specifies if auto-TLS is enabled or not.
// Deprecated: please use ExternalDomainTLS instead.
AutoTLS bool

// ExternalDomainTLS specifies if external-domain-tls is enabled or not.
ExternalDomainTLS bool

// HTTPProtocol specifics the behavior of HTTP endpoint of Knative
// ingress.
HTTPProtocol HTTPProtocol
Expand Down Expand Up @@ -293,15 +293,15 @@ type Config struct {
// not enabled. Defaults to "http".
DefaultExternalScheme string

// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
// InternalEncryption specifies whether internal traffic is encrypted or not.
// Deprecated: please use KnativeInternalTLSKey instead.
InternalEncryption bool

// DataplaneTrust specifies the level of trust used for date plane.
DataplaneTrust Trust
// KnativeInternalTLS specifies whether knative internal traffic is encrypted or not.
KnativeInternalTLS EncryptionConfig

// ControlplaneTrust specifies the level of trust used for control plane.
ControlplaneTrust Trust
// ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
ClusterLocalDomainTLS EncryptionConfig
}

func defaultConfig() *Config {
Expand All @@ -311,14 +311,15 @@ func defaultConfig() *Config {
DomainTemplate: DefaultDomainTemplate,
TagTemplate: DefaultTagTemplate,
AutoTLS: false,
ExternalDomainTLS: false,
NamespaceWildcardCertSelector: nil,
HTTPProtocol: HTTPEnabled,
AutocreateClusterDomainClaims: false,
DefaultExternalScheme: "http",
MeshCompatibilityMode: MeshCompatibilityModeAuto,
InternalEncryption: false,
DataplaneTrust: TrustDisabled,
ControlplaneTrust: TrustDisabled,
KnativeInternalTLS: EncryptionDisabled,
ClusterLocalDomainTLS: EncryptionDisabled,
}
}

Expand Down Expand Up @@ -383,12 +384,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
}
templateCache.Add(nc.TagTemplate, t)

// external-domain-tls and auto-tls
if val, ok := data["autoTLS"]; ok {
nc.AutoTLS = strings.EqualFold(val, "enabled")
}
if val, ok := data[AutoTLSKey]; ok {
nc.AutoTLS = strings.EqualFold(val, "enabled")
}
if val, ok := data[ExternalDomainTLSKey]; ok {
nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")

// The new key takes precedence, but we support compatibility
// for code that has not updated to the new field yet.
nc.AutoTLS = nc.ExternalDomainTLS
} else {
// backward compatibility: if the new key is not set, use the value from the old key
nc.ExternalDomainTLS = nc.AutoTLS
}

var httpProtocol string
if val, ok := data["httpProtocol"]; ok {
Expand All @@ -410,52 +422,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
}

switch strings.ToLower(data[DataplaneTrustKey]) {
case "", string(TrustDisabled):
// If DataplaneTrus is not set in the config-network, default is already
// set to TrustDisabled.
switch strings.ToLower(data[KnativeInternalTLSKey]) {
case "", string(EncryptionDisabled):
// If KnativeInternalTLSKey is not set in the config-network, default is already
// set to EncryptionDisabled.
if nc.InternalEncryption {
// Backward compatibility
nc.DataplaneTrust = TrustMinimal
nc.KnativeInternalTLS = EncryptionEnabled
}
case string(TrustMinimal):
nc.DataplaneTrust = TrustMinimal
case string(TrustEnabled):
nc.DataplaneTrust = TrustEnabled
case string(TrustMutual):
nc.DataplaneTrust = TrustMutual
case string(TrustIdentity):
nc.DataplaneTrust = TrustIdentity
case string(EncryptionEnabled):
nc.KnativeInternalTLS = EncryptionEnabled

// The new key takes precedence, but we support compatibility
// for code that has not updated to the new field yet.
nc.InternalEncryption = true
default:
return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
KnativeInternalTLSKey, data[KnativeInternalTLSKey])
}

switch strings.ToLower(data[ControlplaneTrustKey]) {
case "", string(TrustDisabled):
// If ControlplaneTrust is not set in the config-network, default is already
// set to TrustDisabled.
case string(TrustEnabled):
nc.ControlplaneTrust = TrustEnabled
case string(TrustMutual):
nc.ControlplaneTrust = TrustMutual
switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
case "", string(EncryptionDisabled):
// If ClusterLocalDomainTLSKey is not set in the config-network, default is already
// set to EncryptionDisabled.
case string(EncryptionEnabled):
nc.ClusterLocalDomainTLS = EncryptionEnabled
default:
return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
}

return nc, nil
}

// InternalTLSEnabled returns whether or not InternalEncyrption is enabled.
// Currently only DataplaneTrust is considered.
// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
// Deprecated: please use KnativeInternalTLSEnabled()
func (c *Config) InternalTLSEnabled() bool {
return tlsEnabled(c.DataplaneTrust)
return tlsEnabled(c.KnativeInternalTLS)
}

// KnativeInternalTLSEnabled returns whether KnativeInternalTLS is enabled or not.
func (c *Config) KnativeInternalTLSEnabled() bool {
return tlsEnabled(c.KnativeInternalTLS)
}

func tlsEnabled(trust Trust) bool {
return trust == TrustMinimal ||
trust == TrustEnabled ||
trust == TrustMutual ||
trust == TrustIdentity
func tlsEnabled(encryptionConfig EncryptionConfig) bool {
return encryptionConfig == EncryptionEnabled
}

// GetDomainTemplate returns the golang Template from the config map
Expand Down
Loading

0 comments on commit 06ba58e

Please sign in to comment.