diff --git a/pkg/reconciler/contour/contour.go b/pkg/reconciler/contour/contour.go
index d8c891811..49fb44134 100644
--- a/pkg/reconciler/contour/contour.go
+++ b/pkg/reconciler/contour/contour.go
@@ -189,7 +189,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, ing *v1alpha1.Ingress) r
 	for _, port := range svc.Spec.Ports {
 		if port.Name == networking.ServicePortNameH2C {
-			if cfg.Network != nil && cfg.Network.InternalEncryption {
+			if cfg.Network != nil && cfg.Network.InternalEncryption && port.Port != networking.ServiceHTTPPort {
 				serviceToProtocol[name] = resources.InternalEncryptionH2Protocol
 				logger.Debugf("marked an http2 svc %s as h2 for internal encryption", name)
 			} else {
diff --git a/pkg/reconciler/contour/contour_test.go b/pkg/reconciler/contour/contour_test.go
index 51fb2c3de..902e1c082 100644
--- a/pkg/reconciler/contour/contour_test.go
+++ b/pkg/reconciler/contour/contour_test.go
@@ -548,7 +548,7 @@ func TestReconcileInternalEncryption(t *testing.T) {
 		Objects: append([]runtime.Object{
 			ing("dm-name", "ns", withDomainMappingSpec, withContour),
 			mustMakeProbe(t, ing("dm-name", "ns", withDomainMappingSpec, withContour), makeItReady),
-		}, servicesAndEndpoints...),
+		}, tlsServiceAndEndpoint...),
 		WantCreates: mustMakeProxiesWithConfig(t, ing("dm-name", "ns", withDomainMappingSpec, withContour), internalEncryptionConfig),
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: ing("dm-name", "ns", withDomainMappingSpec, withContour, func(i *v1alpha1.Ingress) {
@@ -800,7 +800,7 @@ var (
 		&corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "ns",
-				Name:      tlsServiceName,
+				Name:      tlsRevisionServiceName,
 			},
 			Spec: corev1.ServiceSpec{
 				Ports: []corev1.ServicePort{{
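Review bot: The added `port.Port != networking.ServiceHTTPPort` clause uses the port number alone to decide that an h2c port must stay plaintext, so with InternalEncryption enabled any backend whose `http2` port happens to be 80 is mapped to h2c and receives unencrypted traffic, with only a Debug-level trace on the other branch. The code removed from httpproxy.go in this same commit identified the domain-mapping hop explicitly (RewriteHost plus K-Original-Host, citing issue #862); if port 80 is meant to stand in for that same hop back into Envoy, that intent should be stated on the condition, e.g. `// Port 80 is the plaintext hop back through Envoy used by domain mappings (net-contour #862); it cannot be upgraded to TLS.` Consider matching on the ingress service identity rather than the bare port, and logging the plaintext fallback above Debug so an operator can see which services bypass internal encryption. ReconcileKind and the else branch continue outside the hunk.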
@@ -811,6 +811,18 @@ var (
 				}},
 			},
 		},
+		&corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "ns",
+				Name:      tlsServiceName,
+			},
+			Spec: corev1.ServiceSpec{
+				Ports: []corev1.ServicePort{{
+					Name: "http2",
+					Port: 80,
+				}},
+			},
+		},
 		// Contour Control Plane Services
 		&corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
@@ -835,7 +847,7 @@ var (
 		&corev1.Endpoints{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "ns",
-				Name:      tlsServiceName,
+				Name:      tlsRevisionServiceName,
 			},
 			Subsets: []corev1.EndpointSubset{{
 				Addresses: []corev1.EndpointAddress{{
@@ -847,14 +859,32 @@ var (
 				}},
 			}},
 		},
+		&corev1.Endpoints{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "ns",
+				Name:      tlsServiceName,
+			},
+			Subsets: []corev1.EndpointSubset{{
+				Addresses: []corev1.EndpointAddress{{
+					IP: "192.168.1.1",
+				}},
+				Ports: []corev1.EndpointPort{{
+					Name:     "http2",
+					Port:     80,
+					Protocol: corev1.ProtocolTCP,
+				}},
+			}},
+		},
 	}
 	tlsServiceAndEndpoint = append(append([]runtime.Object{}, tlsService...), tlsEndpoint...)
 
-	h2cServiceName    = "doo"
-	tlsServiceName    = "tlsService"
-	serviceToProtocol = map[string]string{
-		h2cServiceName: "h2c",
-		tlsServiceName: resources.InternalEncryptionProtocol,
+	h2cServiceName         = "doo"
+	tlsServiceName         = "tlsService"
+	tlsRevisionServiceName = tlsServiceName + "-00001"
+	serviceToProtocol      = map[string]string{
+		h2cServiceName:         "h2c",
+		tlsServiceName:         "h2c",
+		tlsRevisionServiceName: resources.InternalEncryptionProtocol,
 	}
 )
 
@@ -1007,7 +1037,7 @@ func withTLSServiceSpec(i *v1alpha1.Ingress) {
 				Paths: []v1alpha1.HTTPIngressPath{{
 					Splits: []v1alpha1.IngressBackendSplit{{
 						IngressBackend: v1alpha1.IngressBackend{
-							ServiceName:      tlsServiceName,
+							ServiceName:      tlsRevisionServiceName,
 							ServiceNamespace: i.Namespace,
 							ServicePort:      intstr.FromInt(443),
 						},
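Review bot: In the serviceToProtocol fixture, `tlsServiceName` now maps to `"h2c"` and is backed by a plain port-80 Service, while the TLS-capable one is `tlsRevisionServiceName`; the name `tlsService` now describes the opposite of what that object is, which will mislead the next reader of the domain-mapping test. Renaming it (e.g. `dmTargetServiceName`, with the revision name derived from it) or adding a comment such as `// tlsServiceName is the port-80 h2c hop a domain mapping routes through; tlsRevisionServiceName is the revision it fronts.` would make the fixture self-explaining. It is also worth a one-line note that the port-80 `http2` entry is what exercises the new ServiceHTTPPort exclusion in the reconciler, which presumes networking.ServicePortNameH2C is `"http2"`.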
@@ -1033,7 +1063,7 @@ func withDomainMappingSpec(i *v1alpha1.Ingress) {
 							"K-Original-Host": "dm.example.com",
 						},
 						IngressBackend: v1alpha1.IngressBackend{
-							ServiceName:      "doo",
+							ServiceName:      tlsServiceName,
 							ServiceNamespace: i.Namespace,
 							ServicePort:      intstr.FromInt(80),
 						},
diff --git a/pkg/reconciler/contour/resources/httpproxy.go b/pkg/reconciler/contour/resources/httpproxy.go
index 42aaed3c4..94e18d65c 100644
--- a/pkg/reconciler/contour/resources/httpproxy.go
+++ b/pkg/reconciler/contour/resources/httpproxy.go
@@ -32,7 +32,6 @@ import (
 	"knative.dev/net-contour/pkg/reconciler/contour/config"
 	"knative.dev/networking/pkg/apis/networking/v1alpha1"
 	netcfg "knative.dev/networking/pkg/config"
-	netheader "knative.dev/networking/pkg/http/header"
 	"knative.dev/networking/pkg/ingress"
 	"knative.dev/pkg/kmeta"
 	"knative.dev/pkg/network"
@@ -172,15 +171,11 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
 				Set: make([]v1.HeaderValue, 0, len(split.AppendHeaders)),
 			}
 
-			hasOriginalHostKey := false
 			for key, value := range split.AppendHeaders {
 				postSplitHeaders.Set = append(postSplitHeaders.Set, v1.HeaderValue{
 					Name:  key,
 					Value: value,
 				})
-				if key == netheader.OriginalHostKey {
-					hasOriginalHostKey = true
-				}
 			}
 			if len(postSplitHeaders.Set) > 0 {
 				sort.Slice(postSplitHeaders.Set, func(i, j int) bool {
@@ -193,18 +188,7 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
 			svc.RequestHeadersPolicy = postSplitHeaders
 
 			if proto, ok := serviceToProtocol[split.ServiceName]; ok {
-				//In order for domain mappings to work with internal
-				//encryption, need to unencrypt traffic back to the envoy.
-				//See
-				//https://github.com/knative-sandbox/net-contour/issues/862
-				//Can identify domain mappings by the presence of the RewriteHost field on
-				//the Path in combination with the "K-Original-Host" key in appendHeaders on
-				//the split
-				if path.RewriteHost != "" && hasOriginalHostKey {
-					svc.Protocol = ptr.String("h2c")
-				} else {
-					svc.Protocol = ptr.String(proto)
-				}
+				svc.Protocol = ptr.String(proto)
 			}
 
 			if cfg.Network != nil && cfg.Network.InternalEncryption {
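Review bot: With the RewriteHost/K-Original-Host check gone, MakeHTTPProxies applies `proto` verbatim, so the plaintext-vs-TLS decision now lives entirely in whatever builds `serviceToProtocol`; nothing here records that the caller must already have excluded the plaintext Envoy hop, and the issue #862 reference that explained the downgrade disappears from this file. Suggest a short comment on the assignment, e.g. `// serviceToProtocol already accounts for domain-mapping hops that must stay plaintext (see contour.go / net-contour #862).`, and the same note in the MakeHTTPProxies doc comment for the serviceToProtocol parameter. When the lookup misses, svc.Protocol is left unset, which predates this change. The function continues outside the hunk, as does the InternalEncryption block that follows.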