diff --git a/go.mod b/go.mod index 8f5de88a5..6542300b5 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992 knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 knative.dev/pkg v0.0.0-20231003141102-833dd976f13d - knative.dev/serving v0.38.1-0.20231004014018-b66b18545146 + knative.dev/serving v0.38.1-0.20231005084506-3eb979a5f24f ) require ( @@ -101,7 +101,7 @@ require ( k8s.io/klog/v2 v2.90.1 // indirect k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect - knative.dev/networking v0.0.0-20230927121431-c1cae210daec // indirect + knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 74c57fa23..e6cf14287 100644 --- a/go.sum +++ b/go.sum @@ -780,12 +780,12 @@ knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992 h1:+ff0CSX6Y4rGHps9IQ knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992/go.mod h1:OaXBKpWXqAvn5U8i0Ey9zt9W22w0ddSlhqHlnpfYWK4= knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 h1:e6r9J1YopzSh6tDCpyKhVBfRUlZ2r0KRo9wupRjdRF4= knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/networking v0.0.0-20230927121431-c1cae210daec h1:FuApkAE1QhvChCQDR3yziqdsZ+LiEM0ZxTdI0qKIMrA= -knative.dev/networking v0.0.0-20230927121431-c1cae210daec/go.mod h1:U9yqeTf2NtTY5aexYLbE4LAoIt/FAsnoERbnejJKlgI= +knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a h1:Q31AcykUUn/EcDFLt4citbeN8W7sxHenX1YG8l+urcE= +knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a/go.mod h1:LAT8cu/PGOtik5ABZhhl6h45QrNRXj0uqlpIP0dmLnU= knative.dev/pkg v0.0.0-20231003141102-833dd976f13d h1:EcUwMwxqa1/4lhh0Hm5lc9h3ohUckHzKofG8ZAPZlbk= knative.dev/pkg v0.0.0-20231003141102-833dd976f13d/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk= -knative.dev/serving v0.38.1-0.20231004014018-b66b18545146 h1:3F0daPkVr3UAdurm5ea412yugj8rKPi+mUGlT2kSPmI= -knative.dev/serving v0.38.1-0.20231004014018-b66b18545146/go.mod h1:W8uFQIUiKeP7n9+t+BsfR2cedKLvQO75XlQiot3oiHE= +knative.dev/serving v0.38.1-0.20231005084506-3eb979a5f24f h1:zNnbdtMbZZjRmJ0bWPEWYfgUSth0G+ZZzoWk/lb1mK0= +knative.dev/serving v0.38.1-0.20231005084506-3eb979a5f24f/go.mod h1:UvbR1b2b9QKgOIA+4QxmjvHfQH5miQbfgwzzDbKAaoQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go index 85f69717f..fbd6c155f 100644 --- a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go +++ b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go @@ -29,6 +29,7 @@ var ( IngressClassAnnotationKey, CertificateClassAnnotationKey, DisableAutoTLSAnnotationKey, + DisableExternalDomainTLSAnnotationKey, HTTPOptionAnnotationKey, IngressClassAnnotationAltKey, diff --git a/vendor/knative.dev/networking/pkg/apis/networking/register.go b/vendor/knative.dev/networking/pkg/apis/networking/register.go index f7bdd81d7..e88e9b5c0 100644 --- a/vendor/knative.dev/networking/pkg/apis/networking/register.go +++ b/vendor/knative.dev/networking/pkg/apis/networking/register.go @@ -70,11 +70,17 @@ const ( // DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping // to indicate that AutoTLS should not be enabled for it. + // Deprecated: use DisableExternalDomainTLSAnnotationKey instead. DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS" // DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey + // Deprecated: use DisableExternalDomainTLSAnnotationKey instead. DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls" + // DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping + // to indicate that external-domain-tls should not be enabled for it. + DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls" + // HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping // to indicate the HTTP option of it. HTTPOptionAnnotationKey = PublicGroupName + "/httpOption" @@ -130,9 +136,15 @@ var ( CertificateClassAnnotationAltKey, } - DisableAutoTLSAnnotation = kmap.KeyPriority{ + // Deprecated: use DisableExternalDomainTLSAnnotation instead. + DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation + + DisableExternalDomainTLSAnnotation = kmap.KeyPriority{ + // backward compatibility DisableAutoTLSAnnotationKey, DisableAutoTLSAnnotationAltKey, + + DisableExternalDomainTLSAnnotationKey, } HTTPProtocolAnnotation = kmap.KeyPriority{ @@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) { return HTTPProtocolAnnotation.Value(annotations) } -func GetDisableAutoTLS(annotations map[string]string) (val string) { - return DisableAutoTLSAnnotation.Value(annotations) +// Deprecated: use GetDisableExternalDomainTLS instead. +var GetDisableAutoTLS = GetDisableExternalDomainTLS + +func GetDisableExternalDomainTLS(annotations map[string]string) (val string) { + return DisableExternalDomainTLSAnnotation.Value(annotations) } diff --git a/vendor/knative.dev/networking/pkg/config/config.go b/vendor/knative.dev/networking/pkg/config/config.go index f27c7865e..028937067 100644 --- a/vendor/knative.dev/networking/pkg/config/config.go +++ b/vendor/knative.dev/networking/pkg/config/config.go @@ -70,17 +70,12 @@ const ( // ServingInternalCertName is the name of secret contains certificates in serving // system namespace. // - // Deprecated: ServingInternalCertName is deprecated. - // (use ServingControlCertName or ServingRoutingCertName instead) + // Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead. ServingInternalCertName = "knative-serving-certs" // ServingRoutingCertName is the name of secret contains certificates for Routing data in serving // system namespace. (Used by Ingress GWs and Activator) ServingRoutingCertName = "routing-serving-certs" - - // ServingControlCertName is the name of secret contains certificates for Control data in serving - // system namespace. (Used by Autoscaler and Ingress control for example) - ServingControlCertName = "control-serving-certs" ) // Config Keys @@ -92,8 +87,17 @@ const ( // AutoTLSKey is the name of the configuration entry // that specifies enabling auto-TLS or not. + // Deprecated: please use ExternalDomainTLSKey. AutoTLSKey = "auto-tls" + // ExternalDomainTLSKey is the name of the configuration entry + // that specifies if external-domain-tls is enabled or not. + ExternalDomainTLSKey = "external-domain-tls" + + // ClusterLocalDomainTLSKey is the name of the configuration entry + // that specifies if cluster-local-domain-tls is enabled or not. + ClusterLocalDomainTLSKey = "cluster-local-domain-tls" + // DefaultCertificateClassKey is the name of the configuration entry // that specifies the default Certificate. DefaultCertificateClassKey = "certificate-class" @@ -134,39 +138,26 @@ const ( // hostname for a Route's tag. TagTemplateKey = "tag-template" - // InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey. // InternalEncryptionKey is the name of the configuration whether // internal traffic is encrypted or not. + // Deprecated: please use SystemInternalTLSKey. InternalEncryptionKey = "internal-encryption" - // DataplaneTrustKey is the name of the configuration entry - // defining the level of trust used for data plane traffic. - DataplaneTrustKey = "dataplane-trust" - - // ControlplaneTrustKey is the name of the configuration entry - // defining the level of trust used for control plane traffic. - ControlplaneTrustKey = "controlplane-trust" + // SystemInternalTLSKey is the name of the configuration whether + // traffic between Knative system components is encrypted or not. + SystemInternalTLSKey = "system-internal-tls" ) -// HTTPProtocol indicates a type of HTTP endpoint behavior -// that Knative ingress could take. -type Trust string +// EncryptionConfig indicates the encryption configuration +// used for TLS connections. +type EncryptionConfig string const ( - // TrustDisabled - TLS not used - TrustDisabled Trust = "disabled" - - // TrustMinimal - TLS used. We verify that the server is using Knative certificates - TrustMinimal Trust = "minimal" + // EncryptionDisabled - TLS not used. + EncryptionDisabled EncryptionConfig = "disabled" - // TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace - TrustEnabled Trust = "enabled" - - // TrustMutual - same as TrustEnabled and we also verify the identity of the client. - TrustMutual Trust = "mutual" - - // TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message. - TrustIdentity Trust = "identity" + // EncryptionEnabled - TLS used. The client verifies the servers certificate. + EncryptionEnabled EncryptionConfig = "enabled" ) // HTTPProtocol indicates a type of HTTP endpoint behavior @@ -244,8 +235,12 @@ type Config struct { TagTemplate string // AutoTLS specifies if auto-TLS is enabled or not. + // Deprecated: please use ExternalDomainTLS instead. AutoTLS bool + // ExternalDomainTLS specifies if external-domain-tls is enabled or not. + ExternalDomainTLS bool + // HTTPProtocol specifics the behavior of HTTP endpoint of Knative // ingress. HTTPProtocol HTTPProtocol @@ -293,15 +288,15 @@ type Config struct { // not enabled. Defaults to "http". DefaultExternalScheme string - // Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust // InternalEncryption specifies whether internal traffic is encrypted or not. + // Deprecated: please use SystemInternalTLSKey instead. InternalEncryption bool - // DataplaneTrust specifies the level of trust used for date plane. - DataplaneTrust Trust + // SystemInternalTLS specifies whether knative internal traffic is encrypted or not. + SystemInternalTLS EncryptionConfig - // ControlplaneTrust specifies the level of trust used for control plane. - ControlplaneTrust Trust + // ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not. + ClusterLocalDomainTLS EncryptionConfig } func defaultConfig() *Config { @@ -311,14 +306,15 @@ func defaultConfig() *Config { DomainTemplate: DefaultDomainTemplate, TagTemplate: DefaultTagTemplate, AutoTLS: false, + ExternalDomainTLS: false, NamespaceWildcardCertSelector: nil, HTTPProtocol: HTTPEnabled, AutocreateClusterDomainClaims: false, DefaultExternalScheme: "http", MeshCompatibilityMode: MeshCompatibilityModeAuto, InternalEncryption: false, - DataplaneTrust: TrustDisabled, - ControlplaneTrust: TrustDisabled, + SystemInternalTLS: EncryptionDisabled, + ClusterLocalDomainTLS: EncryptionDisabled, } } @@ -383,12 +379,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { } templateCache.Add(nc.TagTemplate, t) + // external-domain-tls and auto-tls if val, ok := data["autoTLS"]; ok { nc.AutoTLS = strings.EqualFold(val, "enabled") } if val, ok := data[AutoTLSKey]; ok { nc.AutoTLS = strings.EqualFold(val, "enabled") } + if val, ok := data[ExternalDomainTLSKey]; ok { + nc.ExternalDomainTLS = strings.EqualFold(val, "enabled") + + // The new key takes precedence, but we support compatibility + // for code that has not updated to the new field yet. + nc.AutoTLS = nc.ExternalDomainTLS + } else { + // backward compatibility: if the new key is not set, use the value from the old key + nc.ExternalDomainTLS = nc.AutoTLS + } var httpProtocol string if val, ok := data["httpProtocol"]; ok { @@ -410,52 +417,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey]) } - switch strings.ToLower(data[DataplaneTrustKey]) { - case "", string(TrustDisabled): - // If DataplaneTrus is not set in the config-network, default is already - // set to TrustDisabled. + switch strings.ToLower(data[SystemInternalTLSKey]) { + case "", string(EncryptionDisabled): + // If SystemInternalTLSKey is not set in the config-network, default is already + // set to EncryptionDisabled. if nc.InternalEncryption { // Backward compatibility - nc.DataplaneTrust = TrustMinimal + nc.SystemInternalTLS = EncryptionEnabled } - case string(TrustMinimal): - nc.DataplaneTrust = TrustMinimal - case string(TrustEnabled): - nc.DataplaneTrust = TrustEnabled - case string(TrustMutual): - nc.DataplaneTrust = TrustMutual - case string(TrustIdentity): - nc.DataplaneTrust = TrustIdentity + case string(EncryptionEnabled): + nc.SystemInternalTLS = EncryptionEnabled + + // The new key takes precedence, but we support compatibility + // for code that has not updated to the new field yet. + nc.InternalEncryption = true default: - return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey]) + return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported", + SystemInternalTLSKey, data[SystemInternalTLSKey]) } - switch strings.ToLower(data[ControlplaneTrustKey]) { - case "", string(TrustDisabled): - // If ControlplaneTrust is not set in the config-network, default is already - // set to TrustDisabled. - case string(TrustEnabled): - nc.ControlplaneTrust = TrustEnabled - case string(TrustMutual): - nc.ControlplaneTrust = TrustMutual + switch strings.ToLower(data[ClusterLocalDomainTLSKey]) { + case "", string(EncryptionDisabled): + // If ClusterLocalDomainTLSKey is not set in the config-network, default is already + // set to EncryptionDisabled. + case string(EncryptionEnabled): + nc.ClusterLocalDomainTLS = EncryptionEnabled default: - return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey]) + return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported", + ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey]) } return nc, nil } -// InternalTLSEnabled returns whether or not InternalEncyrption is enabled. -// Currently only DataplaneTrust is considered. +// InternalTLSEnabled returns whether InternalEncryption is enabled or not. +// Deprecated: please use SystemInternalTLSEnabled() func (c *Config) InternalTLSEnabled() bool { - return tlsEnabled(c.DataplaneTrust) + return tlsEnabled(c.SystemInternalTLS) +} + +// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not. +func (c *Config) SystemInternalTLSEnabled() bool { + return tlsEnabled(c.SystemInternalTLS) } -func tlsEnabled(trust Trust) bool { - return trust == TrustMinimal || - trust == TrustEnabled || - trust == TrustMutual || - trust == TrustIdentity +func tlsEnabled(encryptionConfig EncryptionConfig) bool { + return encryptionConfig == EncryptionEnabled } // GetDomainTemplate returns the golang Template from the config map diff --git a/vendor/modules.txt b/vendor/modules.txt index db5bd5e4d..df6c144af 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1013,7 +1013,7 @@ knative.dev/eventing/pkg/reconciler/source # knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 ## explicit; go 1.18 knative.dev/hack -# knative.dev/networking v0.0.0-20230927121431-c1cae210daec +# knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a ## explicit; go 1.18 knative.dev/networking/pkg/apis/networking knative.dev/networking/pkg/apis/networking/v1alpha1 @@ -1071,7 +1071,7 @@ knative.dev/pkg/tracker knative.dev/pkg/version knative.dev/pkg/webhook knative.dev/pkg/webhook/certificates/resources -# knative.dev/serving v0.38.1-0.20231004014018-b66b18545146 +# knative.dev/serving v0.38.1-0.20231005084506-3eb979a5f24f ## explicit; go 1.18 knative.dev/serving/pkg/apis/autoscaling knative.dev/serving/pkg/apis/autoscaling/v1alpha1