From 7f1ff38ae6519f88df63fae653bd840e3ded5011 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Thu, 14 Sep 2023 10:42:15 -0400
Subject: [PATCH] use new internal encryption keys
---
 pkg/reconciler/autoscaling/config/store_test.go | 4 ++--
 pkg/reconciler/autoscaling/kpa/kpa.go | 3 +--
 pkg/reconciler/autoscaling/kpa/kpa_test.go | 4 ++--
 pkg/reconciler/route/resources/ingress.go | 5 ++---
 pkg/reconciler/route/resources/ingress_test.go | 2 +-
 pkg/reconciler/route/resources/service_test.go | 2 +-
 test/e2e/autoscale_test.go | 4 ++--
 7 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/pkg/reconciler/autoscaling/config/store_test.go b/pkg/reconciler/autoscaling/config/store_test.go
index 6de86bbf9029..b0cdfb1347d0 100644
--- a/pkg/reconciler/autoscaling/config/store_test.go
+++ b/pkg/reconciler/autoscaling/config/store_test.go
@@ -66,7 +66,7 @@ func TestStoreImmutableConfig(t *testing.T) {
 config := store.Load()
 config.Autoscaler.MaxScaleUpRate = 100.0
 config.Deployment.ProgressDeadline = 3 * time.Minute
- config.Network.DataplaneTrust = netcfg.TrustMinimal
+ config.Network.KnativeInternalTLS = netcfg.EncryptionEnabled
 newConfig := store.Load()
 if newConfig.Autoscaler.MaxScaleUpRate == 100.0 {
@@ -76,7 +76,7 @@ func TestStoreImmutableConfig(t *testing.T) {
 t.Error("Deployment config is not immutable")
 }
- if newConfig.Network.DataplaneTrust != netcfg.TrustDisabled {
+ if newConfig.Network.KnativeInternalTLS != netcfg.EncryptionDisabled {
 t.Error("Network config is not immutable")
 }
 }
diff --git a/pkg/reconciler/autoscaling/kpa/kpa.go b/pkg/reconciler/autoscaling/kpa/kpa.go
index 013022d2df49..d05aeb2e9aed 100644
--- a/pkg/reconciler/autoscaling/kpa/kpa.go
+++ b/pkg/reconciler/autoscaling/kpa/kpa.go
@@ -25,7 +25,6 @@ import (
 "go.uber.org/zap"
 nv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
- netcfg "knative.dev/networking/pkg/config"
 "knative.dev/pkg/logging"
 pkgmetrics "knative.dev/pkg/metrics"
 "knative.dev/pkg/ptr"
@@ -129,7 +128,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, pa *autoscalingv1alpha1.
 // When activator CA is enabled, force activator always in path.
 // TODO: This is a temporary state and to be fixed.
 // See also issues/11906 and issues/12797.
- case config.FromContext(ctx).Network.DataplaneTrust != netcfg.TrustDisabled:
+ case config.FromContext(ctx).Network.KnativeInternalTLSEnabled():
 mode = nv1alpha1.SKSOperationModeProxy
 // If the want == -1 and PA is inactive that implies the autoscaler
diff --git a/pkg/reconciler/autoscaling/kpa/kpa_test.go b/pkg/reconciler/autoscaling/kpa/kpa_test.go
index b12a56cb3a6b..a9f88b2ec803 100644
--- a/pkg/reconciler/autoscaling/kpa/kpa_test.go
+++ b/pkg/reconciler/autoscaling/kpa/kpa_test.go
@@ -128,7 +128,7 @@ func initialScaleZeroASConfig() *autoscalerconfig.Config {
 func activatorCertsNetConfig() *netcfg.Config {
 nc, _ := netcfg.NewConfigFromMap(map[string]string{
- netcfg.DataplaneTrustKey: "minimal",
+ netcfg.KnativeInternalTLSKey: "enabled",
 })
 return nc
 }
@@ -140,7 +140,7 @@ func defaultConfig() *config.Config {
 deployment.ProgressDeadlineKey: progressDeadline.String(),
 })
 networkConfig, _ := netcfg.NewConfigFromMap(map[string]string{
- netcfg.DataplaneTrustKey: "disabled",
+ netcfg.KnativeInternalTLSKey: "disabled",
 })
 return &config.Config{
diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go
index 64bb51020887..151663317f6e 100644
--- a/pkg/reconciler/route/resources/ingress.go
+++ b/pkg/reconciler/route/resources/ingress.go
@@ -29,7 +29,6 @@ import (
 "knative.dev/networking/pkg/apis/networking"
 netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
- netcfg "knative.dev/networking/pkg/config"
 netheader "knative.dev/networking/pkg/http/header"
 ingress "knative.dev/networking/pkg/ingress"
 "knative.dev/pkg/kmeta"
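Review bot: The comment above the changed `case` still says "When activator CA is enabled", which no longer names the setting that drives this branch; I would reword it to `// When Knative internal TLS is enabled, force activator always in path.` The old condition put the activator in the path for any value other than `TrustDisabled`. The new one delegates to `KnativeInternalTLSEnabled()`, which is defined in knative.dev/networking and not visible here. It is worth confirming that an unrecognised or mixed-case value cannot leave TLS expected by the data plane while the SKS stays out of proxy mode. `ReconcileKind` starts and ends outside this hunk.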
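Review bot: Both test helpers in kpa_test.go discard the error from `netcfg.NewConfigFromMap` (`nc, _ :=` in `activatorCertsNetConfig`, `networkConfig, _ :=` in `defaultConfig`), so a key or value the vendored netcfg rejects would go unnoticed. This commit changes the value from "minimal" to "enabled", which is exactly the kind of edit where a silent parse failure would let the TLS-enabled test cases run against an unintended config. Neither helper takes a `*testing.T`, so the smallest fix is to keep the error and fail loudly: `nc, err := netcfg.NewConfigFromMap(...)` followed by `if err != nil { panic(err) }`. `defaultConfig` continues past the end of its hunk.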
@@ -150,7 +149,7 @@ func makeIngressSpec(
 return netv1alpha1.IngressSpec{}, err
 }
 rule := makeIngressRule(domains, r.Namespace,
- visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.DataplaneTrust != netcfg.TrustDisabled)
+ visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.KnativeInternalTLSEnabled())
 if featuresConfig.TagHeaderBasedRouting == apicfg.Enabled {
 if rule.HTTP.Paths[0].AppendHeaders == nil {
 rule.HTTP.Paths[0].AppendHeaders = make(map[string]string, 1)
@@ -172,7 +171,7 @@ func makeIngressSpec(
 // Since names are sorted `DefaultTarget == ""` is the first one,
 // so just pass the subslice.
 rule.HTTP.Paths = append(
- makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.DataplaneTrust != netcfg.TrustDisabled, names[1:]), rule.HTTP.Paths...)
+ makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.KnativeInternalTLSEnabled(), names[1:]), rule.HTTP.Paths...)
 } else {
 // If a request is routed by a tag-attached hostname instead of the tag header,
 // the request may not have the tag header "Knative-Serving-Tag",
diff --git a/pkg/reconciler/route/resources/ingress_test.go b/pkg/reconciler/route/resources/ingress_test.go
index 2c6c7085b77e..f348ff009f53 100644
--- a/pkg/reconciler/route/resources/ingress_test.go
+++ b/pkg/reconciler/route/resources/ingress_test.go
@@ -1427,6 +1427,6 @@ func testContextWithHTTPOption() context.Context {
 func testContextWithActivatorCA() context.Context {
 cfg := testConfig()
- cfg.Network.DataplaneTrust = netcfg.TrustMinimal
+ cfg.Network.KnativeInternalTLS = netcfg.EncryptionEnabled
 return config.ToContext(context.Background(), cfg)
 }
diff --git a/pkg/reconciler/route/resources/service_test.go b/pkg/reconciler/route/resources/service_test.go
index a17e7972bd73..835a2ba2fa17 100644
--- a/pkg/reconciler/route/resources/service_test.go
+++ b/pkg/reconciler/route/resources/service_test.go
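Review bot: In `makeIngressSpec` the internal-TLS flag is read at two call sites, the `makeIngressRule` call in the `@@ -150` hunk and the `makeTagBasedRoutingIngressPaths` call in the `@@ -172` hunk, each time as an unnamed positional boolean. Reading it once near the top of the function, e.g. `internalTLS := networkConfig.KnativeInternalTLSEnabled()`, and passing `internalTLS` to both would make it clear that the default and tag-based paths always agree on whether backends are reached over TLS. It would also give the argument a name at the call site. The function starts before and ends after both hunks, so the right place for the local is not visible here.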
@@ -419,7 +419,7 @@ func testConfig() *config.Config {
 DefaultIngressClass: "test-ingress-class",
 DomainTemplate: netcfg.DefaultDomainTemplate,
 TagTemplate: netcfg.DefaultTagTemplate,
- DataplaneTrust: netcfg.TrustDisabled,
+ KnativeInternalTLS: netcfg.EncryptionEnabled,
 },
 Features: &apiConfig.Features{
 MultiContainer: apiConfig.Disabled,
diff --git a/test/e2e/autoscale_test.go b/test/e2e/autoscale_test.go
index bf4d985401ef..fa13d6c3763e 100644
--- a/test/e2e/autoscale_test.go
+++ b/test/e2e/autoscale_test.go
@@ -175,8 +175,8 @@ func TestTargetBurstCapacity(t *testing.T) {
 }
 // TODO: Remove this when "activator always stay in path" is eliminated.
- dataplaneTrustMode := cm.Data[netcfg.DataplaneTrustKey]
- if (dataplaneTrustMode != "" && !strings.EqualFold(dataplaneTrustMode, string(netcfg.TrustDisabled))) || strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") {
+ dataplaneTrustMode := cm.Data[netcfg.KnativeInternalTLSKey]
+ if (dataplaneTrustMode != "" && !strings.EqualFold(dataplaneTrustMode, string(netcfg.EncryptionDisabled))) || strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") {
 t.Skip("Skipping TestTargetBurstCapacity as activator always stay in path.")
 }
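Review bot: In `testConfig()` the shared baseline flips from disabled to enabled: the removed line is `DataplaneTrust: netcfg.TrustDisabled,` and the added one is `KnativeInternalTLS: netcfg.EncryptionEnabled,`, which is not a like-for-like rename. `testContextWithActivatorCA()` in ingress_test.go sets the same field to `EncryptionEnabled` on top of `testConfig()`. If it calls this helper, the TLS-on and TLS-off fixtures become identical and the route tests no longer cover the plaintext path or tell the two apart. Unless the flip is intended, the line should read `KnativeInternalTLS: netcfg.EncryptionDisabled,`. The struct literal starts and ends outside the hunk.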
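Review bot: The skip condition in `TestTargetBurstCapacity` still uses the local name `dataplaneTrustMode` although it now reads `netcfg.KnativeInternalTLSKey`; `internalTLS := cm.Data[netcfg.KnativeInternalTLSKey]` would match the new setting. The test also hand-rolls "enabled" as non-empty and not equal to `EncryptionDisabled`, whereas the reconcilers in this commit call `KnativeInternalTLSEnabled()`, so the two definitions can drift apart for unrecognised values. The old `DataplaneTrustKey` is no longer consulted. If the networking config still honours it for compatibility (not visible here), a cluster configured with the old key would run this test with the activator pinned in the path instead of skipping it.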