Support knative-internal-tls in net-contour #703
Comments
This issue is stale because it has been open for 90 days with no
/remove-lifecycle stale
This issue is stale because it has been open for 90 days with no
Is this feature being worked on?
Also, from the PR it's important to mention: "This isn't out yet but should be this month."
Thanks, this should solve knative/serving#13579
Right now this change just does TLS between contour and the backend Knative Services. We're effectively automating this step: https://projectcontour.io/docs/v1.23.2/config/upstream-tls/ Between which two components/entities do you want mTLS?
I am trying to get mTLS set up between contour and the backend Knative Services; the certs are provided by cert-manager, so that the creation and rotation of certificates can happen.
Contour 1.24.0 is out, I tried bringing it in here: #861
Hi @KauzClay. I tried using the above version. The certificates are not yet getting used for communication between two knative user-services.
Hey @amarflybot, can you please explain your setup? Are you expecting traffic from a Knative user pod to another via an address like If so, internal route traffic has not been encrypted yet. So far, the encryption path is just If you made one Ksvc hit the External address of another Ksvc, I would expect that to work. However, if you want encryption from If that isn't the case, I'm curious what you're seeing.
@amarflybot see also knative/serving#13472.
My ingress is contour, so I have net-contour installed. I have cert-manager installed, but it does not make http://other-service.ns.svc.cluster.local encrypted, i.e. it does not change the URL to https. Now the traffic goes from one KN service to the other KN service, and I would expect this to be encrypted. If this work is being tracked under this ticket, then I guess I have to wait for the next release. I believe svc.cluster.local is handled in a special way; is it not meant to be encrypted?
Got it, thanks
This was completed here: #1110
Larger description in the Feature Track document

Summary:

Contour should support calling activator / backends with a known CA key and subject name (provided by the cluster administrator in `config-network` for the All Hops Encrypted alpha).

Expected `config-network` keys:

- `activator-ca` -- contains the CA public certificate used to sign the activator TLS certificate
- `activator-name` -- contains the SAN (Subject Alt Name) used to validate the activator TLS certificate

This probably involves setting the `spec.routes.services[].protocol` and `spec.routes.services[].validation` fields on the HTTPProxy object

/kind feature-request
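The following manifests are an added example, not net-contour's generated output or anything from the linked PRs: they show what the issue's proposal (the `activator-ca` / `activator-name` keys in `config-network`, and the `protocol` / `validation` fields on the HTTPProxy) maps to in Contour's own upstream TLS API that the "automating this step" comment above links to. The namespaces, Secret and service names, the `fqdn`, the backend port and the SAN value are all assumptions made for illustration; the PEM bodies are placeholders.

```yaml
# Added example, not project code. Names, namespaces, ports and the SAN are assumptions.

# 1. The operator-supplied inputs the issue proposes for config-network.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
  # Proposed key: PEM CA certificate that signed the activator's serving cert.
  activator-ca: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  # Proposed key: the SAN Envoy must find in the activator's certificate.
  # This must be a Subject Alternative Name, not merely the certificate CN.
  activator-name: activator.knative-serving.svc.cluster.local
---
# 2. Contour validates upstream TLS against a Secret whose `ca.crt` key holds the CA bundle.
apiVersion: v1
kind: Secret
metadata:
  name: activator-ca
  namespace: knative-serving
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
---
# 3. The HTTPProxy lives in the Knative Service's namespace (`default` here, an assumption),
#    so Contour's cross-namespace Secret reference needs a TLSCertificateDelegation.
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: activator-ca
  namespace: knative-serving
spec:
  delegations:
    - secretName: activator-ca
      targetNamespaces:
        - default
---
# 4. The per-backend route entry: protocol switches the upstream to TLS, validation pins
#    the CA and the expected SAN. Without `validation`, Envoy encrypts but does not verify.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: hello
  namespace: default
spec:
  virtualhost:
    fqdn: hello.default.example.com
  routes:
    - services:
        - name: hello-00001        # backend Service name: assumption
          port: 443                # TLS-serving backend port: assumption
          protocol: tls            # spec.routes.services[].protocol
          validation:              # spec.routes.services[].validation
            caSecret: knative-serving/activator-ca      # namespace/name form
            subjectName: activator.knative-serving.svc.cluster.local
```

Two checks worth running after applying something like this: `kubectl get httpproxy -n default hello -o jsonpath='{.status.currentStatus} {.spec.routes[*].services[*].validation}'` should report `valid` and echo the `caSecret` / `subjectName` pair (an undelegated or missing CA Secret makes the HTTPProxy invalid rather than silently unverified); and a `subjectName` that does not appear in the backend certificate's SANs surfaces as Envoy refusing the upstream handshake, which clients see as an HTTP 503 from the ingress, not as a certificate error. Rotating the CA means updating the Secret's `ca.crt`, which Contour picks up without touching the HTTPProxy.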