From ba54857a7fdcb5bd2ef67110cee3650666e0171d Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Fri, 22 Sep 2023 10:52:44 -0400
Subject: [PATCH] run update-deps
---
 go.sum | 4 +-
 .../networking/config/config-network.yaml | 77 +++++-----
 .../apis/networking/metadata_validation.go | 1 -
 .../pkg/apis/networking/register.go | 21 +--
 .../networking/pkg/config/config.go | 136 ++++++++----
 vendor/modules.txt | 3 +-
 6 files changed, 109 insertions(+), 133 deletions(-)
diff --git a/go.sum b/go.sum
index 43bc2a0f4464..7a85a04baa91 100644
--- a/go.sum
+++ b/go.sum
@@ -68,8 +68,6 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ReToCode/networking v0.0.0-20230922054024-0ad79f254634 h1:mM/83eiu9VRn3HcyJJq31Dy4sjjVzGYG4sBw+kYhhUM=
-github.com/ReToCode/networking v0.0.0-20230922054024-0ad79f254634/go.mod h1:t5rGgqqJ55N1KdGcaT/S/3mVJfttqQx0xa/wxcLC09w=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/ahmetb/gen-crd-api-reference-docs v0.3.1-0.20210609063737-0067dc6dcea2 h1:t/ces1/q8tuApSb+T5ajsu3wqkofUT43U1gpDYTPYME=
@@ -927,6 +925,8 @@ knative.dev/caching v0.0.0-20230920131814-94468139a072 h1:IstfPsvNrNYLN/pqYkCeEi
 knative.dev/caching v0.0.0-20230920131814-94468139a072/go.mod h1:qD/ScmVr6Z7v23FL1JL8rCrPdvAN2WokwVGLdqGLSmc=
 knative.dev/hack v0.0.0-20230921145603-c4a34c34512e h1:6Va+yK7+Sjtnck9dsCDsgk/1k+K0Hx9HPZ2ZJ7mRJFs=
 knative.dev/hack v0.0.0-20230921145603-c4a34c34512e/go.mod h1:dx0YG3YWqJu653e9tjcT0Q1ZdS9JJXLKbUhzr4EB0g8=
+knative.dev/networking v0.0.0-20230921070414-6aa88055400d h1:avwL7zSaTNm9rdi0gVKLYLQ71iYmM7LKP71xrQV/AH4=
+knative.dev/networking v0.0.0-20230921070414-6aa88055400d/go.mod h1:5MM0oDUBDW1Y6pqxr3FPSpHL07ajdKSzHGtjV+j0BZw=
 knative.dev/pkg v0.0.0-20230920131713-8761ceb9297f h1:ZapGIwjj8yUNfXhLo6f/DuDnNGV4UrqTIwVgxRir9HI=
 knative.dev/pkg v0.0.0-20230920131713-8761ceb9297f/go.mod h1:a133faJchgmFZIJyOOcFq34NbWnrUcOvwVKgK6hfrHE=
 pgregory.net/rapid v1.0.0 h1:iQaM2w5PZ6xvt6x7hbd7tiDS+nk7YPp5uCaEba+T/F4=
diff --git a/vendor/knative.dev/networking/config/config-network.yaml b/vendor/knative.dev/networking/config/config-network.yaml
index 13241801471b..8f3a7399812f 100644
--- a/vendor/knative.dev/networking/config/config-network.yaml
+++ b/vendor/knative.dev/networking/config/config-network.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: networking
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "b2698fe8"
+ knative.dev/example-checksum: "cfad3b9a"
 data:
 _example: |
 ################################
@@ -73,7 +73,7 @@ data:
 # namespace-wildcard-cert-selector: {}
 #
 # Useful labels include the "kubernetes.io/metadata.name" label to
- # avoid provisioning a certificate for the "kube-system" namespaces.
+ # avoid provisioning a certifcate for the "kube-system" namespaces.
 # Use the following selector to match pre-1.0 behavior of using
 # "networking.knative.dev/disableWildcardCert" to exclude namespaces:
 #
@@ -114,45 +114,16 @@ data:
 # domain-template above to determine the full URL for the tag.
 tag-template: "{{.Tag}}-{{.Name}}"
- # auto-tls is deprecated and replaced by external-domain-tls
- auto-tls: "Disabled"
-
 # Controls whether TLS certificates are automatically provisioned and
- # installed in the Knative ingress to terminate TLS connections
- # for cluster external domains (like: app.example.com)
- # - Enabled: enables the TLS certificate provisioning feature for cluster external domains.
- # - Disabled: disables the TLS certificate provisioning feature for cluster external domains.
- external-domain-tls: "Disabled"
-
- # Controls weather TLS certificates are automatically provisioned and
- # installed in the Knative ingress to terminate TLS connections
- # for cluster local domains (like: app.namespace.svc.cluster.local)
- # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
- # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- cluster-local-domain-tls: "Disabled"
-
- # internal-encryption is deprecated and replaced by system-internal-tls
- internal-encryption: "false"
-
- # system-internal-tls controls weather TLS encryption is used for connections between
- # the internal components of Knative:
- # - ingress to activator
- # - ingress to queue-proxy
- # - activator to queue-proxy
- #
- # Possible values for this flag are:
- # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
- # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
- # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
- # for now. Use with caution.
- system-internal-tls: "Disabled"
+ # installed in the Knative ingress to terminate external TLS connection.
+ # 1. Enabled: enabling auto-TLS feature.
+ # 2. Disabled: disabling auto-TLS feature.
+ auto-tls: "Disabled"
 # Controls the behavior of the HTTP endpoint for the Knative ingress.
 # It requires auto-tls to be enabled.
- # - Enabled: The Knative ingress will be able to serve HTTP connection.
- # - Redirected: The Knative ingress will send a 301 redirect for all
+ # 1. Enabled: The Knative ingress will be able to serve HTTP connection.
+ # 2. Redirected: The Knative ingress will send a 301 redirect for all
 # http connections, asking the clients to use HTTPS.
 #
 # "Disabled" option is deprecated.
@@ -201,3 +172,35 @@ data:
 # fronting Knative with an external loadbalancer that deals with TLS termination and
 # Knative doesn't know about that otherwise.
 default-external-scheme: "http"
+
+ # internal-encryption is deprecated and replaced by dataplane-trust and controlplane-trust
+ # internal-encryption indicates whether internal traffic is encrypted or not.
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+ # for now. Use with caution.
+ internal-encryption: "false"
+
+ # dataplane-trust indicates the level of trust established in the knative data-plane.
+ # dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic
+ # Using any other value ensures that the following traffic is encrypted using TLS:
+ # - ingress to activator
+ # - ingress to queue-proxy
+ # - activator to queue-proxy
+ #
+ # dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc
+ # dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace
+ # dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress
+ # dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
+ dataplane-trust: "disabled"
+
+ # controlplane-trust indicates the level of trust established in the knative control-plane.
+ # controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic
+ # Using any other value ensures that control traffic is encrypted using TLS.
+ #
+ # controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server)
+ # controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other)
+ #
+ # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
+ controlplane-trust: "disabled"
diff --git a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
index fbd6c155fd60..85f69717fc8f 100644
--- a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
+++ b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
@@ -29,7 +29,6 @@ var (
 IngressClassAnnotationKey,
 CertificateClassAnnotationKey,
 DisableAutoTLSAnnotationKey,
- DisableExternalDomainTLSAnnotationKey,
 HTTPOptionAnnotationKey,
 IngressClassAnnotationAltKey,
diff --git a/vendor/knative.dev/networking/pkg/apis/networking/register.go b/vendor/knative.dev/networking/pkg/apis/networking/register.go
index e88e9b5c0455..f7bdd81d7d3c 100644
--- a/vendor/knative.dev/networking/pkg/apis/networking/register.go
+++ b/vendor/knative.dev/networking/pkg/apis/networking/register.go
@@ -70,17 +70,11 @@ const (
 // DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 // to indicate that AutoTLS should not be enabled for it.
- // Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 // DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
- // Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
- // DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
- // to indicate that external-domain-tls should not be enabled for it.
- DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"
-
 // HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 // to indicate the HTTP option of it.
 HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -136,15 +130,9 @@ var (
 CertificateClassAnnotationAltKey,
 }
- // Deprecated: use DisableExternalDomainTLSAnnotation instead.
- DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation
-
- DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
- // backward compatibility
+ DisableAutoTLSAnnotation = kmap.KeyPriority{
 DisableAutoTLSAnnotationKey,
 DisableAutoTLSAnnotationAltKey,
-
- DisableExternalDomainTLSAnnotationKey,
 }
 HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -165,9 +153,6 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 return HTTPProtocolAnnotation.Value(annotations)
 }
-// Deprecated: use GetDisableExternalDomainTLS instead.
-var GetDisableAutoTLS = GetDisableExternalDomainTLS
-func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
- return DisableExternalDomainTLSAnnotation.Value(annotations)
+func GetDisableAutoTLS(annotations map[string]string) (val string) {
+ return DisableAutoTLSAnnotation.Value(annotations)
 }
diff --git a/vendor/knative.dev/networking/pkg/config/config.go b/vendor/knative.dev/networking/pkg/config/config.go
index e65570e4ac1a..f27c7865e4b8 100644
--- a/vendor/knative.dev/networking/pkg/config/config.go
+++ b/vendor/knative.dev/networking/pkg/config/config.go
@@ -92,17 +92,8 @@ const (
 // AutoTLSKey is the name of the configuration entry
 // that specifies enabling auto-TLS or not.
- // Deprecated: please use ExternalDomainTLSKey.
 AutoTLSKey = "auto-tls"
- // ExternalDomainTLSKey is the name of the configuration entry
- // that specifies if external-domain-tls is enabled or not.
- ExternalDomainTLSKey = "external-domain-tls"
-
- // ClusterLocalDomainTLSKey is the name of the configuration entry
- // that specifies if cluster-local-domain-tls is enabled or not.
- ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
-
 // DefaultCertificateClassKey is the name of the configuration entry
 // that specifies the default Certificate.
 DefaultCertificateClassKey = "certificate-class"
@@ -143,26 +134,39 @@ const (
 // hostname for a Route's tag.
 TagTemplateKey = "tag-template"
+ // InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey.
 // InternalEncryptionKey is the name of the configuration whether
 // internal traffic is encrypted or not.
- // Deprecated: please use SystemInternalTLSKey.
 InternalEncryptionKey = "internal-encryption"
- // SystemInternalTLSKey is the name of the configuration whether
- // traffic between Knative system components is encrypted or not.
- SystemInternalTLSKey = "system-internal-tls"
+ // DataplaneTrustKey is the name of the configuration entry
+ // defining the level of trust used for data plane traffic.
+ DataplaneTrustKey = "dataplane-trust"
+
+ // ControlplaneTrustKey is the name of the configuration entry
+ // defining the level of trust used for control plane traffic.
+ ControlplaneTrustKey = "controlplane-trust"
 )
-// EncryptionConfig indicates the encryption configuration
-// used for TLS connections.
-type EncryptionConfig string
+// HTTPProtocol indicates a type of HTTP endpoint behavior
+// that Knative ingress could take.
+type Trust string
 const (
- // EncryptionDisabled - TLS not used.
- EncryptionDisabled EncryptionConfig = "disabled"
+ // TrustDisabled - TLS not used
+ TrustDisabled Trust = "disabled"
+
+ // TrustMinimal - TLS used. We verify that the server is using Knative certificates
+ TrustMinimal Trust = "minimal"
+
+ // TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
+ TrustEnabled Trust = "enabled"
- // EncryptionEnabled - TLS used. The client verifies the servers certificate.
- EncryptionEnabled EncryptionConfig = "enabled"
+ // TrustMutual - same as TrustEnabled and we also verify the identity of the client.
+ TrustMutual Trust = "mutual"
+
+ // TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
+ TrustIdentity Trust = "identity"
 )
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -240,12 +244,8 @@ type Config struct {
 TagTemplate string
 // AutoTLS specifies if auto-TLS is enabled or not.
- // Deprecated: please use ExternalDomainTLS instead.
 AutoTLS bool
- // ExternalDomainTLS specifies if external-domain-tls is enabled or not.
- ExternalDomainTLS bool
-
 // HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 // ingress.
 HTTPProtocol HTTPProtocol
@@ -293,15 +293,15 @@ type Config struct {
 // not enabled. Defaults to "http".
 DefaultExternalScheme string
+ // Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 // InternalEncryption specifies whether internal traffic is encrypted or not.
- // Deprecated: please use SystemInternalTLSKey instead.
 InternalEncryption bool
- // SystemInternalTLS specifies whether knative internal traffic is encrypted or not.
- SystemInternalTLS EncryptionConfig
+ // DataplaneTrust specifies the level of trust used for date plane.
+ DataplaneTrust Trust
- // ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
- ClusterLocalDomainTLS EncryptionConfig
+ // ControlplaneTrust specifies the level of trust used for control plane.
+ ControlplaneTrust Trust
 }
 func defaultConfig() *Config {
@@ -311,15 +311,14 @@ func defaultConfig() *Config {
 DomainTemplate: DefaultDomainTemplate,
 TagTemplate: DefaultTagTemplate,
 AutoTLS: false,
- ExternalDomainTLS: false,
 NamespaceWildcardCertSelector: nil,
 HTTPProtocol: HTTPEnabled,
 AutocreateClusterDomainClaims: false,
 DefaultExternalScheme: "http",
 MeshCompatibilityMode: MeshCompatibilityModeAuto,
 InternalEncryption: false,
- SystemInternalTLS: EncryptionDisabled,
- ClusterLocalDomainTLS: EncryptionDisabled,
+ DataplaneTrust: TrustDisabled,
+ ControlplaneTrust: TrustDisabled,
 }
 }
@@ -384,23 +383,12 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 }
 templateCache.Add(nc.TagTemplate, t)
- // external-domain-tls and auto-tls
 if val, ok := data["autoTLS"]; ok {
 nc.AutoTLS = strings.EqualFold(val, "enabled")
 }
 if val, ok := data[AutoTLSKey]; ok {
 nc.AutoTLS = strings.EqualFold(val, "enabled")
 }
- if val, ok := data[ExternalDomainTLSKey]; ok {
- nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
-
- // The new key takes precedence, but we support compatibility
- // for code that has not updated to the new field yet.
- nc.AutoTLS = nc.ExternalDomainTLS
- } else {
- // backward compatibility: if the new key is not set, use the value from the old key
- nc.ExternalDomainTLS = nc.AutoTLS
- }
 var httpProtocol string
 if val, ok := data["httpProtocol"]; ok {
@@ -422,52 +410,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 }
- switch strings.ToLower(data[SystemInternalTLSKey]) {
- case "", string(EncryptionDisabled):
- // If SystemInternalTLSKey is not set in the config-network, default is already
- // set to EncryptionDisabled.
+ switch strings.ToLower(data[DataplaneTrustKey]) {
+ case "", string(TrustDisabled):
+ // If DataplaneTrus is not set in the config-network, default is already
+ // set to TrustDisabled.
 if nc.InternalEncryption {
 // Backward compatibility
- nc.SystemInternalTLS = EncryptionEnabled
+ nc.DataplaneTrust = TrustMinimal
 }
- case string(EncryptionEnabled):
- nc.SystemInternalTLS = EncryptionEnabled
-
- // The new key takes precedence, but we support compatibility
- // for code that has not updated to the new field yet.
- nc.InternalEncryption = true
+ case string(TrustMinimal):
+ nc.DataplaneTrust = TrustMinimal
+ case string(TrustEnabled):
+ nc.DataplaneTrust = TrustEnabled
+ case string(TrustMutual):
+ nc.DataplaneTrust = TrustMutual
+ case string(TrustIdentity):
+ nc.DataplaneTrust = TrustIdentity
 default:
- return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
- SystemInternalTLSKey, data[SystemInternalTLSKey])
+ return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
 }
- switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
- case "", string(EncryptionDisabled):
- // If ClusterLocalDomainTLSKey is not set in the config-network, default is already
- // set to EncryptionDisabled.
- case string(EncryptionEnabled):
- nc.ClusterLocalDomainTLS = EncryptionEnabled
+ switch strings.ToLower(data[ControlplaneTrustKey]) {
+ case "", string(TrustDisabled):
+ // If ControlplaneTrust is not set in the config-network, default is already
+ // set to TrustDisabled.
+ case string(TrustEnabled):
+ nc.ControlplaneTrust = TrustEnabled
+ case string(TrustMutual):
+ nc.ControlplaneTrust = TrustMutual
 default:
- return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
- ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
+ return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
 }
 return nc, nil
 }
-// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
-// Deprecated: please use SystemInternalTLSEnabled()
+// InternalTLSEnabled returns whether or not InternalEncyrption is enabled.
+// Currently only DataplaneTrust is considered.
 func (c *Config) InternalTLSEnabled() bool {
- return tlsEnabled(c.SystemInternalTLS)
-}
-
-// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not.
-func (c *Config) SystemInternalTLSEnabled() bool {
- return tlsEnabled(c.SystemInternalTLS)
+ return tlsEnabled(c.DataplaneTrust)
 }
-func tlsEnabled(encryptionConfig EncryptionConfig) bool {
- return encryptionConfig == EncryptionEnabled
+func tlsEnabled(trust Trust) bool {
+ return trust == TrustMinimal ||
+ trust == TrustEnabled ||
+ trust == TrustMutual ||
+ trust == TrustIdentity
 }
 // GetDomainTemplate returns the golang Template from the config map
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 30184618b884..63f6841899be 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1288,7 +1288,7 @@ knative.dev/caching/pkg/client/listers/caching/v1alpha1
 ## explicit; go 1.18
 knative.dev/hack
 knative.dev/hack/shell
-# knative.dev/networking v0.0.0-20230911132222-48042038ea3d => github.com/ReToCode/networking v0.0.0-20230922054024-0ad79f254634
+# knative.dev/networking v0.0.0-20230921070414-6aa88055400d
 ## explicit; go 1.18
 knative.dev/networking/config
 knative.dev/networking/pkg
@@ -1455,3 +1455,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.3.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
+# knative.dev/networking v0.0.0-20230911132222-48042038ea3d => github.com/ReToCode/networking v0.0.0-20230922054024-0ad79f254634