-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Host cluster-local-domain-tls on cluster-local gateway with SNI #1228
Host cluster-local-domain-tls on cluster-local gateway with SNI #1228
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #1228 +/- ##
==========================================
- Coverage 81.84% 81.12% -0.72%
==========================================
Files 19 19
Lines 1680 1706 +26
==========================================
+ Hits 1375 1384 +9
- Misses 218 230 +12
- Partials 87 92 +5 ☔ View full report in Codecov by Sentry. |
a9c85e4
to
48aafe4
Compare
Did some testing with Serving @ knative/serving#14610, looks good. Test setup here. @skonto PTAL. Note: I'm fine with waiting until Serving is merged, then we can add this here and also do the full test-set with with net-istio in Serving. |
/unhold Serving PR has been merged, @skonto PTAL. |
config/203-local-gateway.yaml
Outdated
@@ -55,3 +55,6 @@ spec: | |||
- name: http2 | |||
port: 80 | |||
targetPort: 8081 | |||
- name: https | |||
port: 443 | |||
targetPort: 8443 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To confirm my understanding - the two istio gateways we have actually use the same envoy instance but we use different ports for tenancy
For external ingress we open
- port 80
- port 443 dynamically when we have TLS certs
For internal traffic we have
- port 8081 (this service exposes it on port 80)
- port 8443 (this service exposes it on port 443)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see 443 server being added here for external traffic:
net-istio/pkg/reconciler/ingress/resources/gateway.go
Lines 321 to 323 in 6dd62fe
Name: fmt.Sprintf(portNamePrefix(ing.GetNamespace(), ing.GetName())+":%d", i), | |
Number: 443, | |
Protocol: "HTTPS", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But I don't see us adding TLS servers on port 8443 for cluster local traffic
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately istio is quite confusing in that config:
- Istio has an already open and exposed port 8443 for https (https://github.com/knative-extensions/net-istio/blob/main/third_party/istio-latest/istio-ci-no-mesh/istio.yaml#L9955)
- traffic from external (LB) will end up on 8443 (https://github.com/knative-extensions/net-istio/blob/main/third_party/istio-latest/istio-ci-no-mesh/istio.yaml#L10240)
- The change here will just forward traffic on the local gateway service to the same port
- Istio will use SNI to determine which route to take, if we look at the envoy config for two Knative Services we get
istioctl proxy-config listeners -n istio-system deploy/istio-ingressgateway
ADDRESSES PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 8081 ALL Route: http.8081
0.0.0.0 8443 SNI: helloworld.second,helloworld.second.svc,helloworld.second.svc.cluster.local Route: https.443.second/helloworld:0.helloworld-975966116.second
0.0.0.0 8443 SNI: helloworld.second.172.17.0.100.sslip.io Route: https.443.second/helloworld:0.helloworld-3797421420.second
0.0.0.0 8443 SNI: helloworld.first,helloworld.first.svc,helloworld.first.svc.cluster.local Route: https.443.first/helloworld:0.helloworld-975966116.first
0.0.0.0 8443 SNI: helloworld.first.172.17.0.100.sslip.io Route: https.443.first/helloworld:0.helloworld-3797421420.first
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
So basically, everything https will be on 8443 and routed to 443 to the Knative Service.
- I'm not even sure if we would need to specify the port or not, but that 443 just maps to the containers 8443 port.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume we could use a completely different port for the internal TLS traffic, but not sure what we would gain. As you said, it's a shared component without tenancy anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's using tenancy via port isolation so external traffic cannot hit the 'local' gateway ports.
Essentially these ports are public - so we should use a different port for internal tls - otherwise we risk exposing private Knative Services to the internet.
net-istio/third_party/istio-latest/istio-ci-no-mesh/istio.yaml
Lines 10232 to 10247 in 54d8f41
- name: status-port | |
port: 15021 | |
protocol: TCP | |
targetPort: 15021 | |
- name: http2 | |
port: 80 | |
protocol: TCP | |
targetPort: 8080 | |
- name: https | |
port: 443 | |
protocol: TCP | |
targetPort: 8443 | |
selector: | |
app: istio-ingressgateway | |
istio: ingressgateway | |
type: LoadBalancer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this can be configurable after this lands - #1249
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Essentially these ports are public - so we should use a different port for internal tls - otherwise we risk exposing private Knative Services to the internet.
That's a valid point. I'll take a look tomorrow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the PR to use a dedicated port for cluster-local-tls (8444). With that I get the following envoy config:
istioctl proxy-config listeners -n istio-system deploy/istio-ingressgateway
ADDRESSES PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 8081 ALL Route: http.8081
0.0.0.0 8443 SNI: helloworld.default.172.17.0.100.sslip.io Route: https.443.default/helloworld:0.helloworld-3797421420.default
0.0.0.0 8444 SNI: helloworld.default,helloworld.default.svc,helloworld.default.svc.cluster.local Route: https.8444.default/helloworld:0.helloworld-975966116.default
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
As 8444 is not exposed, it is now only available cluster locally.
As discussed with Reto the landing page of this repo is not ideal. There is no doc explaining what is supported and how. For example here we are moving to a design choice of having one gateway per svc for cluster local stuff but it is not captured somewhere etc. I think we need to spend some time adding content here but also to other net-* repos. |
@@ -57,10 +57,9 @@ import ( | |||
) | |||
|
|||
const ( | |||
virtualServiceConditionReconciled = "Reconciled" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 this is a relic of some functionality never fixed at the istio side.
} | ||
|
||
func (r *Reconciler) reconcileDeletion(ctx context.Context, ing *v1alpha1.Ingress) error { | ||
if !shouldReconcileTLS(ing) { | ||
func (r *Reconciler) cleanupCertificateSecrets(ctx context.Context, ing *v1alpha1.Ingress) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe deleteAllDomainCertificateSecrets
.
ingressGateways := []*v1beta1.Gateway{} | ||
if shouldReconcileTLS(ing) { | ||
originSecrets, err := resources.GetSecrets(ing, r.secretLister) | ||
externalIngressGateways := []*v1beta1.Gateway{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var externalIngressGateways []*v1beta1.Gateway
or we want an empty slice instead?
minor comments, LGTM. We can stamp if @dprotaso has no other comments. |
/lgtm
Yeah that's a good point - want to create an issue to capture this work? |
…ive-extensions#1228) * Host cluster-local-domain TLS on local listener with SNI * Use port 8444 for cluster-local TLS traffic (cherry picked from commit 83db165)
* Host cluster-local-domain-tls on cluster-local gateway with SNI (knative-extensions#1228) * Host cluster-local-domain TLS on local listener with SNI * Use port 8444 for cluster-local TLS traffic (cherry picked from commit 83db165) * Update patch to reflect upstream changes
Changes
cluster-local-domain-tls
is enabled and a KSVC exists/kind enhancement
Fixes knative/serving#14374
Release Note
Docs
Will be done once the features is complete