Internal Encryption fixes

[KauzClay]

Changes

🐛 Fixes #862

• Unencrypt request back to envoy for domainmappings when internal encryption is enabled
• net-contour currently sets the protocol as h2 for services with ports named http2 when internal encryption. This change will set the protocol as h2c if the kingress has domainmapping labels.
• This isn't the perfect fix, but it does at least make domainmappings work properly when using internal encryption. I hope this is enough for the beta stage of these features.

🐛 internal encryption breaks http01 challenges

• Don't encrypt traffic to http challenge endpoint, use http instead
• The current implementation tries to use tls to connect to the http01 challenge endpoint when internal encryption is enabled, auto-tls is enabled, and httpOption is redirected,
• This path is currently hidden by flawed cert-manager behavior that is being addressed here. So long as this fix is included before or in the same release as the cert-manager changes, I don't think anyone will run into this.

Release Note

Fixes issue where DomainMappings do not become ready when Internal Encryption is enabled.

Docs

N/A

[knative-prow]

@KauzClay: The label(s) kind/<kind> cannot be applied, because the repository doesn't have them.

In response to this:

Changes

• unencrypt call back to envoy in domainmappings when internal encryption is enabled
• this is a hack as of now, not a good idea to rely on rewrite hosts to know something is domainmapping

/kind

Fixes # knative/serving#13659

Release Note

TBD

Docs

N/A

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov]

Codecov Report

Merging #860 (6dfcff6) into main (6e15300) will increase coverage by 0.08%.
The diff coverage is 91.66%.

❗ Current head 6dfcff6 differs from pull request most recent head d854098. Consider uploading reports for the commit d854098 to get more accurate results

@@            Coverage Diff             @@
##             main     #860      +/-   ##
==========================================
+ Coverage   93.99%   94.08%   +0.08%     
==========================================
  Files           7        7              
  Lines         783      794      +11     
==========================================
+ Hits          736      747      +11     
  Misses         27       27              
  Partials       20       20              

Impacted Files	Coverage Δ
pkg/reconciler/contour/contour.go	85.00% <85.71%> (+0.38%)	⬆️
pkg/reconciler/contour/resources/httpproxy.go	97.81% <100.00%> (+0.04%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[KauzClay]

/assign @dprotaso

[KauzClay]

/assign @evankanderson

Since you were also involved on some of the previous internal-encryption PRs

[KauzClay]

I had to bring in a fair amount of serving code just to use these labels. Maybe there is a better way to import it that doesn't bring in so much?

[evankanderson]

What you probably want to do is to either copy the constants here, or move them into networking. When you have net-contour import serving directly, it makes it hard to cut a release, because the net-contour package can't be cut until the serving package is tagged.

Alternatively, you could look at the OwnerReferences field to see whether the owner is a Knative Route or a DomainMapping.

The third option would be to add some explicit field to the KIngress indicating which type it is.

The fourth option would be to look at the spec.rules -- if there's a single rule with visibility: externalIP, that must be a DomainMapping, because a Route always has an internal mapping: https://github.com/knative/serving/blob/main/pkg/reconciler/route/resources/ingress.go#L141

[KauzClay]

ah okay, thanks for explaining that about importing serving.

I didn't even think about the owner reference, I think I will go for that. It seems the least intrusive but still pretty explicit. Then I can avoid having duplicated constants or adding more fields to the kingress.

[dprotaso]

DomainMapping just sets HostRewrite on the KIngress - https://github.com/knative/networking/blob/2473e65d69206ed544f32e47f994cf3635bebdbe/pkg/apis/networking/v1alpha1/ingress_types.go#L208-L212

You could look at that spec property and the target k8s service (it pointing to a contour's envoy service)

[KauzClay]

ah, well maybe not, the type definition for domainmappings is in the serving repo.

[evankanderson]

I think you can define a constant for DomainMapping here, or add a helper in networking to determine if a KIngress represents a DomainMapping.

It might be more robust, though, to look for the rewriteHeader field and the presence of knative.dev/networking/pkg/http/header.OriginalHostKey as a field in AppendHeaders.

[KauzClay]

okay, I went with the check for rewriteheader + originalhost key, and put in a comment explaining it a bit.

[dprotaso]

This PR makes me realize that we need a special consideration for traffic going through external envoy => internal envoy and ensuring that hop is encrypted - right now we're setting it to h2c.

I wonder if TLS passthrough makes more sense.

[evankanderson]

I wonder if TLS passthrough makes more sense.

I like that, except that we have no KIngress construct to describe this (and it's not clear that we should).

[KauzClay]

/test integration-tests

[KauzClay]

Hey @evankanderson @dprotaso , do you have any other thoughts on this one?

To me it sounds like any actions regarding Dave's comment

This PR makes me realize that we need a special consideration for traffic going through external envoy => internal envoy and ensuring that hop is encrypted - right now we're setting it to h2c.

probably should happen in another PR. Is that what you had in mind?

[dprotaso]

probably should happen in another PR. Is that what you had in mind?

Yeah let's make an new issue and do it as a follow up

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, KauzClay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [KauzClay,dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment