From 20d0251b47cdd1aaafd0224a441b502ac23c3fd0 Mon Sep 17 00:00:00 2001 From: Clay Kauzlaric Date: Mon, 30 Jan 2023 10:26:58 -0500 Subject: [PATCH 1/4] domain mapping use 443 when internal encryption enabled --- pkg/reconciler/domainmapping/reconciler.go | 4 +- .../domainmapping/resources/ingress.go | 14 +- .../domainmapping/resources/ingress_test.go | 212 +++++++++++++++++- pkg/reconciler/domainmapping/table_test.go | 160 ++++++++++++- 4 files changed, 375 insertions(+), 15 deletions(-) diff --git a/pkg/reconciler/domainmapping/reconciler.go b/pkg/reconciler/domainmapping/reconciler.go index f849bee83b29..76c492c8fa8d 100644 --- a/pkg/reconciler/domainmapping/reconciler.go +++ b/pkg/reconciler/domainmapping/reconciler.go @@ -127,9 +127,11 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, dm *v1alpha1.DomainMappi return err } + networkConfig := config.FromContext(ctx).Network + // Reconcile the Ingress resource corresponding to the requested Mapping. logger.Debugf("Mapping %s to ref %s/%s (host: %q, svc: %q)", url, dm.Spec.Ref.Namespace, dm.Spec.Ref.Name, targetHost, targetBackendSvc) - desired := resources.MakeIngress(dm, targetBackendSvc, targetHost, ingressClass, httpOption, tls, acmeChallenges...) + desired := resources.MakeIngress(dm, targetBackendSvc, targetHost, ingressClass, httpOption, tls, networkConfig.InternalEncryption, acmeChallenges...) ingress, err := r.reconcileIngress(ctx, dm, desired) if err != nil { return err diff --git a/pkg/reconciler/domainmapping/resources/ingress.go b/pkg/reconciler/domainmapping/resources/ingress.go index f9f3b287426b..9b2006894e71 100644 --- a/pkg/reconciler/domainmapping/resources/ingress.go +++ b/pkg/reconciler/domainmapping/resources/ingress.go @@ -35,8 +35,18 @@ import ( // backend is always in the same namespace also (as this is required by // KIngress). The created ingress will contain a RewriteHost rule to cause the // given hostName to be used as the host. -func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName, ingressClass string, httpOption netv1alpha1.HTTPOption, tls []netv1alpha1.IngressTLS, acmeChallenges ...netv1alpha1.HTTP01Challenge) *netv1alpha1.Ingress { +func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName, ingressClass string, httpOption netv1alpha1.HTTPOption, tls []netv1alpha1.IngressTLS, encryption bool, acmeChallenges ...netv1alpha1.HTTP01Challenge) *netv1alpha1.Ingress { paths, hosts := routeresources.MakeACMEIngressPaths(acmeChallenges, sets.NewString(dm.GetName())) + + var servicePort intstr.IntOrString + + if encryption { + //fmt.Println("setting port to 443") + servicePort = intstr.FromInt(netapi.ServiceHTTPSPort) + //servicePort = intstr.FromInt(80) + } else { + servicePort = intstr.FromInt(80) + } return &netv1alpha1.Ingress{ ObjectMeta: metav1.ObjectMeta{ Name: kmeta.ChildName(dm.GetName(), ""), @@ -69,7 +79,7 @@ func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName IngressBackend: netv1alpha1.IngressBackend{ ServiceNamespace: dm.Namespace, ServiceName: backendServiceName, - ServicePort: intstr.FromInt(80), + ServicePort: servicePort, }, }}, }}...), diff --git a/pkg/reconciler/domainmapping/resources/ingress_test.go b/pkg/reconciler/domainmapping/resources/ingress_test.go index 781e7e0107c5..85db7b60cfc9 100644 --- a/pkg/reconciler/domainmapping/resources/ingress_test.go +++ b/pkg/reconciler/domainmapping/resources/ingress_test.go @@ -235,7 +235,217 @@ func TestMakeIngress(t *testing.T) { got := *MakeIngress(&tc.dm, "the-target-svc", "the-rewrite-host", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, - tc.tls, tc.acmeChallenges...) + tc.tls, false, tc.acmeChallenges...) + if diff := cmp.Diff(tc.want, got); diff != "" { + t.Errorf("Unexpected Ingress (-want, +got):\n%s", diff) + } + }) + } + +} + +func TestMakeIngressInternalEncryption(t *testing.T) { + for _, tc := range []struct { + name string + dm v1alpha1.DomainMapping + want netv1alpha1.Ingress + tls []netv1alpha1.IngressTLS + acmeChallenges []netv1alpha1.HTTP01Challenge + }{{ + name: "basic", + dm: v1alpha1.DomainMapping{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mapping.com", + Namespace: "the-namespace", + UID: types.UID("the-uid"), + Annotations: map[string]string{ + "some.annotation": "some.value", + corev1.LastAppliedConfigAnnotation: "blah", + }, + }, + Spec: v1alpha1.DomainMappingSpec{ + Ref: duckv1.KReference{ + Namespace: "the-namespace", + Name: "the-name", + }, + }, + }, + want: netv1alpha1.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mapping.com", + Namespace: "the-namespace", + Annotations: map[string]string{ + netapi.IngressClassAnnotationKey: "the-ingress-class", + "some.annotation": "some.value", + }, + }, + Spec: netv1alpha1.IngressSpec{ + HTTPOption: netv1alpha1.HTTPOptionEnabled, + Rules: []netv1alpha1.IngressRule{{ + Hosts: []string{"mapping.com"}, + Visibility: netv1alpha1.IngressVisibilityExternalIP, + HTTP: &netv1alpha1.HTTPIngressRuleValue{ + Paths: []netv1alpha1.HTTPIngressPath{{ + RewriteHost: "the-rewrite-host", + Splits: []netv1alpha1.IngressBackendSplit{{ + Percent: 100, + AppendHeaders: map[string]string{ + netheader.OriginalHostKey: "mapping.com", + }, + IngressBackend: netv1alpha1.IngressBackend{ + ServiceName: "the-target-svc", + ServiceNamespace: "the-namespace", + ServicePort: intstr.FromInt(443), + }, + }}, + }}, + }, + }}, + }, + }, + }, { + name: "tls", + dm: v1alpha1.DomainMapping{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mapping.com", + Namespace: "the-namespace", + UID: types.UID("the-uid"), + Annotations: map[string]string{ + "some.annotation": "some.value", + corev1.LastAppliedConfigAnnotation: "blah", + }, + }, + Spec: v1alpha1.DomainMappingSpec{ + Ref: duckv1.KReference{ + Namespace: "the-namespace", + Name: "the-name", + }, + }, + }, + tls: []netv1alpha1.IngressTLS{{ + Hosts: []string{"mapping.com"}, + SecretName: "secret", + }}, + want: netv1alpha1.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mapping.com", + Namespace: "the-namespace", + Annotations: map[string]string{ + netapi.IngressClassAnnotationKey: "the-ingress-class", + "some.annotation": "some.value", + }, + }, + Spec: netv1alpha1.IngressSpec{ + HTTPOption: netv1alpha1.HTTPOptionEnabled, + Rules: []netv1alpha1.IngressRule{{ + Hosts: []string{"mapping.com"}, + Visibility: netv1alpha1.IngressVisibilityExternalIP, + HTTP: &netv1alpha1.HTTPIngressRuleValue{ + Paths: []netv1alpha1.HTTPIngressPath{{ + RewriteHost: "the-rewrite-host", + Splits: []netv1alpha1.IngressBackendSplit{{ + Percent: 100, + AppendHeaders: map[string]string{ + netheader.OriginalHostKey: "mapping.com", + }, + IngressBackend: netv1alpha1.IngressBackend{ + ServiceName: "the-target-svc", + ServiceNamespace: "the-namespace", + ServicePort: intstr.FromInt(443), + }, + }}, + }}, + }, + }}, + TLS: []netv1alpha1.IngressTLS{{ + Hosts: []string{"mapping.com"}, + SecretName: "secret", + }}, + }, + }, + }, { + name: "challenges", + dm: v1alpha1.DomainMapping{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mapping.com", + Namespace: "the-namespace", + UID: types.UID("the-uid"), + Annotations: map[string]string{ + "some.annotation": "some.value", + corev1.LastAppliedConfigAnnotation: "blah", + }, + }, + Spec: v1alpha1.DomainMappingSpec{ + Ref: duckv1.KReference{ + Namespace: "the-namespace", + Name: "the-name", + }, + }, + }, + acmeChallenges: []netv1alpha1.HTTP01Challenge{{ + ServiceNamespace: "test-ns", + ServiceName: "cm-solver", + ServicePort: intstr.FromInt(8090), + URL: &apis.URL{ + Scheme: "http", + Path: "/.well-known/acme-challenge/challenge-token", + Host: "mapping.com", + }, + }}, + want: netv1alpha1.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mapping.com", + Namespace: "the-namespace", + Annotations: map[string]string{ + netapi.IngressClassAnnotationKey: "the-ingress-class", + "some.annotation": "some.value", + }, + }, + Spec: netv1alpha1.IngressSpec{ + HTTPOption: netv1alpha1.HTTPOptionEnabled, + Rules: []netv1alpha1.IngressRule{{ + Hosts: []string{"mapping.com"}, + Visibility: netv1alpha1.IngressVisibilityExternalIP, + HTTP: &netv1alpha1.HTTPIngressRuleValue{ + Paths: []netv1alpha1.HTTPIngressPath{{ + Path: "/.well-known/acme-challenge/challenge-token", + Splits: []netv1alpha1.IngressBackendSplit{{ + IngressBackend: netv1alpha1.IngressBackend{ + ServiceNamespace: "test-ns", + ServiceName: "cm-solver", + ServicePort: intstr.FromInt(8090), + }, + Percent: 100, + }}, + }, { + RewriteHost: "the-rewrite-host", + Splits: []netv1alpha1.IngressBackendSplit{{ + Percent: 100, + AppendHeaders: map[string]string{ + netheader.OriginalHostKey: "mapping.com", + }, + IngressBackend: netv1alpha1.IngressBackend{ + ServiceName: "the-target-svc", + ServiceNamespace: "the-namespace", + ServicePort: intstr.FromInt(443), + }, + }}, + }}, + }, + }}, + }, + }, + }} { + t.Run(tc.name, func(t *testing.T) { + tc.want.Labels = kmeta.UnionMaps(tc.dm.Labels, map[string]string{ + serving.DomainMappingUIDLabelKey: "the-uid", + serving.DomainMappingNamespaceLabelKey: "the-namespace", + }) + tc.want.OwnerReferences = []metav1.OwnerReference{*kmeta.NewControllerRef(&tc.dm)} + got := *MakeIngress(&tc.dm, + "the-target-svc", "the-rewrite-host", "the-ingress-class", + netv1alpha1.HTTPOptionEnabled, + tc.tls, true, tc.acmeChallenges...) if diff := cmp.Diff(tc.want, got); diff != "" { t.Errorf("Unexpected Ingress (-want, +got):\n%s", diff) } diff --git a/pkg/reconciler/domainmapping/table_test.go b/pkg/reconciler/domainmapping/table_test.go index c5e3911d1cab..f31d0fa25d79 100644 --- a/pkg/reconciler/domainmapping/table_test.go +++ b/pkg/reconciler/domainmapping/table_test.go @@ -95,7 +95,7 @@ func TestReconcile(t *testing.T) { SkipNamespaceValidation: true, // allow creation of ClusterDomainClaim. WantCreates: []runtime.Object{ resources.MakeDomainClaim(domainMapping("default", "first-reconcile.com", withRef("default", "target"))), - resources.MakeIngress(domainMapping("default", "first-reconcile.com", withRef("default", "target")), "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + resources.MakeIngress(domainMapping("default", "first-reconcile.com", withRef("default", "target")), "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "first-reconcile.com"), @@ -195,7 +195,7 @@ func TestReconcile(t *testing.T) { resources.MakeDomainClaim(domainMapping("default", "first-reconcile.com", withRef("default", "target", withAPIVersionKind("v1", "Service")))), resources.MakeIngress( domainMapping("default", "first-reconcile.com", withRef("default", "target", withAPIVersionKind("v1", "Service"))), - "target", "target.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + "target", "target.