Internal Encryption fixes

pkg/reconciler/contour/contour_test.go

@@ -542,6 +542,37 @@ func TestReconcileInternalEncryption(t *testing.T) {
 			},
 			Name: "name--ep",
 		}},
+	}, {
+		Name: "first reconcile domainmapping ingress (endpoints probe succeeded)",
+		Key:  "ns/dm-name",
+		Objects: append([]runtime.Object{
+			ing("dm-name", "ns", withDomainMappingSpec, withContour),
+			mustMakeProbe(t, ing("dm-name", "ns", withDomainMappingSpec, withContour), makeItReady),
+		}, servicesAndEndpoints...),
+		WantCreates: mustMakeProxiesWithConfig(t, ing("dm-name", "ns", withDomainMappingSpec, withContour), internalEncryptionConfig),
+		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+			Object: ing("dm-name", "ns", withDomainMappingSpec, withContour, func(i *v1alpha1.Ingress) {
+				// These are the things we expect to change in status.
+				i.Status.InitializeConditions()
+				i.Status.MarkNetworkConfigured()
+				i.Status.MarkLoadBalancerReady(
+					[]v1alpha1.LoadBalancerIngressStatus{{
+						DomainInternal: publicSvc,
+						IP:             publicSvcIP,
+					}},
+					[]v1alpha1.LoadBalancerIngressStatus{{
+						DomainInternal: privateSvc,
+						IP:             privateSvcIP,
+					}})
+			}),
+		}},
+		WantDeletes: []clientgotesting.DeleteActionImpl{{
+			ActionImpl: clientgotesting.ActionImpl{
+				Namespace: "ns",
+				Resource:  v1alpha1.SchemeGroupVersion.WithResource("ingresses"),
+			},
+			Name: "dm-name--ep",
+		}},
 	}}
 
 	table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler {
@@ -988,6 +1019,32 @@ func withTLSServiceSpec(i *v1alpha1.Ingress) {
 	}
 }
 
+func withDomainMappingSpec(i *v1alpha1.Ingress) {
+	i.Spec = v1alpha1.IngressSpec{
+		HTTPOption: v1alpha1.HTTPOptionEnabled,
+		Rules: []v1alpha1.IngressRule{{
+			Hosts:      []string{"dm.example.com"},
+			Visibility: v1alpha1.IngressVisibilityExternalIP,
+			HTTP: &v1alpha1.HTTPIngressRuleValue{
+				Paths: []v1alpha1.HTTPIngressPath{{
+					RewriteHost: "name.ns.svc.cluster.local",
+					Splits: []v1alpha1.IngressBackendSplit{{
+						AppendHeaders: map[string]string{
+							"K-Original-Host": "dm.example.com",
+						},
+						IngressBackend: v1alpha1.IngressBackend{
+							ServiceName:      "doo",
+							ServiceNamespace: i.Namespace,
+							ServicePort:      intstr.FromInt(80),
+						},
+						Percent: 100,
+					}},
+				}},
+			},
+		}},
+	}
+}
+
 func withAnnotation(ann map[string]string) IngressOption {
 	return func(i *v1alpha1.Ingress) {
 		i.Annotations = kmeta.UnionMaps(i.Annotations, ann)

pkg/reconciler/contour/resources/constants.go

@@ -45,6 +45,10 @@ const (
 	//Contour's Envoys to encrypt the traffic to the activator.
 	InternalEncryptionProtocol   = "tls"
 	InternalEncryptionH2Protocol = "h2"
+
+	//HttpChallengePath is the path that gets added to routes when using
+	//auto-TLS with an http01 solver as the issuer.
+	HTTPChallengePath = "/.well-known/acme-challenge"
 )
 
 // These are the annotations which are optionally set in ksvc/ingress

pkg/reconciler/contour/resources/httpproxy.go

@@ -32,6 +32,7 @@ import (
 	"knative.dev/net-contour/pkg/reconciler/contour/config"
 	"knative.dev/networking/pkg/apis/networking/v1alpha1"
 	netcfg "knative.dev/networking/pkg/config"
+	netheader "knative.dev/networking/pkg/http/header"
 	"knative.dev/networking/pkg/ingress"
 	"knative.dev/pkg/kmeta"
 	"knative.dev/pkg/network"
@@ -170,11 +171,16 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
 				postSplitHeaders := &v1.HeadersPolicy{
 					Set: make([]v1.HeaderValue, 0, len(split.AppendHeaders)),
 				}
+
+				hasOriginalHostKey := false
 				for key, value := range split.AppendHeaders {
 					postSplitHeaders.Set = append(postSplitHeaders.Set, v1.HeaderValue{
 						Name:  key,
 						Value: value,
 					})
+					if key == netheader.OriginalHostKey {
+						hasOriginalHostKey = true
+					}
 				}
 				if len(postSplitHeaders.Set) > 0 {
 					sort.Slice(postSplitHeaders.Set, func(i, j int) bool {
@@ -187,7 +193,18 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
 				svc.RequestHeadersPolicy = postSplitHeaders
 
 				if proto, ok := serviceToProtocol[split.ServiceName]; ok {
-					svc.Protocol = ptr.String(proto)
+					//In order for domain mappings to work with internal
+					//encryption, need to unencrypt traffic back to the envoy.
+					//See
+					//https://github.com/knative-sandbox/net-contour/issues/862
+					//Can identify domain mappings by the presence of the RewriteHost field on
+					//the Path in combination with the "K-Original-Host" key in appendHeaders on
+					//the split
+					if path.RewriteHost != "" && hasOriginalHostKey {
+						svc.Protocol = ptr.String("h2c")
+					} else {
+						svc.Protocol = ptr.String(proto)
+					}
 				}
 
 				if cfg.Network != nil && cfg.Network.InternalEncryption {
@@ -197,6 +214,12 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
 					}
 				}
 
+				if strings.Contains(path.Path, HTTPChallengePath) {
+					//make sure http01 challenge doesn't get encrypted or use http2
+					svc.Protocol = nil
+					svc.UpstreamValidation = nil
+				}
+
 				svcs = append(svcs, svc)
 			}