use h2c when ports named http2 use port 80

knative-extensions · May 25, 2023 · 340ab10 · 340ab10
1 parent fad133d
commit 340ab10
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 22 deletions.
diff --git a/pkg/reconciler/contour/contour.go b/pkg/reconciler/contour/contour.go
@@ -189,7 +189,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, ing *v1alpha1.Ingress) r
 		for _, port := range svc.Spec.Ports {
 
 			if port.Name == networking.ServicePortNameH2C {
-				if cfg.Network != nil && cfg.Network.InternalEncryption {
+				if cfg.Network != nil && cfg.Network.InternalEncryption && port.Port != networking.ServiceHTTPPort {
 					serviceToProtocol[name] = resources.InternalEncryptionH2Protocol
 					logger.Debugf("marked an http2 svc %s as h2 for internal encryption", name)
 				} else {

diff --git a/pkg/reconciler/contour/contour_test.go b/pkg/reconciler/contour/contour_test.go
@@ -548,7 +548,7 @@ func TestReconcileInternalEncryption(t *testing.T) {
 		Objects: append([]runtime.Object{
 			ing("dm-name", "ns", withDomainMappingSpec, withContour),
 			mustMakeProbe(t, ing("dm-name", "ns", withDomainMappingSpec, withContour), makeItReady),
-		}, servicesAndEndpoints...),
+		}, tlsServiceAndEndpoint...),
 		WantCreates: mustMakeProxiesWithConfig(t, ing("dm-name", "ns", withDomainMappingSpec, withContour), internalEncryptionConfig),
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: ing("dm-name", "ns", withDomainMappingSpec, withContour, func(i *v1alpha1.Ingress) {
@@ -800,7 +800,7 @@ var (
 		&corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "ns",
-				Name:      tlsServiceName,
+				Name:      tlsRevisionServiceName,
 			},
 			Spec: corev1.ServiceSpec{
 				Ports: []corev1.ServicePort{{
@@ -811,6 +811,18 @@ var (
 				}},
 			},
 		},
+		&corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "ns",
+				Name:      tlsServiceName,
+			},
+			Spec: corev1.ServiceSpec{
+				Ports: []corev1.ServicePort{{
+					Name: "http2",
+					Port: 80,
+				}},
+			},
+		},
 		// Contour Control Plane Services
 		&corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
@@ -835,7 +847,7 @@ var (
 		&corev1.Endpoints{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "ns",
-				Name:      tlsServiceName,
+				Name:      tlsRevisionServiceName,
 			},
 			Subsets: []corev1.EndpointSubset{{
 				Addresses: []corev1.EndpointAddress{{
@@ -847,14 +859,32 @@ var (
 				}},
 			}},
 		},
+		&corev1.Endpoints{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "ns",
+				Name:      tlsServiceName,
+			},
+			Subsets: []corev1.EndpointSubset{{
+				Addresses: []corev1.EndpointAddress{{
+					IP: "192.168.1.1",
+				}},
+				Ports: []corev1.EndpointPort{{
+					Name:     "http2",
+					Port:     80,
+					Protocol: corev1.ProtocolTCP,
+				}},
+			}},
+		},
 	}
 	tlsServiceAndEndpoint = append(append([]runtime.Object{}, tlsService...), tlsEndpoint...)
 
-	h2cServiceName    = "doo"
-	tlsServiceName    = "tlsService"
-	serviceToProtocol = map[string]string{
-		h2cServiceName: "h2c",
-		tlsServiceName: resources.InternalEncryptionProtocol,
+	h2cServiceName         = "doo"
+	tlsServiceName         = "tlsService"
+	tlsRevisionServiceName = tlsServiceName + "-00001"
+	serviceToProtocol      = map[string]string{
+		h2cServiceName:         "h2c",
+		tlsServiceName:         "h2c",
+		tlsRevisionServiceName: resources.InternalEncryptionProtocol,
 	}
 )
 
@@ -1007,7 +1037,7 @@ func withTLSServiceSpec(i *v1alpha1.Ingress) {
 				Paths: []v1alpha1.HTTPIngressPath{{
 					Splits: []v1alpha1.IngressBackendSplit{{
 						IngressBackend: v1alpha1.IngressBackend{
-							ServiceName:      tlsServiceName,
+							ServiceName:      tlsRevisionServiceName,
 							ServiceNamespace: i.Namespace,
 							ServicePort:      intstr.FromInt(443),
 						},
@@ -1033,7 +1063,7 @@ func withDomainMappingSpec(i *v1alpha1.Ingress) {
 							"K-Original-Host": "dm.example.com",
 						},
 						IngressBackend: v1alpha1.IngressBackend{
-							ServiceName:      "doo",
+							ServiceName:      tlsServiceName,
 							ServiceNamespace: i.Namespace,
 							ServicePort:      intstr.FromInt(80),
 						},

diff --git a/pkg/reconciler/contour/resources/httpproxy.go b/pkg/reconciler/contour/resources/httpproxy.go
@@ -188,17 +188,7 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
 				svc.RequestHeadersPolicy = postSplitHeaders
 
 				if proto, ok := serviceToProtocol[split.ServiceName]; ok {
-					//In order for domain mappings to work with internal
-					//encryption, need to unencrypt traffic back to the envoy.
-					//See
-					//https://github.com/knative-sandbox/net-contour/issues/862
-					//Can identify domain mappings by the presence of the
-					//RewriteHost field on the Path
-					if path.RewriteHost != "" {
-						svc.Protocol = ptr.String("h2c")
-					} else {
-						svc.Protocol = ptr.String(proto)
-					}
+					svc.Protocol = ptr.String(proto)
 				}
 
 				if cfg.Network != nil && cfg.Network.InternalEncryption {