Add additional encryption config flags + labels

[ReToCode]

Changes

• In preparation for [cluster-local-domain-tls] extend our Knative internal CA to sign cluster-local certificates serving#14216
• Add CertificateTypeLabelKey label with values CertificateType to indicate different types of a KnativeCertificate
• Drop deprecated and now unused ServingInternalCertName (checked in all repos in knative + knative-extensions)
• Add helper method GetIngressTLSForVisibility to Ingress to filter cluster-local and external-ip TLS blocks.

/kind enhancement

Example of KnativeIngress with TLS block for cluster-local-domain-tls:

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  name: helloworld
  namespace: default
spec:
  httpOption: Enabled
  rules:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ClusterLocal
  - hosts:
    - helloworld.default.10.89.0.200.sslip.io
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
  tls:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    secretName: route-ba07ea4e-2548-4632-9187-e615c876cffc-local
    secretNamespace: default

[ReToCode]

PTAL:

/assign @dprotaso
/assign @nak3
/assign @skonto
/assign @KauzClay

[codecov]

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (25da91b) 82.14% compared to head (db5cba2) 82.18%.
Report is 1 commits behind head on main.

Files	Patch %	Lines
pkg/apis/networking/v1alpha1/ingress_helpers.go	85.71%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #891      +/-   ##
==========================================
+ Coverage   82.14%   82.18%   +0.04%     
==========================================
  Files          45       46       +1     
  Lines        1725     1746      +21     
==========================================
+ Hits         1417     1435      +18     
- Misses        266      268       +2     
- Partials       42       43       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nak3]

/lgtm
/hold

Thank you!
For knative-extensions/net-istio, I think we need to add IngressTLS.Vibility in the unit test.
/hold for other reviewers. Please feel free to unhold if no one will take a look.

[ReToCode]

For knative-extensions/net-istio, I think we need to add IngressTLS.Vibility in the unit test.

👍 I'll do that as a follow-up

[dprotaso]

Add visibility to KnativeIngress.TLS (see example below)

Why does the ingress need this?

[ReToCode]

Why does the ingress need this?

Hm, thinking about it based on your question, it is probably not totally necessary. But without having it, each net-* solution would need to compare the tls section with the hosts list to find out if the tls config is relevant for a cluster-local domain or an external domain. In net-kourier, we use this flag to distinguish which listener to configure:

• https://github.com/knative-extensions/net-kourier/pull/1156/files#diff-ba0933c476bd2d5262d8a049d818bfdb85e4367bd9fe4e44e6344e59d3245745R116
• https://github.com/knative-extensions/net-kourier/pull/1156/files#diff-e42194f399f5b50c7552aef224c002778531fdf92f11ae4be81e85ba6968b0a9R73

[nak3]

Should we restructure the spec.tls and spec.rules at this time? For example,

option a) merge `spec.tls` into `spec.rules` like:

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  name: helloworld
  namespace: default
spec:
  httpOption: Enabled
  rules:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ClusterLocal
    secretName: some-local-secret  # optional - omitting means no TLS.
    secretNamespace: default
  - hosts:
    - helloworld.default.10.89.0.200.sslip.io
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ExternalIP
    secretName: route-ba07ea4e-2548-4632-9187-e615c876cffc-local # optional - omitting means no TLS.
    secretNamespace: default

option b) drop `spec.tls.hosts[]` and use the `spec.tls.visibility` as a key like:

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  name: helloworld
  namespace: default
spec:
  httpOption: Enabled
  rules:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ClusterLocal
  - hosts:
    - helloworld.default.10.89.0.200.sslip.io
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ExternalIP
  tls:
  - visibility: ExternalIP
    secretName: secret-for-external
    secretNamespace: default
  - visibility: ClusterLocal
    secretName: route-ba07ea4e-2548-4632-9187-e615c876cffc-local
    secretNamespace: default

Also, httpOption might be better to apply for local and external respectively.

