All Hops Encrypted: Activator uses queue-proxy TLS if available #12503

Closed
Tracked by #11906
evankanderson opened this issue Jan 13, 2022 · 2 comments · Fixed by #12815
Labels
kind/feature Well-understood/specified features, ready for coding.

Comments

@evankanderson
Member

Larger description in the Feature Track document

Summary:

The Activator should attempt connection to the queue-proxy TLS port and validate the client certificate if TLS is available. If not, it should fall back to the existing HTTP (non-TLS) path.

For certificate validation, the activator may need to be provided with a CA root certificate and a known (per-namespace) SNI target name. If needed, configuration should be added to config-network configmap, or managed as a secret.

Recommended configuration extension for the activator Deployment for alpha to enable mounting secrets if needed (the CA public keys could also be stored in config-network):

spec:
  template:
    spec:
      containers:
      - ...
        volumeMounts:
        - name: client-ca
          mountPath: /tls/client-ca
          readOnly: true
      volumes:
      - name: client-ca
        secret:
          # Each per-namespace client cert would need to be signed by this CA
          secretName: client-ca
          optional: true
evankanderson added the kind/feature label Jan 13, 2022
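A worked version of the TLS-first probe the issue summary describes, added here as an example for this page; it is not code from the issue, from the prototype PRs, or from Knative's own `NewProxyAutoTLSTransport`/`DialTLSWithBackOff`. Everything in it is assumed: the SNI name `queue-proxy.default.knative.internal`, the function names (`dialQueueProxy`, `activatorTLSConfig`, `runScenarios`), and a CA generated in memory in place of the mounted client-ca Secret. It also covers the case the summary leaves implicit: a certificate that fails validation must not trigger the HTTP fallback, or the fallback becomes a downgrade.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

const exampleSNI = "queue-proxy.default.knative.internal" // assumed per-namespace SNI target name

// newCA builds a throwaway CA in memory (constructed here); it stands in for the mounted client-ca Secret.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return ca, key, pool
}

// issueLeaf signs a queue-proxy server certificate for one SNI name with the CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sni string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{sni},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// activatorTLSConfig: trust only the mounted CA and pin the per-namespace name, so any other issuer or name fails.
func activatorTLSConfig(roots *x509.CertPool, sni string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: sni, MinVersion: tls.VersionTLS12}
}

// dialQueueProxy tries the TLS port first and reports which hop it ended on. Only "TLS not
// available" (nothing answers on the TLS port) falls back to plaintext; a certificate that fails
// verification is a hard error, since treating it as "no TLS" would let anyone on the path
// strip this hop by answering the TLS port with a bogus certificate.
func dialQueueProxy(tlsAddr, httpAddr string, cfg *tls.Config) (string, error) {
	d := &net.Dialer{Timeout: 2 * time.Second}
	c, err := tls.DialWithDialer(d, "tcp", tlsAddr, cfg)
	if err == nil {
		c.Close()
		return "https", nil
	}
	if errors.As(err, new(x509.UnknownAuthorityError)) || errors.As(err, new(x509.HostnameError)) ||
		errors.As(err, new(x509.CertificateInvalidError)) {
		return "", fmt.Errorf("queue-proxy certificate rejected, not falling back: %w", err)
	}
	pc, err := d.Dial("tcp", httpAddr)
	if err != nil {
		return "", err
	}
	pc.Close()
	return "http", nil
}

// runScenarios probes in-process listeners standing in for queue-proxies: one with TLS and a
// cert for exampleSNI, one plaintext, and a port with no listener at all (no TLS port).
func runScenarios() map[string]string {
	ca, caKey, pool := newCA()
	tlsSrv := httptest.NewUnstartedServer(http.NotFoundHandler())
	tlsSrv.TLS = &tls.Config{Certificates: []tls.Certificate{issueLeaf(ca, caKey, exampleSNI)}}
	tlsSrv.StartTLS()
	defer tlsSrv.Close()
	httpSrv := httptest.NewServer(http.NotFoundHandler())
	defer httpSrv.Close()
	l, _ := net.Listen("tcp", "127.0.0.1:0")
	closedAddr := l.Addr().String()
	l.Close()
	tlsAddr, httpAddr := tlsSrv.Listener.Addr().String(), httpSrv.Listener.Addr().String()
	out := map[string]string{}
	probe := func(name, addr string, cfg *tls.Config) {
		if hop, err := dialQueueProxy(addr, httpAddr, cfg); err != nil {
			out[name] = "rejected"
		} else {
			out[name] = hop
		}
	}
	probe("good-cert", tlsAddr, activatorTLSConfig(pool, exampleSNI))                          // "https"
	probe("wrong-sni", tlsAddr, activatorTLSConfig(pool, "queue-proxy.other.knative.internal")) // "rejected"
	probe("unknown-ca", tlsAddr, activatorTLSConfig(x509.NewCertPool(), exampleSNI))            // "rejected"
	probe("no-tls-port", closedAddr, activatorTLSConfig(pool, exampleSNI))                      // "http"
	return out
}

func main() { fmt.Println(runScenarios()) }
```

Run it with `go run`; it prints the four outcomes. In a real activator the CA would be read from the mounted Secret and the SNI name derived from the Revision's namespace. The `errors.As` checks work on both sides of Go 1.20, where the handshake started wrapping x509 errors in `tls.CertificateVerificationError`.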
@evankanderson
Member Author

Ref nak3#25 for a prototype

@nak3
Contributor

nak3 commented Apr 6, 2022

Same with #12501 (comment).
It makes the implementation and configuration easier when we use Secrets. I sent the change in knative/networking#648

nak3 added a commit to nak3/serving that referenced this issue Apr 7, 2022
nak3 added a commit to nak3/serving that referenced this issue Apr 7, 2022
knative-prow bot pushed a commit to knative/pkg that referenced this issue Apr 11, 2022
…S proxy (#2479)

* Add `NewProxyAutoTLSTransport` and `DialTLSWithBackOff` to support TLS proxy

Part of: knative/serving#12503
PoC: knative/serving#12815

This patch adds `NewProxyAutoTLSTransport`, which is `NewProxyAutoTransport` + TLS config.
The current proxy does not support TLS, but that is needed for knative/serving#12503.

`DialTLSWithBackOff` is also `DialWithBackOff` + TLS config. It needs
`newH2Transport`, which handles HTTP/2 with TLS.

* Fix lint

* Fix review comments
nak3 added a commit to nak3/serving that referenced this issue Apr 11, 2022
nak3 added a commit to nak3/serving that referenced this issue Apr 12, 2022
nak3 added a commit to nak3/serving that referenced this issue Apr 12, 2022
nak3 added a commit to nak3/serving that referenced this issue Apr 12, 2022
nak3 added a commit to nak3/serving that referenced this issue Apr 13, 2022
knative-prow bot pushed a commit that referenced this issue Apr 19, 2022
* All Hops Encrypted: TLS between activator and queue-Proxy

Fix #12502
Fix #12503

* Large capital

* Fix review comments

* Refactor loop

* Add TODO comment