Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix DomainMappings when internal-encryption is enabled #878

Closed
wants to merge 2 commits into from
Closed

Fix DomainMappings when internal-encryption is enabled #878

wants to merge 2 commits into from

Conversation

KauzClay
Copy link
Contributor

@KauzClay KauzClay commented Feb 23, 2023
edited
Loading

Changes

  • 🐛 Fix bug
  • Set proto to h2c when ports named http2 use port 80, even when internal encryption is on.
  • the previous fix in Internal Encryption fixes #860 expected the K-Original-Host header to be present in the appendheaders section. However, it turns out that isn't added to the endpoint probe. This means that the ep would use h2 on port 80 when it was for DomainMappings.
  • Instead of adding the k-original-host header to the endpoint probes, or only checking for the rewriteHost field, I think the solution I'm proposing in the PR is simpler, and gets at the root of the problem: traffic to port 80 shouldn't try to be encrypted.
  • See this discussion for more context: Internal Encryption fixes #860 (comment)

/kind bug

Fixes #862

Release Note

Fixes issue where DomainMappings do not become ready when Internal Encryption is enabled.

Docs

N/A

@knative-prow knative-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. labels Feb 23, 2023
@knative-prow
Copy link

knative-prow bot commented Feb 23, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: KauzClay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 23, 2023
@codecov
Copy link

codecov bot commented Feb 23, 2023
edited
Loading

Codecov Report

Merging #878 (340ab10) into main (60d558f) will increase coverage by 0.15%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main     #878      +/-   ##
==========================================
+ Coverage   93.89%   94.04%   +0.15%     
==========================================
  Files           7        7              
  Lines         802      789      -13     
==========================================
- Hits          753      742      -11     
+ Misses         28       27       -1     
+ Partials       21       20       -1
Impacted Files Coverage Δ
pkg/reconciler/contour/contour.go 84.61% <0.00%> (-1.71%) ⬇️
pkg/reconciler/contour/resources/httpproxy.go 97.82% <100.00%> (+2.35%) ⬆️

@KauzClay KauzClay force-pushed the ck-860-round-2 branch 2 times, most recently from 5556f33 to 516bc1b Compare February 23, 2023 21:46
@knative-prow knative-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 23, 2023
@KauzClay KauzClay mentioned this pull request Feb 23, 2023
Closed
@KauzClay KauzClay changed the title [wip] only check for rewrite host when setting proto on httpproxy Fix DomainMappings when internal-encryption is enabled Feb 23, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2023
@KauzClay
Copy link
Contributor Author

KauzClay commented Mar 7, 2023

/assign @dprotaso

@dprotaso
Copy link
Contributor

traffic to port 80 shouldn't try to be encrypted.

Right now the queue proxy will spin up two http servers (TLS & non-TLS) - but long term I don't think we should continue to spin up the non-TLS server when internal encryption is on.

So I wonder if the right thing to do here is to make sure we start probing the TLS ports as a solution vs. continuing to probe on an unencrypted port 80

@KauzClay
Copy link
Contributor Author

KauzClay commented Mar 14, 2023
edited
Loading

traffic to port 80 shouldn't try to be encrypted.

Right now the queue proxy will spin up two http servers (TLS & non-TLS) - but long term I don't think we should continue to spin up the non-TLS server when internal encryption is on.

So I wonder if the right thing to do here is to make sure we start probing the TLS ports as a solution vs. continuing to probe on an unencrypted port 80

@dprotaso Maybe I misunderstood when I was poking at it, but the trouble I've run into is that when using a domain mapping, the service that gets probed is that top level service that points to the envoy. So if we update that service to have a 443 entry, then we also need the envoy to listen on 443. And then that starts creeping into the territory of adding TLS for internal routes.

My cluster is all messed up right now, but once I fix it I'll try to get a better example of what I'm trying to say

All that to say, I didn't know how to make a change do the right thing without spilling into a substantial change. And my goal for this PR was just to get the current broken implementation into a workable state.

@dprotaso
Copy link
Contributor

The service that gets probed is that top level service that points to the envoy.
...
So if we update that service to have a 443 entry, then we also need the envoy to listen on 443. And then that starts creeping into the territory of adding TLS for internal routes.

When internal TLS is turned on everything goes through the activator so I believe that would be the target of the probing. I believe TLS for internal routes should 'just work'

And my goal for this PR was just to get the current broken implementation into a workable state.

We do want all the hops encrypted though so that would included traffic from external proxy => internal proxy. I'm flexble on the path we take to get there so let me know what you think.

@dprotaso
Copy link
Contributor

dprotaso commented Mar 14, 2023 via email

@KauzClay
only check for rewrite host when setting proto
fad133d 
* the K-Original-Host header doesn't get set on the endpoint probe, so the previous check would use h2 on port 80 for the probe
@KauzClay
use h2c when ports named http2 use port 80
340ab10
@KauzClay
Copy link
Contributor Author

KauzClay commented Jun 1, 2023
edited
Loading

kinda left this one hanging, but, I think the work to add https to clusterLocal routes here (knative-extensions/net-certmanager#538) might help in this scenario.

As that moves forward, I assume there will be net-* changes required too. I'll see if I can do the net-contour one, and maybe that will help move this one along.

@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 1, 2023
@knative-prow-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-actions
Copy link

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Reopen with /reopen. Mark as fresh by adding the
comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 31, 2023
@KauzClay KauzClay closed this Sep 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@dprotaso dprotaso

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enabling Internal Encryption breaks DomainMappings when using Contour
3 participants
@KauzClay @dprotaso @knative-prow-robot