[ReToCode]

Hm, not sure if option b) would work. Note we can have multiple entries for both visibilities with different certificates:
Here an example with tags:

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  labels:
    serving.knative.dev/route: helloworld
    serving.knative.dev/routeNamespace: default
    serving.knative.dev/service: helloworld
  name: helloworld
  namespace: default
spec:
  httpOption: Enabled
  rules:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ClusterLocal
  - hosts:
    - helloworld.default.192.168.105.100.sslip.io
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ExternalIP
  - hosts:
    - latest-helloworld.default
    - latest-helloworld.default.svc
    - latest-helloworld.default.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ClusterLocal
  - hosts:
    - latest-helloworld.default.192.168.105.100.sslip.io
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: helloworld-00001
          percent: 100
          serviceName: helloworld-00001
          serviceNamespace: default
          servicePort: 443
    visibility: ExternalIP
  tls:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    secretName: route-9f44405d-74a9-496b-a43d-effdf98bd6ca-local
    secretNamespace: default
    visibility: ClusterLocal
  - hosts:
    - latest-helloworld.default
    - latest-helloworld.default.svc
    - latest-helloworld.default.svc.cluster.local
    secretName: route-9f44405d-74a9-496b-a43d-effdf98bd6ca-147587726-local
    secretNamespace: default
    visibility: ClusterLocal

Option a) seems nice, but not sure if we want to change it that much, as this will impact all net-* implementations, regardless of their current state of implementing the new features. Also it might have a reason why it has been done that way in the first place? WDYT @dprotaso ?

[nak3]

I just realized that another concern of ths PR. Current net-* implementaitons does a simple loop against spec.TLS or len(ing.Spec.TLS) > 0. So if we added the cluster local TLS, it will break external TLS without their support of cluster local TLS?
Do you have a plan how to manage it like filter it by spec.TLS.Visiblity or we just document that "Do NOT enable (do not touch) cluster local TLS for net-{istio, contour}"?

• net-istio
  https://github.com/knative-extensions/net-istio/blob/e07187e33415e9c04a7c7ce473c083791e870feb/pkg/reconciler/ingress/resources/gateway.go#L306

• net-contour
  https://github.com/knative-extensions/net-contour/blob/c5932aa6c79e79f3d482dfe2b8d8c87811eca9ce/pkg/reconciler/contour/resources/httpproxy.go#L107
  https://github.com/knative-extensions/net-contour/blob/c5932aa6c79e79f3d482dfe2b8d8c87811eca9ce/pkg/reconciler/contour/resources/kingress.go#L138

[ReToCode]

That is a good point @nak3 , but I think not one that we can omit without introducing a totally new field here. The flag is still marked as alpha, so I'd vote to add the hint as you say. As long as this feature is not finished, it should not be enabled in a real environment. Then the cluster-local TLS entries will not occur.

I'll add this filter changes as issues to our tracking umbrella.

[dprotaso]

I think I'd like to avoid API changes to our internal Ingress resource - since we'd have to support multiple versions while we perform a migration.

Given that the TLS stanza just maps host names to a secret I think I'd rather just create helper functions in this repo that implementations can use to reduce complexity.

[ReToCode]

/hold I'm doing some testing with kourier + serving and add a test for the new function.

[skonto]

Should we restructure the spec.tls and spec.rules at this time? For example,

I would vote for that too. It seems there is a lot of repetition of info here.

[dprotaso]

I would vote for that too. It seems there is a lot of repetition of info here.

You could argue that you get more repetition if you have a TLS block within the rules block. If you didn't have wildcard certs then you'd have to repeat the entire rule many times (eg. appendHeaders)

[skonto]

You could argue that you get more repetition if you have a TLS block within the rules block.

We could have it under rules, my thinking was optimize based on what is common in practice:

spec:
  rules:
  - hosts:
    - helloworld.default
    - helloworld.default.svc
    - helloworld.default.svc.cluster.local
    tls:   

Not sure if we are describing the same thing.

[ReToCode]

@skonto @dprotaso I don't think we ever have a * in king. It seems to be only in the kcert, see:

• king domain-mapping with tls
• king with namespace wildcards
• kcert with wildcard

But anyway, I added GetIngressTLSForVisibility on Ingress and updated the PR description above. With this there are no changes to the API, we only need to make sure the net-* repos use the new method before one enables cluster-local-domain-tls. Full test run with kourier, net-certmanager is in Serving, see here. Can you take another look?

[dprotaso]

Can you update the commit message - it doesn't match the contents of the commit

[dprotaso]

What are the corresponding values?

[ReToCode]

Added a comment to link to config.CertificateType. Is there a better way to do this?

[dprotaso]

This shouldn't be an equal comparison but tls.Hosts.Contains(host)

In theory KIngress can express different TLS certs for different hosts that are in the same rules block

[ReToCode]

I see, switched it to check if every host in Rules.Hosts is contained in TLS.Hosts. Also added a test case for this.

[dprotaso]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ReToCode,dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment