Support knative-internal-tls in net-contour #703

Closed
evankanderson opened this issue Jan 13, 2022 · 16 comments · Fixed by #1110
Labels
kind/feature-request lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@evankanderson
Contributor

Larger description in the Feature Track document

Summary:

Contour should support calling activator / backends with a known CA key and subject name (provided by the cluster administrator in config-network for the All Hops Encrypted alpha).

Expected config-network keys:

  • activator-ca -- contains the CA public certificate used to sign the activator TLS certificate
  • activator-name -- contains the SAN (Subject Alt Name) used to validate the activator TLS certificate

This probably involves setting the spec.routes.services[].protocol and spec.routes.services[].validation fields on the HTTPProxy object

/kind feature-request

@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 14, 2022
Contributor Author

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 14, 2022
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 14, 2022
@nak3 nak3 reopened this Aug 15, 2022
@nak3 nak3 added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 15, 2022
@dprotaso dprotaso moved this to In Progress in Serving API Roadmap Jan 12, 2023
@amarflybot

Is this feature being worked on?

@dprotaso
Contributor

dprotaso commented Jan 16, 2023

/assign @KauzClay

@KauzClay landed the changes in #819

I believe what's outstanding is an e2e test in the serving repo.

@dprotaso
Contributor

Also from the PR it's important to mention Requires Contour 1.24.0 or greater

This isn't out yet but should be this month.

@amarflybot

amarflybot commented Jan 17, 2023

Thanks, this should solve knative/serving#13579
@dprotaso Do you think we could have mtls over http, like istio does?

@dprotaso
Contributor

@dprotaso Do you think we could have mtls over http, like istio does?

Right now this change just does TLS between contour and the backend Knative Services. We're effectively automating this step https://projectcontour.io/docs/v1.23.2/config/upstream-tls/

Between which two components/entities do you want mTLS?

@amarflybot

amarflybot commented Jan 18, 2023

@dprotaso

Between which two components/entities do you want mTLS?

I am trying to get mTLS set up between contour and the backend Knative Services, with the certs provided by cert-manager, so that the creation and rotation of certificates can happen.
Do you mind sharing some docs on how to set this up?

@KauzClay
Contributor

KauzClay commented Feb 1, 2023

Contour 1.24.0 is out, I tried bringing it in here: #861

@amarflybot

amarflybot commented Feb 20, 2023

Hi @KauzClay. I tried using the above version. The certificates are not yet getting used for communication between two Knative user services.
With internal-encryption=true, the service's status changes to IngressNotConfigured: Ingress has not yet been reconciled.

@KauzClay
Contributor

KauzClay commented Feb 22, 2023

Hey @amarflybot can you please explain your setup? Are you expecting traffic from a Knative user pod to another via an address like other-ksvc.ns.svc.cluster.local?

If so, internal route traffic has not been encrypted yet. So far, the encryption path is just contour -> activator -> queue proxy.

If you made one Ksvc hit the External address of another Ksvc, I would expect that to work. However, if you want encryption from client -> contour, you would need to enable auto-tls. The certs provided from cert-manager via auto-tls are separate from the certs used in the current implementation of internal-encryption.

If that isn't the case, I'm curious what you're seeing.

@ReToCode
Member

@amarflybot see also knative/serving#13472.

@amarflybot

amarflybot commented Feb 23, 2023

My ingress is contour, so I have net-contour installed. I have cert-manager installed, but it does not make http://other-service.ns.svc.cluster.local encrypted, i.e. it does not change the URL to https. Now the traffic goes from one KN service to another KN service, and I would expect this to be encrypted. If this work is being tracked under this ticket, then I guess I have to wait for the next release.

I believe svc.cluster.local is handled in a special way; is it not meant to be encrypted?

@amarflybot

@amarflybot see also knative/serving#13472.

Got it, thanks

@dprotaso dprotaso changed the title All Hops Encrypted: Contour Support knative-internal-tls in net-contour Sep 14, 2023
@dprotaso
Contributor

dprotaso commented Jul 7, 2024

This was completed here: #1110