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "first-reconcile.com"), @@ -344,7 +344,7 @@ func TestReconcile(t *testing.T) { ), }}, WantCreates: []runtime.Object{ - resources.MakeIngress(domainMapping("default", "first-reconcile.com", withRef("default", "target")), "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + resources.MakeIngress(domainMapping("default", "first-reconcile.com", withRef("default", "target")), "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "first-reconcile.com"), @@ -441,7 +441,7 @@ func TestReconcile(t *testing.T) { WantCreates: []runtime.Object{ resources.MakeDomainClaim(domainMapping("default", "ingressclass.first-reconcile.com", withRef("default", "target"))), resources.MakeIngress(domainMapping("default", "ingressclass.first-reconcile.com", withRef("default", "target")), - "the-target-svc", "the-target-svc.default.svc.cluster.local", "overridden-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + "the-target-svc", "the-target-svc.default.svc.cluster.local", "overridden-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "ingressclass.first-reconcile.com"), @@ -480,7 +480,7 @@ func TestReconcile(t *testing.T) { WantCreates: []runtime.Object{ resources.MakeDomainClaim(domainMapping("default", "ingressclass.first-reconcile.com", withRef("default", "target"))), resources.MakeIngress(domainMapping("default", "ingressclass.first-reconcile.com", withRef("default", "target"), withLabels(map[string]string{netapi.IngressLabelKey: "new-label"})), - "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "ingressclass.first-reconcile.com"), @@ -495,7 +495,7 @@ func TestReconcile(t *testing.T) { Objects: []runtime.Object{ ksvc("default", "changed", "changed.default.svc.cluster.local", ""), domainMapping("default", "ingress-exists.org", withRef("default", "changed")), - resources.MakeIngress(domainMapping("default", "ingress-exists.org", withRef("default", "changed")), "previous", "previous.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + resources.MakeIngress(domainMapping("default", "ingress-exists.org", withRef("default", "changed")), "previous", "previous.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), resources.MakeDomainClaim(domainMapping("default", "ingress-exists.org", withRef("default", "changed"))), }, WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ @@ -822,7 +822,7 @@ func TestReconcileAutocreateClaimsDisabled(t *testing.T) { }}, SkipNamespaceValidation: true, // allow creation of ClusterDomainClaim. WantCreates: []runtime.Object{ - resources.MakeIngress(domainMapping("default", "first-reconcile.com", withRef("default", "target")), "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */), + resources.MakeIngress(domainMapping("default", "first-reconcile.com", withRef("default", "target")), "the-target-svc", "the-target-svc.default.svc.cluster.local", "the-ingress-class", netv1alpha1.HTTPOptionEnabled, nil /* tls */, false), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "first-reconcile.com"), @@ -1180,7 +1180,7 @@ func TestReconcileTLSEnabled(t *testing.T) { ServiceName: "cm-solver", ServicePort: intstr.FromInt(8090), ServiceNamespace: "default", - }}, withIngressReady, withIngressHTTPOption(netv1alpha1.HTTPOptionRedirected)), + }}, false, withIngressReady, withIngressHTTPOption(netv1alpha1.HTTPOptionRedirected)), }}, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("default", "challenged.com"), @@ -1327,6 +1327,140 @@ func TestReconcileTLSEnabledButDowngraded(t *testing.T) { })) } +func TestReconcileInternalEncryptionEnabled(t *testing.T) { + table := TableTest{{ + Name: "first reconcile", + Key: "default/first.reconcile.io", + Objects: []runtime.Object{ + ksvc("default", "ready", "ready.default.svc.cluster.local", ""), + domainMapping("default", "first.reconcile.io", + withRef("default", "ready"), + withURL("http", "first.reconcile.io"), + withAddress("http", "first.reconcile.io"), + ), + resources.MakeDomainClaim(domainMapping("default", "first.reconcile.io", withRef("default", "ready"))), + }, + WantCreates: []runtime.Object{ + resources.MakeCertificate(domainMapping("default", "first.reconcile.io", + withRef("default", "ready"), + withURL("http", "first.reconcile.io"), + withAddress("http", "first.reconcile.io"), + ), "the-cert-class"), + ingressInternalEncryption(domainMapping("default", "first.reconcile.io", withRef("default", "ready")), "the-ingress-class", withIngressHTTPOption(netv1alpha1.HTTPOptionRedirected)), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: domainMapping("default", "first.reconcile.io", + withRef("default", "ready"), + withURL("https", "first.reconcile.io"), + withAddress("https", "first.reconcile.io"), + withCertificateNotReady, + withInitDomainMappingConditions, + withIngressNotConfigured, + withDomainClaimed, + withReferenceResolved, + ), + }}, + WantPatches: []clientgotesting.PatchActionImpl{ + patchAddFinalizerAction("default", "first.reconcile.io"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", "first.reconcile.io"), + Eventf(corev1.EventTypeNormal, "Created", "Created Certificate %s/%s", "default", "first.reconcile.io"), + Eventf(corev1.EventTypeNormal, "Created", "Created Ingress %q", "first.reconcile.io"), + }, + }, { + Name: "becomes ready", + Key: "default/becomes.ready.run", + Objects: []runtime.Object{ + ksvc("default", "ready", "ready.default.svc.cluster.local", ""), + domainMapping("default", "becomes.ready.run", + withRef("default", "ready"), + withURL("http", "becomes.ready.run"), + withAddress("http", "becomes.ready.run"), + ), + resources.MakeDomainClaim(domainMapping("default", "becomes.ready.run", withRef("default", "ready"))), + &netv1alpha1.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Name: "becomes.ready.run", + Namespace: "default", + OwnerReferences: []metav1.OwnerReference{*kmeta.NewControllerRef( + domainMapping("default", "becomes.ready.run", + withRef("default", "ready"), + withURL("http", "becomes.ready.run"), + withAddress("http", "becomes.ready.run")))}, + Annotations: map[string]string{ + netapi.CertificateClassAnnotationKey: "the-cert-class", + }, + Labels: map[string]string{ + serving.DomainMappingUIDLabelKey: "becomes.ready.run", + }, + }, + Spec: netv1alpha1.CertificateSpec{ + Domain: "becomes.ready.run", + DNSNames: []string{"becomes.ready.run"}, + SecretName: "becomes.ready.run", + }, + Status: readyCertStatus(), + }, + ingressInternalEncryption(domainMapping("default", "becomes.ready.run", withRef("default", "ready")), "the-ingress-class", withIngressReady, withIngressHTTPOption(netv1alpha1.HTTPOptionRedirected)), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: domainMapping("default", "becomes.ready.run", + withRef("default", "ready"), + withURL("https", "becomes.ready.run"), + withAddress("https", "becomes.ready.run"), + withCertificateReady, + withInitDomainMappingConditions, + withDomainClaimed, + withReferenceResolved, + withPropagatedStatus(ingress(domainMapping("default", "becomes.ready.run"), "", withIngressReady).Status), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: ingressInternalEncryption(domainMapping("default", "becomes.ready.run", withRef("default", "ready")), "the-ingress-class", withIngressReady, + withIngressHTTPOption(netv1alpha1.HTTPOptionRedirected), + withIngressTLS(netv1alpha1.IngressTLS{ + Hosts: []string{"becomes.ready.run"}, + SecretName: "becomes.ready.run", + SecretNamespace: "default", + })), + }}, + WantPatches: []clientgotesting.PatchActionImpl{ + patchAddFinalizerAction("default", "becomes.ready.run"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", "becomes.ready.run"), + }, + }} + + table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler { + ctx = addressable.WithDuck(ctx) + r := &Reconciler{ + certificateLister: listers.GetCertificateLister(), + domainClaimLister: listers.GetDomainClaimLister(), + ingressLister: listers.GetIngressLister(), + netclient: networkingclient.Get(ctx), + resolver: resolver.NewURIResolverFromTracker(ctx, tracker.New(func(types.NamespacedName) {}, 0)), + } + + return domainmappingreconciler.NewReconciler(ctx, logging.FromContext(ctx), + servingclient.Get(ctx), listers.GetDomainMappingLister(), controller.GetEventRecorder(ctx), r, + controller.Options{ConfigStore: &testConfigStore{ + config: &config.Config{ + Network: &netcfg.Config{ + DefaultIngressClass: "the-ingress-class", + DefaultCertificateClass: "the-cert-class", + AutoTLS: true, + HTTPProtocol: netcfg.HTTPRedirected, + DefaultExternalScheme: "http", + InternalEncryption: true, + }, + }, + }}, + ) + })) +} + type domainMappingOption func(dm *v1alpha1.DomainMapping) func domainMapping(namespace, name string, opt ...domainMappingOption) *v1alpha1.DomainMapping { @@ -1486,11 +1620,15 @@ func withDeletionTimestamp(t *metav1.Time) domainMappingOption { } func ingress(dm *v1alpha1.DomainMapping, ingressClass string, opt ...IngressOption) *netv1alpha1.Ingress { - return ingressWithChallenges(dm, ingressClass, nil /* challenges */, opt...) + return ingressWithChallenges(dm, ingressClass, nil /* challenges */, false, opt...) +} + +func ingressInternalEncryption(dm *v1alpha1.DomainMapping, ingressClass string, opt ...IngressOption) *netv1alpha1.Ingress { + return ingressWithChallenges(dm, ingressClass, nil /* challenges */, true, opt...) } -func ingressWithChallenges(dm *v1alpha1.DomainMapping, ingressClass string, challenges []netv1alpha1.HTTP01Challenge, opt ...IngressOption) *netv1alpha1.Ingress { - ing := resources.MakeIngress(dm, dm.Spec.Ref.Name, dm.Spec.Ref.Name+"."+dm.Spec.Ref.Namespace+".svc.cluster.local", ingressClass, netv1alpha1.HTTPOptionEnabled, nil /* tls */, challenges...) +func ingressWithChallenges(dm *v1alpha1.DomainMapping, ingressClass string, challenges []netv1alpha1.HTTP01Challenge, internalEncryption bool, opt ...IngressOption) *netv1alpha1.Ingress { + ing := resources.MakeIngress(dm, dm.Spec.Ref.Name, dm.Spec.Ref.Name+"."+dm.Spec.Ref.Namespace+".svc.cluster.local", ingressClass, netv1alpha1.HTTPOptionEnabled, nil /* tls */, internalEncryption, challenges...) for _, o := range opt { o(ing) } From 656e48525c9c600054ff20828f0612802c93b733 Mon Sep 17 00:00:00 2001 From: Clay Kauzlaric Date: Mon, 30 Jan 2023 10:28:31 -0500 Subject: [PATCH 2/4] lb redirect svc use 443 when internal encryption enabled --- pkg/reconciler/route/resources/service.go | 48 ++++++++++++++++------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/pkg/reconciler/route/resources/service.go b/pkg/reconciler/route/resources/service.go index 2a19da7581a6..d620587e7ee6 100644 --- a/pkg/reconciler/route/resources/service.go +++ b/pkg/reconciler/route/resources/service.go @@ -29,6 +29,7 @@ import ( "knative.dev/pkg/kmeta" "knative.dev/serving/pkg/apis/serving" v1 "knative.dev/serving/pkg/apis/serving/v1" + "knative.dev/serving/pkg/reconciler/route/config" "knative.dev/serving/pkg/reconciler/route/domains" ) @@ -53,17 +54,15 @@ func MakeK8sPlaceholderService(ctx context.Context, route *v1.Route, tagName str return nil, err } + netcfg := config.FromContextOrDefaults(ctx).Network + return &corev1.Service{ ObjectMeta: makeServiceObjectMeta(hostname, route), Spec: corev1.ServiceSpec{ Type: corev1.ServiceTypeExternalName, ExternalName: domainName, SessionAffinity: corev1.ServiceAffinityNone, - Ports: []corev1.ServicePort{{ - Name: netapi.ServicePortNameH2C, - Port: int32(80), - TargetPort: intstr.FromInt(80), - }}, + Ports: []corev1.ServicePort{makeServicePort(netcfg.InternalEncryption)}, }, }, nil } @@ -96,15 +95,13 @@ func MakeK8sService(ctx context.Context, route *v1.Route, tagName string, ingres return nil, err } + netcfg := config.FromContextOrDefaults(ctx).Network + pair := &ServicePair{ Service: &corev1.Service{ ObjectMeta: makeServiceObjectMeta(hostname, route), Spec: corev1.ServiceSpec{ - Ports: []corev1.ServicePort{{ - Name: netapi.ServicePortNameH2C, - Port: int32(80), - TargetPort: intstr.FromInt(80), - }}, + Ports: []corev1.ServicePort{makeServicePort(netcfg.InternalEncryption)}, }, }, Endpoints: nil, @@ -127,10 +124,7 @@ func MakeK8sService(ctx context.Context, route *v1.Route, tagName string, ingres Addresses: []corev1.EndpointAddress{{ IP: balancer.IP, }}, - Ports: []corev1.EndpointPort{{ - Name: netapi.ServicePortNameH2C, - Port: int32(80), - }}, + Ports: []corev1.EndpointPort{makeEndpointPort(netcfg.InternalEncryption)}, }}, } case balancer.DomainInternal != "": @@ -177,3 +171,29 @@ func makeServiceObjectMeta(hostname string, route *v1.Route) metav1.ObjectMeta { Annotations: route.GetAnnotations(), } } + +func makeServicePort(internalEncryption bool) (sp corev1.ServicePort) { + if internalEncryption { + sp.Port = int32(netapi.ServiceHTTPSPort) + sp.TargetPort = intstr.FromInt(netapi.ServiceHTTPSPort) + sp.Name = netapi.ServicePortNameHTTPS + } else { + sp.Port = int32(80) + sp.TargetPort = intstr.FromInt(80) + sp.Name = netapi.ServicePortNameH2C + } + + return +} + +func makeEndpointPort(internalEncryption bool) (ep corev1.EndpointPort) { + if internalEncryption { + ep.Port = int32(netapi.ServiceHTTPSPort) + ep.Name = netapi.ServicePortNameHTTPS + } else { + ep.Port = int32(80) + ep.Name = netapi.ServicePortNameH2C + } + + return +} From f182a5e5b402dd8c9f42f74ec020eece401f3d67 Mon Sep 17 00:00:00 2001 From: Clay Kauzlaric Date: Mon, 30 Jan 2023 10:29:08 -0500 Subject: [PATCH 3/4] wip: set internal certs on clusterlocal domains when internal encryption enabled --- pkg/reconciler/route/resources/ingress.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go index 5046b486120d..b4a0cd66b40b 100644 --- a/pkg/reconciler/route/resources/ingress.go +++ b/pkg/reconciler/route/resources/ingress.go @@ -29,10 +29,12 @@ import ( "knative.dev/networking/pkg/apis/networking" netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" + netcfg "knative.dev/networking/pkg/config" netheader "knative.dev/networking/pkg/http/header" ingress "knative.dev/networking/pkg/ingress" "knative.dev/pkg/kmeta" "knative.dev/pkg/logging" + "knative.dev/pkg/system" "knative.dev/serving/pkg/activator" apicfg "knative.dev/serving/pkg/apis/config" "knative.dev/serving/pkg/apis/serving" @@ -183,6 +185,18 @@ func makeIngressSpec( rule.HTTP.Paths[0].AppendHeaders[netheader.RouteTagKey] = name } } + + // if this is a private rule, and internal