Host cluster-local-domain-tls on cluster-local gateway with SNI #1228
Conversation
knative-prow
bot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
the
approved
knative-prow
bot
added
the
size/L
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #1228 +/- ##
==========================================
- Coverage 81.84% 81.12% -0.72%
==========================================
Files 19 19
Lines 1680 1706 +26
==========================================
+ Hits 1375 1384 +9
- Misses 218 230 +12
- Partials 87 92 +5 ☔ View full report in Codecov by Sentry. |
ReToCode
changed the title
ReToCode
force-pushed
the
cluster-local-tls
branch
from
a9c85e4
to
48aafe4
Compare
knative-prow
bot
added
size/XL
|
Did some testing with Serving @ knative/serving#14610, looks good. Test setup here. @skonto PTAL. Note: I'm fine with waiting until Serving is merged, then we can add this here and also do the full test-set with with net-istio in Serving. |
ReToCode
changed the title
knative-prow
bot
removed
the
do-not-merge/work-in-progress
|
/unhold Serving PR has been merged, @skonto PTAL. |
knative-prow
bot
removed
the
do-not-merge/hold
config/203-local-gateway.yaml
Outdated
| @@ -55,3 +55,6 @@ spec: | |||
| - name: http2 | |||
| port: 80 | |||
| targetPort: 8081 | |||
| - name: https | |||
| port: 443 | |||
| targetPort: 8443 | |||
There was a problem hiding this comment.
To confirm my understanding - the two istio gateways we have actually use the same envoy instance but we use different ports for tenancy
For external ingress we open
- port 80
- port 443 dynamically when we have TLS certs
For internal traffic we have
- port 8081 (this service exposes it on port 80)
- port 8443 (this service exposes it on port 443)
There was a problem hiding this comment.
I see 443 server being added here for external traffic:
net-istio/pkg/reconciler/ingress/resources/gateway.go
Lines 321 to 323 in 6dd62fe
There was a problem hiding this comment.
But I don't see us adding TLS servers on port 8443 for cluster local traffic
There was a problem hiding this comment.
Unfortunately istio is quite confusing in that config:
- Istio has an already open and exposed port 8443 for https (https://github.com/knative-extensions/net-istio/blob/main/third_party/istio-latest/istio-ci-no-mesh/istio.yaml#L9955)
- traffic from external (LB) will end up on 8443 (https://github.com/knative-extensions/net-istio/blob/main/third_party/istio-latest/istio-ci-no-mesh/istio.yaml#L10240)
- The change here will just forward traffic on the local gateway service to the same port
- Istio will use SNI to determine which route to take, if we look at the envoy config for two Knative Services we get
istioctl proxy-config listeners -n istio-system deploy/istio-ingressgateway
ADDRESSES PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 8081 ALL Route: http.8081
0.0.0.0 8443 SNI: helloworld.second,helloworld.second.svc,helloworld.second.svc.cluster.local Route: https.443.second/helloworld:0.helloworld-975966116.second
0.0.0.0 8443 SNI: helloworld.second.172.17.0.100.sslip.io Route: https.443.second/helloworld:0.helloworld-3797421420.second
0.0.0.0 8443 SNI: helloworld.first,helloworld.first.svc,helloworld.first.svc.cluster.local Route: https.443.first/helloworld:0.helloworld-975966116.first
0.0.0.0 8443 SNI: helloworld.first.172.17.0.100.sslip.io Route: https.443.first/helloworld:0.helloworld-3797421420.first
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
So basically, everything https will be on 8443 and routed to 443 to the Knative Service.
- I'm not even sure if we would need to specify the port or not, but that 443 just maps to the containers 8443 port.
There was a problem hiding this comment.
I assume we could use a completely different port for the internal TLS traffic, but not sure what we would gain. As you said, it's a shared component without tenancy anyway.
There was a problem hiding this comment.
It's using tenancy via port isolation so external traffic cannot hit the 'local' gateway ports.
Essentially these ports are public - so we should use a different port for internal tls - otherwise we risk exposing private Knative Services to the internet.
net-istio/third_party/istio-latest/istio-ci-no-mesh/istio.yaml
Lines 10232 to 10247 in 54d8f41
There was a problem hiding this comment.
Maybe this can be configurable after this lands - #1249
There was a problem hiding this comment.
Essentially these ports are public - so we should use a different port for internal tls - otherwise we risk exposing private Knative Services to the internet.
That's a valid point. I'll take a look tomorrow.
There was a problem hiding this comment.
I updated the PR to use a dedicated port for cluster-local-tls (8444). With that I get the following envoy config:
istioctl proxy-config listeners -n istio-system deploy/istio-ingressgateway
ADDRESSES PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 8081 ALL Route: http.8081
0.0.0.0 8443 SNI: helloworld.default.172.17.0.100.sslip.io Route: https.443.default/helloworld:0.helloworld-3797421420.default
0.0.0.0 8444 SNI: helloworld.default,helloworld.default.svc,helloworld.default.svc.cluster.local Route: https.8444.default/helloworld:0.helloworld-975966116.default
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*As 8444 is not exposed, it is now only available cluster locally.
|
As discussed with Reto the landing page of this repo is not ideal. There is no doc explaining what is supported and how. For example here we are moving to a design choice of having one gateway per svc for cluster local stuff but it is not captured somewhere etc. I think we need to spend some time adding content here but also to other net-* repos. |
| @@ -57,10 +57,9 @@ import ( | |||
| ) | |||
|
|
|||
| const ( | |||
| virtualServiceConditionReconciled = "Reconciled" | |||
There was a problem hiding this comment.
+1 this is a relic of some functionality never fixed at the istio side.
| } | ||
|
|
||
| func (r *Reconciler) reconcileDeletion(ctx context.Context, ing *v1alpha1.Ingress) error { | ||
| if !shouldReconcileTLS(ing) { | ||
| func (r *Reconciler) cleanupCertificateSecrets(ctx context.Context, ing *v1alpha1.Ingress) error { |
There was a problem hiding this comment.
Maybe deleteAllDomainCertificateSecrets.
| ingressGateways := []*v1beta1.Gateway{} | ||
| if shouldReconcileTLS(ing) { | ||
| originSecrets, err := resources.GetSecrets(ing, r.secretLister) | ||
| externalIngressGateways := []*v1beta1.Gateway{} |
There was a problem hiding this comment.
var externalIngressGateways []*v1beta1.Gateway or we want an empty slice instead?
|
minor comments, LGTM. We can stamp if @dprotaso has no other comments. |
|
/lgtm
Yeah that's a good point - want to create an issue to capture this work? |
…ive-extensions#1228) * Host cluster-local-domain TLS on local listener with SNI * Use port 8444 for cluster-local TLS traffic (cherry picked from commit 83db165)
* Host cluster-local-domain-tls on cluster-local gateway with SNI (knative-extensions#1228) * Host cluster-local-domain TLS on local listener with SNI * Use port 8444 for cluster-local TLS traffic (cherry picked from commit 83db165) * Update patch to reflect upstream changes
Changes
cluster-local-domain-tlsis enabled and a KSVC exists/kind enhancement
Fixes knative/serving#14374
Release Note
Docs
Will be done once the features is complete