From 94e6ffafe51d8213fd7f1e9e20ffb4d3090566d5 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Tue, 15 Aug 2023 10:14:17 -0400
Subject: [PATCH 1/5] allow activator configstore to track network config
---
 pkg/activator/config/store.go | 16 +++++++++++++---
 pkg/activator/config/store_test.go | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/pkg/activator/config/store.go b/pkg/activator/config/store.go
index ade9962cb766..e155d3e671d8 100644
--- a/pkg/activator/config/store.go
+++ b/pkg/activator/config/store.go
@@ -20,6 +20,7 @@ import (
 "context"

 "go.uber.org/atomic"
+ netcfg "knative.dev/networking/pkg/config"
 "knative.dev/pkg/configmap"
 tracingconfig "knative.dev/pkg/tracing/config"
 )
@@ -29,6 +30,7 @@ type cfgKey struct{}
 // Config is the configuration for the activator.
 type Config struct {
 Tracing *tracingconfig.Config
+ Network *netcfg.Config
 }

 // FromContext obtains a Config injected into the passed context.
@@ -51,15 +53,23 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i
 // Append an update function to run after a ConfigMap has updated to update the
 // current state of the Config.
 onAfterStore = append(onAfterStore, func(_ string, _ interface{}) {
- s.current.Store(&Config{
- Tracing: s.UntypedLoad(tracingconfig.ConfigName).(*tracingconfig.Config).DeepCopy(),
- })
+ c := &Config{}
+ tracing := s.UntypedLoad(tracingconfig.ConfigName)
+ if tracing != nil {
+ c.Tracing = tracing.(*tracingconfig.Config).DeepCopy()
+ }
+ network := s.UntypedLoad(netcfg.ConfigMapName)
+ if network != nil {
+ c.Network = network.(*netcfg.Config).DeepCopy()
+ }
+ s.current.Store(c)
 })
 s.UntypedStore = configmap.NewUntypedStore(
 "activator",
 logger,
 configmap.Constructors{
 tracingconfig.ConfigName: tracingconfig.NewTracingConfigFromConfigMap,
+ netcfg.ConfigMapName: netcfg.NewConfigFromConfigMap,
 },
 onAfterStore...,
 )
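Review bot: The new closure leaves `c.Network` (and `c.Tracing`) nil whenever the corresponding ConfigMap has not yet been delivered to the store, and nothing in the hunk says so; the activator's MetricHandler later in this series dereferences `Config.Network` without a check, so the invariant deserves a comment here and a guard there (raised at that hunk). A line above `c := &Config{}` such as `// A ConfigMap may not have been observed yet; leave its field nil instead of panicking on the type assertion.` would make the contract explicit, and the field in the struct hunk above could carry `Network *netcfg.Config // nil until config-network has been observed`. NewStore's body begins outside the hunk.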
diff --git a/pkg/activator/config/store_test.go b/pkg/activator/config/store_test.go
index 94c84658f358..4c6c843ea18c 100644
--- a/pkg/activator/config/store_test.go
+++ b/pkg/activator/config/store_test.go
@@ -22,6 +22,7 @@ import (

 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ netcfg "knative.dev/networking/pkg/config"
 ltesting "knative.dev/pkg/logging/testing"
 tracingconfig "knative.dev/pkg/tracing/config"
 )
@@ -35,10 +36,20 @@ var tracingConfig = &corev1.ConfigMap{
 },
 }

+var networkingConfig = &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: netcfg.ConfigMapName,
+ },
+ Data: map[string]string{
+ "dataplane-trust": "Disabled",
+ },
+}
+
 func TestStore(t *testing.T) {
 logger := ltesting.TestLogger(t)
 store := NewStore(logger)
 store.OnConfigChanged(tracingConfig)
+ store.OnConfigChanged(networkingConfig)

 ctx := store.ToContext(context.Background())
 cfg := FromContext(ctx)
@@ -46,6 +57,9 @@ func TestStore(t *testing.T) {
 if got, want := cfg.Tracing.Backend, tracingconfig.None; got != want {
 t.Fatalf("Tracing.Backend = %v, want %v", got, want)
 }
+ if got, want := cfg.Network.DataplaneTrust, netcfg.TrustDisabled; got != want {
+ t.Fatalf("Networking.DataplaneTrust = %v, want %v", got, want)
+ }

 newConfig := &corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
From f7aefdfc86d992c6678e23d0532de2e140f57f9a Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Tue, 15 Aug 2023 10:16:13 -0400
Subject: [PATCH 2/5] add new security mode metrics tag
---
 pkg/metrics/key.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/metrics/key.go b/pkg/metrics/key.go
index cc9dbc805c50..e5afc5050664 100644
--- a/pkg/metrics/key.go
+++ b/pkg/metrics/key.go
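Review bot: The fixture value `"dataplane-trust": "Disabled"` relies on the ConfigMap parser folding case, since the expected constant `netcfg.TrustDisabled` is presumably lowercase (queue_test.go later in this series expects `"enabled"` for `TrustEnabled`); whether the parser is case-insensitive is not visible here, so `"dataplane-trust": string(netcfg.TrustDisabled),` would be both more robust and consistent with the `networkConfig` helper added in metric_handler_test.go. In the `@@ -46` hunk the failure message names `Networking.DataplaneTrust` while the field read is `cfg.Network`; `t.Fatalf("Network.DataplaneTrust = %v, want %v", got, want)` keeps the message and the struct in step.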
@@ -61,6 +61,9 @@ const (
 // LabelResponseTimeout is the label timeout.
 LabelResponseTimeout = metricskey.LabelResponseTimeout

+ // LabelSecurityMode is the label for Security Mode Knative is configured to use (see dataplane-trust in config-networking).
+ LabelSecurityMode = "security_mode"
+
 // ValueUnknown is the default value if the field is unknown, e.g. project will be unknown if Knative
 // is not running on GKE.
 ValueUnknown = metricskey.ValueUnknown
@@ -77,4 +80,5 @@ var (
 ResponseCodeKey = tag.MustNewKey(LabelResponseCode)
 ResponseCodeClassKey = tag.MustNewKey(LabelResponseCodeClass)
 RouteTagKey = tag.MustNewKey(LabelRouteTag)
+ SecurityMode = tag.MustNewKey(LabelSecurityMode)
 )
From d8163f10fd258b65e830c2d58d18b93ddd051fc8 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Tue, 15 Aug 2023 10:16:48 -0400
Subject: [PATCH 3/5] activator now adds security mode tag to metrics

* based on security mode from config in context
---
 pkg/activator/handler/handler_test.go | 1 +
 pkg/activator/handler/metric_handler.go | 5 ++++
 pkg/activator/handler/metric_handler_test.go | 24 ++++++++++++++++++++
 pkg/activator/handler/metrics.go | 6 ++---
 4 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/pkg/activator/handler/handler_test.go b/pkg/activator/handler/handler_test.go
index c206b46304dc..42d7d55df8f5 100644
--- a/pkg/activator/handler/handler_test.go
+++ b/pkg/activator/handler/handler_test.go
@@ -326,6 +326,7 @@ func revision(namespace, name string) *v1.Revision {
 func setupConfigStore(t testing.TB, logger *zap.SugaredLogger) *activatorconfig.Store {
 configStore := activatorconfig.NewStore(logger)
 configStore.OnConfigChanged(tracingConfig(false))
+ configStore.OnConfigChanged(networkConfig(false))
 return configStore
 }

diff --git a/pkg/activator/handler/metric_handler.go b/pkg/activator/handler/metric_handler.go
index 8c3b058f3135..984bc6a3989f 100644
--- a/pkg/activator/handler/metric_handler.go
+++ b/pkg/activator/handler/metric_handler.go
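Review bot: `SecurityMode` breaks the naming pattern of its siblings in the same `var` block (`ResponseCodeKey`, `ResponseCodeClassKey`, `RouteTagKey`), so at the use sites in metrics.go and metric_handler.go it reads like a value rather than a `tag.Key`; `SecurityModeKey = tag.MustNewKey(LabelSecurityMode)` would keep the convention, with the callers in the later patches renamed to match. The `LabelSecurityMode` comment could also name the value domain so readers of the metric know the tag's cardinality is bounded by configuration rather than by requests, e.g. `// LabelSecurityMode is the label for the dataplane-trust mode (a netcfg.Trust value) the component is configured with (see dataplane-trust in config-networking).`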
@@ -20,8 +20,10 @@ import (
 "net/http"
 "time"

+ "go.opencensus.io/tag"
 pkgmetrics "knative.dev/pkg/metrics"
 "knative.dev/serving/pkg/activator"
+ activatorconfig "knative.dev/serving/pkg/activator/config"
 "knative.dev/serving/pkg/apis/serving"
 pkghttp "knative.dev/serving/pkg/http"
 "knative.dev/serving/pkg/metrics"
@@ -46,6 +48,9 @@ func (h *MetricHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 reporterCtx, _ := metrics.PodRevisionContext(h.podName, activator.Name, rev.Namespace,
 rev.Labels[serving.ServiceLabelKey], rev.Labels[serving.ConfigurationLabelKey], rev.Name)

+ securityMode := activatorconfig.FromContext(r.Context()).Network.DataplaneTrust
+ reporterCtx, _ = tag.New(reporterCtx, tag.Upsert(metrics.SecurityMode, string(securityMode)))
+
 start := time.Now()
 rr := pkghttp.NewResponseRecorder(w, http.StatusOK)

diff --git a/pkg/activator/handler/metric_handler_test.go b/pkg/activator/handler/metric_handler_test.go
index a7ab19204d29..8086755f68da 100644
--- a/pkg/activator/handler/metric_handler_test.go
+++ b/pkg/activator/handler/metric_handler_test.go
@@ -26,10 +26,15 @@ import (
 "testing"

 "go.opencensus.io/resource"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ netcfg "knative.dev/networking/pkg/config"
+ "knative.dev/pkg/logging"
 "knative.dev/pkg/metrics/metricstest"
 _ "knative.dev/pkg/metrics/testing"
 "knative.dev/serving/pkg/activator"
+ activatorconfig "knative.dev/serving/pkg/activator/config"
 "knative.dev/serving/pkg/apis/serving"
 "knative.dev/serving/pkg/metrics"
 )
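Review bot: `activatorconfig.FromContext(r.Context()).Network.DataplaneTrust` dereferences `Network` unconditionally, but the store closure in patch 1 leaves `Config.Network` nil until a config-network ConfigMap has been observed, so a request served before that first update would panic inside the metric handler; the test-only change in handler_test.go (feeding `networkConfig(false)` into the store) works around this instead of guarding it. Whether `FromContext` itself can return nil is not visible here, so the guard below checks both. The discarded `tag.New` error mirrors the existing `PodRevisionContext` line, so I would leave that as is. ServeHTTP continues outside the hunk.
```go
	var securityMode string
	if cfg := activatorconfig.FromContext(r.Context()); cfg != nil && cfg.Network != nil {
		securityMode = string(cfg.Network.DataplaneTrust)
	}
	reporterCtx, _ = tag.New(reporterCtx, tag.Upsert(metrics.SecurityMode, securityMode))
	// … unchanged: start := time.Now() and the response recorder …
```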
@@ -108,13 +113,19 @@ func TestRequestMetricHandler(t *testing.T) {
 metrics.LabelContainerName: activator.Name,
 metrics.LabelResponseCode: strconv.Itoa(labelCode),
 metrics.LabelResponseCodeClass: strconv.Itoa(labelCode/100) + "xx",
+ metrics.LabelSecurityMode: string(netcfg.TrustDisabled),
 }

 metricstest.AssertMetric(t, metricstest.IntMetric(requestCountM.Name(), 1, wantTags).WithResource(wantResource))
 metricstest.AssertMetricExists(t, responseTimeInMsecM.Name())
 }()

+ cm := networkConfig(false)
+ reqCtx := WithRevisionAndID(context.Background(), rev, types.NamespacedName{Namespace: testNamespace, Name: testRevName})
+ configStore := activatorconfig.NewStore(logging.FromContext(reqCtx))
+ configStore.OnConfigChanged(cm)
+ reqCtx = configStore.ToContext(reqCtx)
 handler.ServeHTTP(resp, req.WithContext(reqCtx))
 })
 }
@@ -148,3 +159,16 @@ func BenchmarkMetricHandler(b *testing.B) {
 })
 })
 }
+
+func networkConfig(internalTLSEnabled bool) *corev1.ConfigMap {
+ cm := &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: netcfg.ConfigMapName,
+ },
+ Data: map[string]string{},
+ }
+ if internalTLSEnabled {
+ cm.Data["dataplane-trust"] = string(netcfg.TrustEnabled)
+ }
+ return cm
+}
diff --git a/pkg/activator/handler/metrics.go b/pkg/activator/handler/metrics.go
index 1d2a5c52766a..b0ad63f61fdc 100644
--- a/pkg/activator/handler/metrics.go
+++ b/pkg/activator/handler/metrics.go
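Review bot: `networkConfig(internalTLSEnabled bool)` names its parameter after the old internal-encryption flag while the body writes `dataplane-trust`, the key patch 5 of this series moves the activator to, so a reader may assume the two are the same setting; a name like `trustEnabled` plus a short doc comment would avoid that, e.g. `// networkConfig builds a config-network ConfigMap; when trustEnabled is false dataplane-trust is left unset, which the tests expect to parse as netcfg.TrustDisabled.` The helper is also called from handler_test.go, so a shared test helper file would be a more natural home than metric_handler_test.go, though that is a matter of taste.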
@@ -57,19 +57,19 @@ func register() {
 Description: "Concurrent requests that are routed to Activator",
 Measure: requestConcurrencyM,
 Aggregation: view.LastValue(),
- TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey},
+ TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.SecurityMode},
 },
 &view.View{
 Description: "The number of requests that are routed to Activator",
 Measure: requestCountM,
 Aggregation: view.Count(),
- TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey},
+ TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey, metrics.SecurityMode},
 },
 &view.View{
 Description: "The response time in millisecond",
 Measure: responseTimeInMsecM,
 Aggregation: defaultLatencyDistribution,
- TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey},
+ TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey, metrics.SecurityMode},
 },
 ); err != nil {
 panic(err)
From 66171151e378de649c88b89230805ab1264d3f77 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Tue, 15 Aug 2023 10:29:17 -0400
Subject: [PATCH 4/5] queue adds security mode tag to metrics

* security mode set as env var based on config from reconciler
---
 pkg/queue/request_metric.go | 21 ++++++++++++-------
 pkg/queue/request_metric_test.go | 20 +++++++++++-------
 pkg/queue/sharedmain/main.go | 6 +++++-
 .../revision/resources/deploy_test.go | 6 ++++++
 pkg/reconciler/revision/resources/queue.go | 3 +++
 .../revision/resources/queue_test.go | 14 +++++++++++++
 6 files changed, 53 insertions(+), 17 deletions(-)
diff --git a/pkg/queue/request_metric.go b/pkg/queue/request_metric.go
index 6f43a01bc3e8..098ce14d5079 100644
--- a/pkg/queue/request_metric.go
+++ b/pkg/queue/request_metric.go
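Review bot: Adding `metrics.SecurityMode` to the `requestConcurrencyM` view's TagKeys only yields a meaningful series if every recording of that measure carries the tag, but this series upserts it only in MetricHandler.ServeHTTP; if `requestConcurrencyM` is also recorded from a context built elsewhere in the activator (not visible in this hunk), those points would land with an empty `security_mode` value and split the time series in two. Worth confirming the other call sites, or limiting the new key to the two request views until they are covered. `register` continues outside the hunk.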
@@ -25,6 +25,7 @@ import (

 "go.opencensus.io/stats/view"
 "go.opencensus.io/tag"
+ netcfg "knative.dev/networking/pkg/config"
 netheader "knative.dev/networking/pkg/http/header"
 pkgmetrics "knative.dev/pkg/metrics"
 pkghttp "knative.dev/serving/pkg/http"
@@ -62,8 +63,9 @@ var (
 )

 type requestMetricsHandler struct {
- next http.Handler
- statsCtx context.Context
+ next http.Handler
+ statsCtx context.Context
+ securityMode netcfg.Trust
 }

 type appRequestMetricsHandler struct {
@@ -74,8 +76,8 @@ type appRequestMetricsHandler struct {

 // NewRequestMetricsHandler creates an http.Handler that emits request metrics.
 func NewRequestMetricsHandler(next http.Handler,
- ns, service, config, rev, pod string) (http.Handler, error) {
- keys := []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey, metrics.RouteTagKey}
+ ns, service, config, rev, pod string, securityMode netcfg.Trust) (http.Handler, error) {
+ keys := []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey, metrics.RouteTagKey, metrics.SecurityMode}
 if err := pkgmetrics.RegisterResourceView(
 &view.View{
 Description: "The number of requests that are routed to queue-proxy",
@@ -99,8 +101,9 @@ func NewRequestMetricsHandler(next http.Handler,
 }

 return &requestMetricsHandler{
- next: next,
- statsCtx: ctx,
+ next: next,
+ statsCtx: ctx,
+ securityMode: securityMode,
 }, nil
 }

@@ -108,6 +111,8 @@ func (h *requestMetricsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 rr := pkghttp.NewResponseRecorder(w, http.StatusOK)
 startTime := time.Now()

+ ctx, _ := tag.New(h.statsCtx, tag.Upsert(metrics.SecurityMode, string(h.securityMode)))
+
 defer func() {
 // Filter probe requests for revision metrics.
 if netheader.IsProbe(r) {
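Review bot: `ctx, _ := tag.New(h.statsCtx, ...)` rebuilds the tag map on every request even though `h.securityMode` is fixed for the handler's lifetime, and it drops the error that `NewRequestMetricsHandler` otherwise surfaces for bad tag values (see `TestNewRequestMetricsHandlerFailure`). Folding the tag into the stored context in the constructor, `statsCtx, err := tag.New(ctx, tag.Upsert(metrics.SecurityMode, string(securityMode)))` followed by `if err != nil { return nil, err }`, lets `ServeHTTP` keep passing `h.statsCtx` as before, makes the new `securityMode` struct field unnecessary, and lets the `ctx =` re-assignments in the `@@ -119` hunk revert to their original `ctx :=` form. ServeHTTP's body continues outside the hunk.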
@@ -119,13 +124,13 @@ func (h *requestMetricsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 latency := time.Since(startTime)
 routeTag := GetRouteTagNameFromRequest(r)
 if err != nil {
- ctx := metrics.AugmentWithResponseAndRouteTag(h.statsCtx,
+ ctx = metrics.AugmentWithResponseAndRouteTag(ctx,
 http.StatusInternalServerError, routeTag)
 pkgmetrics.RecordBatch(ctx, requestCountM.M(1),
 responseTimeInMsecM.M(float64(latency.Milliseconds())))
 panic(err)
 }
- ctx := metrics.AugmentWithResponseAndRouteTag(h.statsCtx,
+ ctx = metrics.AugmentWithResponseAndRouteTag(ctx,
 rr.ResponseCode, routeTag)
 pkgmetrics.RecordBatch(ctx, requestCountM.M(1),
 responseTimeInMsecM.M(float64(latency.Milliseconds())))
diff --git a/pkg/queue/request_metric_test.go b/pkg/queue/request_metric_test.go
index 79bd841d4fdb..cc9f4b6ea6ae 100644
--- a/pkg/queue/request_metric_test.go
+++ b/pkg/queue/request_metric_test.go
@@ -27,6 +27,7 @@ import (
 "knative.dev/pkg/metrics/metricstest"
 "knative.dev/serving/pkg/metrics"

+ netcfg "knative.dev/networking/pkg/config"
 _ "knative.dev/pkg/metrics/testing"
 )

@@ -34,7 +35,7 @@ const targetURI = "http://example.com"

 func TestNewRequestMetricsHandlerFailure(t *testing.T) {
 t.Cleanup(reset)
- if _, err := NewRequestMetricsHandler(nil /*next*/, "a", "b", "c", "d", "shøüld fail"); err == nil {
+ if _, err := NewRequestMetricsHandler(nil /*next*/, "a", "b", "c", "d", "shøüld fail", netcfg.TrustDisabled); err == nil {
 t.Error("Should get error when tag value is not ascii")
 }
 }
@@ -42,7 +43,7 @@ func TestNewRequestMetricsHandlerFailure(t *testing.T) {
 func TestRequestMetricsHandler(t *testing.T) {
 defer reset()
 baseHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
- handler, err := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, err := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 if err != nil {
 t.Fatal("Failed to create handler:", err)
 }
@@ -57,6 +58,7 @@ func TestRequestMetricsHandler(t *testing.T) {
 metrics.LabelResponseCode: "200",
 metrics.LabelResponseCodeClass: "2xx",
 "route_tag": disabledTagName,
+ metrics.LabelSecurityMode: string(netcfg.TrustDisabled),
 }
 wantResource := &resource.Resource{
 Type: "knative_revision",
@@ -81,7 +83,7 @@ func TestRequestMetricsHandler(t *testing.T) {
 func TestRequestMetricsHandlerWithEnablingTagOnRequestMetrics(t *testing.T) {
 defer reset()
 baseHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
- handler, err := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, err := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 if err != nil {
 t.Fatal("Failed to create handler:", err)
 }
@@ -98,6 +100,7 @@ func TestRequestMetricsHandlerWithEnablingTagOnRequestMetrics(t *testing.T) {
 metrics.LabelResponseCode: "200",
 metrics.LabelResponseCodeClass: "2xx",
 metrics.LabelRouteTag: "test-tag",
+ metrics.LabelSecurityMode: string(netcfg.TrustDisabled),
 }
 wantResource := &resource.Resource{
 Type: "knative_revision",
@@ -113,7 +116,7 @@ func TestRequestMetricsHandlerWithEnablingTagOnRequestMetrics(t *testing.T) {

 // Testing for default route
 reset()
- handler, _ = NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, _ = NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 req.Header.Del(netheader.RouteTagKey)
 req.Header.Set(netheader.DefaultRouteKey, "true")
 handler.ServeHTTP(resp, req)
@@ -121,7 +124,7 @@ func TestRequestMetricsHandlerWithEnablingTagOnRequestMetrics(t *testing.T) {
 metricstest.AssertMetric(t, metricstest.IntMetric("request_count", 1, wantTags).WithResource(wantResource))

 reset()
- handler, _ = NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, _ = NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 req.Header.Set(netheader.RouteTagKey, "test-tag")
 req.Header.Set(netheader.DefaultRouteKey, "true")
 handler.ServeHTTP(resp, req)
@@ -129,7 +132,7 @@ func TestRequestMetricsHandlerWithEnablingTagOnRequestMetrics(t *testing.T) {
 metricstest.AssertMetric(t, metricstest.IntMetric("request_count", 1, wantTags).WithResource(wantResource))

 reset()
- handler, _ = NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, _ = NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 req.Header.Set(netheader.RouteTagKey, "test-tag")
 req.Header.Set(netheader.DefaultRouteKey, "false")
 handler.ServeHTTP(resp, req)
@@ -149,7 +152,7 @@ func TestRequestMetricsHandlerPanickingHandler(t *testing.T) {
 baseHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 panic("no!")
 })
- handler, err := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, err := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 if err != nil {
 t.Fatal("Failed to create handler:", err)
 }
@@ -166,6 +169,7 @@ func TestRequestMetricsHandlerPanickingHandler(t *testing.T) {
 metrics.LabelResponseCode: "500",
 metrics.LabelResponseCodeClass: "5xx",
 "route_tag": disabledTagName,
+ metrics.LabelSecurityMode: string(netcfg.TrustDisabled),
 }
 wantResource := &resource.Resource{
 Type: "knative_revision",
@@ -292,7 +296,7 @@ func TestAppRequestMetricsHandler(t *testing.T) {

 func BenchmarkRequestMetricsHandler(b *testing.B) {
 baseHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
- handler, _ := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod")
+ handler, _ := NewRequestMetricsHandler(baseHandler, "ns", "svc", "cfg", "rev", "pod", netcfg.TrustDisabled)
 req := httptest.NewRequest(http.MethodPost, "http://example.com", nil)

 b.Run("sequential", func(b *testing.B) {
diff --git a/pkg/queue/sharedmain/main.go b/pkg/queue/sharedmain/main.go
index 0400d416457a..8bb26af0b84d 100644
--- a/pkg/queue/sharedmain/main.go
+++ b/pkg/queue/sharedmain/main.go
@@ -33,6 +33,7 @@ import (

 "k8s.io/apimachinery/pkg/types"
 "knative.dev/networking/pkg/certificates"
+ netcfg "knative.dev/networking/pkg/config"
 netstats "knative.dev/networking/pkg/http/stats"
 pkglogging "knative.dev/pkg/logging"
 "knative.dev/pkg/logging/logkey"
@@ -104,6 +105,9 @@ type config struct {
 TracingConfigSampleRate float64 `split_words:"true"` // optional
 TracingConfigZipkinEndpoint string `split_words:"true"` // optional

+ // SecurityMode is the trust level for internal encryption, see config-networking.data.dataplane-trust
+ SecurityMode netcfg.Trust `split_words:"true" required:"true"`
+
 Env
 }

@@ -395,7 +399,7 @@ func requestLogHandler(logger *zap.SugaredLogger, currentHandler http.Handler, e

 func requestMetricsHandler(logger *zap.SugaredLogger, currentHandler http.Handler, env config) http.Handler {
 h, err := queue.NewRequestMetricsHandler(currentHandler, env.ServingNamespace,
- env.ServingService, env.ServingConfiguration, env.ServingRevision, env.ServingPod)
+ env.ServingService, env.ServingConfiguration, env.ServingRevision, env.ServingPod, env.SecurityMode)
 if err != nil {
 logger.Errorw("Error setting up request metrics reporter. Request metrics will be unavailable.", zap.Error(err))
 return currentHandler
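Review bot: `required:"true"` on `SecurityMode` makes queue-proxy start-up fail whenever `SECURITY_MODE` is absent from its environment, which couples a metrics-only label to pod liveness: a queue-proxy image ahead of the controller that rendered its Deployment (version skew during an upgrade) would crash-loop for want of a tag value. deploy_test.go in this patch shows the rendered value can be an empty string, so the field is in practice already allowed to be empty; whether envconfig treats a present-but-empty value as satisfying `required` is not visible here. Dropping the constraint, `SecurityMode netcfg.Trust `split_words:"true"``, and extending the comment with `// an empty value is tolerated and yields an empty security_mode tag` seems the safer choice. The `config` struct starts outside the hunk.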
diff --git a/pkg/reconciler/revision/resources/deploy_test.go b/pkg/reconciler/revision/resources/deploy_test.go
index eac04c49e412..6b2cf6ba20ea 100644
--- a/pkg/reconciler/revision/resources/deploy_test.go
+++ b/pkg/reconciler/revision/resources/deploy_test.go
@@ -43,6 +43,7 @@ import (
 "knative.dev/serving/pkg/deployment"
 "knative.dev/serving/pkg/queue"

+ netcfg "knative.dev/networking/pkg/config"
 _ "knative.dev/pkg/metrics/testing"
 . "knative.dev/serving/pkg/testing/v1"
 )
@@ -188,6 +189,9 @@ var (
 }, {
 Name: "ENABLE_HTTP2_AUTO_DETECTION",
 Value: "false",
+ }, {
+ Name: "SECURITY_MODE",
+ Value: "",
 }, {
 Name: "ROOT_CA",
 Value: "",
@@ -529,6 +533,7 @@ func TestMakePodSpec(t *testing.T) {
 defaults *apicfg.Defaults
 dc deployment.Config
 fc apicfg.Features
+ nc netcfg.Config
 want *corev1.PodSpec
 }{{
 name: "user-defined user port, queue proxy have PORT env",
@@ -1348,6 +1353,7 @@ func TestMakePodSpec(t *testing.T) {
 cfg.Observability = &test.oc
 cfg.Deployment = &test.dc
 cfg.Features = &test.fc
+ cfg.Network = &test.nc
 if test.defaults != nil {
 cfg.Defaults = test.defaults
 }
diff --git a/pkg/reconciler/revision/resources/queue.go b/pkg/reconciler/revision/resources/queue.go
index 01263613c74c..e066c3b119e0 100644
--- a/pkg/reconciler/revision/resources/queue.go
+++ b/pkg/reconciler/revision/resources/queue.go
@@ -413,6 +413,9 @@ func makeQueueContainer(rev *v1.Revision, cfg *config.Config) (*corev1.Container
 }, {
 Name: "ENABLE_HTTP2_AUTO_DETECTION",
 Value: strconv.FormatBool(cfg.Features.AutoDetectHTTP2 == apicfg.Enabled),
+ }, {
+ Name: "SECURITY_MODE",
+ Value: string(cfg.Network.DataplaneTrust),
 }, {
 Name: "ROOT_CA",
 Value: cfg.Deployment.QueueSidecarRootCA,
diff --git a/pkg/reconciler/revision/resources/queue_test.go b/pkg/reconciler/revision/resources/queue_test.go
index f8998a549dcb..776a9d91f601 100644
--- a/pkg/reconciler/revision/resources/queue_test.go
+++ b/pkg/reconciler/revision/resources/queue_test.go
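Review bot: The new `SECURITY_MODE` env entry in queue.go is the one place where the env name, the config-network key `dataplane-trust` and the Go field `DataplaneTrust` meet, and none of the three names matches the others, so a one-line comment on the entry would spare the next reader a search: `// SECURITY_MODE carries config-network's dataplane-trust so queue-proxy can tag its request metrics with it.` Like its neighbours it dereferences a config sub-struct pointer (`cfg.Network`), which the fixtures in this patch had to arrange (`cfg.Network = &test.nc`, `Network: &test.nc`); worth a glance at the reconciler's config store to confirm that pointer is always populated, since that is not visible here. makeQueueContainer continues outside the hunk.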
@@ -417,6 +417,18 @@ func TestMakeQueueContainer(t *testing.T) {
 "ENABLE_HTTP2_AUTO_DETECTION": "false",
 })
 }),
+ }, {
+ name: "SecurityMode set",
+ rev: revision("bar", "foo",
+ withContainers(containers)),
+ nc: netcfg.Config{
+ DataplaneTrust: netcfg.TrustEnabled,
+ },
+ want: queueContainer(func(c *corev1.Container) {
+ c.Env = env(map[string]string{
+ "SECURITY_MODE": "enabled",
+ })
+ }),
 }}

 for _, test := range tests {
@@ -434,6 +446,7 @@ func TestMakeQueueContainer(t *testing.T) {
 Logging: &test.lc,
 Observability: &test.oc,
 Deployment: &test.dc,
+ Network: &test.nc,
 Config: &apicfg.Config{
 Features: &test.fc,
 },
@@ -1049,6 +1062,7 @@ var defaultEnv = map[string]string{
 "REVISION_TIMEOUT_SECONDS": "45",
 "REVISION_RESPONSE_START_TIMEOUT_SECONDS": "0",
 "REVISION_IDLE_TIMEOUT_SECONDS": "0",
+ "SECURITY_MODE": "",
 "SERVING_CONFIGURATION": "",
 "SERVING_ENABLE_PROBE_REQUEST_LOG": "false",
 "SERVING_ENABLE_REQUEST_LOG": "false",
From b6e8c104e2779101744cea11a8ac0fb1e425cc07 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Tue, 15 Aug 2023 10:29:17 -0400
Subject: [PATCH 5/5] refactor: use new helper function for determined tls
---
 cmd/activator/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/activator/main.go b/cmd/activator/main.go
index 86ecba021f53..8a1921f3e9c6 100644
--- a/cmd/activator/main.go
+++ b/cmd/activator/main.go
@@ -158,8 +158,8 @@ func main() {
 logger.Fatalw("Failed to construct network config", zap.Error(err))
 }

- // Enable TLS against queue-proxy when internal-encryption is enabled.
- tlsEnabled := networkConfig.InternalEncryption
+ // Enable TLS against queue-proxy when dataplane-trust != disabled.
+ tlsEnabled := networkConfig.InternalTLSEnabled()

 var certCache *certificate.CertCache