encryption is on, we need to stick the certs in the tls seciton + if visibility == netv1alpha1.IngressVisibilityClusterLocal && networkConfig.InternalEncryption { + for domain := range domains { + tls = append(tls, netv1alpha1.IngressTLS{ + Hosts: []string{domain}, + SecretName: netcfg.ServingInternalCertName, + SecretNamespace: system.Namespace(), + }) + } + + } // If this is a public rule, we need to configure ACME challenge paths. if visibility == netv1alpha1.IngressVisibilityExternalIP { paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains) From 676295de3cbf9c7d05758ea853a8984433dd06c1 Mon Sep 17 00:00:00 2001 From: Clay Kauzlaric Date: Mon, 30 Jan 2023 13:02:18 -0500 Subject: [PATCH 4/4] wip: try adding both 443 and 80 to service --- pkg/reconciler/route/resources/service.go | 41 +++++++++++++---------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/pkg/reconciler/route/resources/service.go b/pkg/reconciler/route/resources/service.go index d620587e7ee6..ac7ca7d645a1 100644 --- a/pkg/reconciler/route/resources/service.go +++ b/pkg/reconciler/route/resources/service.go @@ -62,7 +62,7 @@ func MakeK8sPlaceholderService(ctx context.Context, route *v1.Route, tagName str Type: corev1.ServiceTypeExternalName, ExternalName: domainName, SessionAffinity: corev1.ServiceAffinityNone, - Ports: []corev1.ServicePort{makeServicePort(netcfg.InternalEncryption)}, + Ports: makeServicePorts(netcfg.InternalEncryption), }, }, nil } @@ -101,7 +101,7 @@ func MakeK8sService(ctx context.Context, route *v1.Route, tagName string, ingres Service: &corev1.Service{ ObjectMeta: makeServiceObjectMeta(hostname, route), Spec: corev1.ServiceSpec{ - Ports: []corev1.ServicePort{makeServicePort(netcfg.InternalEncryption)}, + Ports: makeServicePorts(netcfg.InternalEncryption), }, }, Endpoints: nil, @@ -124,7 +124,7 @@ func MakeK8sService(ctx context.Context, route *v1.Route, tagName string, ingres Addresses: []corev1.EndpointAddress{{ IP: balancer.IP, }}, - Ports: []corev1.EndpointPort{makeEndpointPort(netcfg.InternalEncryption)}, + Ports: makeEndpointPorts(netcfg.InternalEncryption), }}, } case balancer.DomainInternal != "": @@ -172,27 +172,34 @@ func makeServiceObjectMeta(hostname string, route *v1.Route) metav1.ObjectMeta { } } -func makeServicePort(internalEncryption bool) (sp corev1.ServicePort) { +func makeServicePorts(internalEncryption bool) (sps []corev1.ServicePort) { + sps = append(sps, corev1.ServicePort{ + Port: int32(80), + TargetPort: intstr.FromInt(80), + Name: netapi.ServicePortNameH2C, + }) + if internalEncryption { - sp.Port = int32(netapi.ServiceHTTPSPort) - sp.TargetPort = intstr.FromInt(netapi.ServiceHTTPSPort) - sp.Name = netapi.ServicePortNameHTTPS - } else { - sp.Port = int32(80) - sp.TargetPort = intstr.FromInt(80) - sp.Name = netapi.ServicePortNameH2C + sps = append(sps, corev1.ServicePort{ + Port: int32(netapi.ServiceHTTPSPort), + TargetPort: intstr.FromInt(netapi.ServiceHTTPSPort), + Name: netapi.ServicePortNameHTTPS, + }) } return } -func makeEndpointPort(internalEncryption bool) (ep corev1.EndpointPort) { +func makeEndpointPorts(internalEncryption bool) (eps []corev1.EndpointPort) { + eps = append(eps, corev1.EndpointPort{ + Port: int32(80), + Name: netapi.ServicePortNameH2C, + }) if internalEncryption { - ep.Port = int32(netapi.ServiceHTTPSPort) - ep.Name = netapi.ServicePortNameHTTPS - } else { - ep.Port = int32(80) - ep.Name = netapi.ServicePortNameH2C + eps = append(eps, corev1.EndpointPort{ + Port: int32(netapi.ServiceHTTPSPort), + Name: netapi.ServicePortNameHTTPS, + }) } return