Update certificates and SANs used in Serving

cmd/activator/main.go

@@ -158,16 +158,16 @@ func main() {
 		logger.Fatalw("Failed to construct network config", zap.Error(err))
 	}
 
-	// Enable TLS against queue-proxy when internal-encryption is enabled.
-	tlsEnabled := networkConfig.InternalTLSEnabled()
+	// Enable TLS for connections to queue-proxy when system-internal-tls is enabled.
+	tlsEnabled := networkConfig.SystemInternalTLSEnabled()
 
 	var certCache *certificate.CertCache
 
 	// Enable TLS client when queue-proxy-ca is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
 	if tlsEnabled {
-		logger.Info("Internal Encryption is enabled")
+		logger.Info("Knative Internal TLS is enabled")
 		certCache = certificate.NewCertCache(ctx)
 		transport = pkgnet.NewProxyAutoTLSTransport(env.MaxIdleProxyConns, env.MaxIdleProxyConnsPerHost, &certCache.TLSConf)
 	}
@@ -278,7 +278,7 @@ func main() {
 		}(name, server)
 	}
 
-	// Enable TLS server when internal-encryption is specified.
+	// Enable TLS server when system-internal-tls is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
 	if tlsEnabled {

go.mod

@@ -32,10 +32,10 @@ require (
 	k8s.io/code-generator v0.27.6
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491
-	knative.dev/caching v0.0.0-20230927121431-da42414936d9
+	knative.dev/caching v0.0.0-20231002150103-808ee92ee6f2
 	knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263
-	knative.dev/networking v0.0.0-20230927121431-c1cae210daec
-	knative.dev/pkg v0.0.0-20231002125759-1860700f6ffe
+	knative.dev/networking v0.0.0-20231002150856-97dab159e185
+	knative.dev/pkg v0.0.0-20231002131630-294e777acf1a
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -925,14 +925,14 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/caching v0.0.0-20230927121431-da42414936d9 h1:4VatxDY+XTd4ZnmGviV7SBDvxbW6tAsI7tAvRUFwiTs=
-knative.dev/caching v0.0.0-20230927121431-da42414936d9/go.mod h1:HMAUIHPcIhEUWaSWzTj8eLDrTFa9gkLD6gtrlZ098Jw=
+knative.dev/caching v0.0.0-20231002150103-808ee92ee6f2 h1:ZEp240TFtW7ZQkNFBWXixmMw8XUJsfL5uVDo8nRVDIM=
+knative.dev/caching v0.0.0-20231002150103-808ee92ee6f2/go.mod h1:St0Mg+7hRqq7oCsHm+y3T3a9x87zaylG+DDOLv1gpXc=
 knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 h1:e6r9J1YopzSh6tDCpyKhVBfRUlZ2r0KRo9wupRjdRF4=
 knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230927121431-c1cae210daec h1:FuApkAE1QhvChCQDR3yziqdsZ+LiEM0ZxTdI0qKIMrA=
-knative.dev/networking v0.0.0-20230927121431-c1cae210daec/go.mod h1:U9yqeTf2NtTY5aexYLbE4LAoIt/FAsnoERbnejJKlgI=
-knative.dev/pkg v0.0.0-20231002125759-1860700f6ffe h1:hjBKTt3k7dtsC3LMRXDicPtM0HwERGsJ6CkWVOcts2E=
-knative.dev/pkg v0.0.0-20231002125759-1860700f6ffe/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk=
+knative.dev/networking v0.0.0-20231002150856-97dab159e185 h1:dTo1cDylnLTtTqGONoEM3r1btKtY2S5JBSaCOM7+/VM=
+knative.dev/networking v0.0.0-20231002150856-97dab159e185/go.mod h1:LAT8cu/PGOtik5ABZhhl6h45QrNRXj0uqlpIP0dmLnU=
+knative.dev/pkg v0.0.0-20231002131630-294e777acf1a h1:o3A1May7y6MDLC97LTF+F0uyho97sLC1ypvrlSyOccg=
+knative.dev/pkg v0.0.0-20231002131630-294e777acf1a/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk=
 pgregory.net/rapid v1.0.0 h1:iQaM2w5PZ6xvt6x7hbd7tiDS+nk7YPp5uCaEba+T/F4=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

pkg/activator/certificate/cache.go

@@ -56,7 +56,7 @@ func NewCertCache(ctx context.Context) *CertCache {
 		logger:         logging.FromContext(ctx),
 	}
 
-	secret, err := cr.secretInformer.Lister().Secrets(system.Namespace()).Get(netcfg.ServingInternalCertName)
+	secret, err := cr.secretInformer.Lister().Secrets(system.Namespace()).Get(netcfg.ServingRoutingCertName)
 	if err != nil {
 		cr.logger.Warnw("failed to get secret", zap.Error(err))
 		return nil
@@ -65,7 +65,7 @@ func NewCertCache(ctx context.Context) *CertCache {
 	cr.updateCache(secret)
 
 	secretInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
-		FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), netcfg.ServingInternalCertName),
+		FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), netcfg.ServingRoutingCertName),
 		Handler: cache.ResourceEventHandlerFuncs{
 			UpdateFunc: cr.handleCertificateUpdate,
 			AddFunc:    cr.handleCertificateAdd,

pkg/activator/certificate/cache_test.go

@@ -52,7 +52,7 @@ func fakeCertCache(ctx context.Context) *CertCache {
 	}
 
 	secretInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
-		FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), netcfg.ServingInternalCertName),
+		FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), netcfg.ServingRoutingCertName),
 		Handler: cache.ResourceEventHandlerFuncs{
 			UpdateFunc: cr.handleCertificateUpdate,
 			AddFunc:    cr.handleCertificateAdd,
@@ -78,7 +78,7 @@ func TestReconcile(t *testing.T) {
 
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      netcfg.ServingInternalCertName,
+			Name:      netcfg.ServingRoutingCertName,
 			Namespace: system.Namespace(),
 		},
 		Data: map[string][]byte{

pkg/reconciler/autoscaling/config/store_test.go

@@ -66,7 +66,7 @@ func TestStoreImmutableConfig(t *testing.T) {
 	config := store.Load()
 	config.Autoscaler.MaxScaleUpRate = 100.0
 	config.Deployment.ProgressDeadline = 3 * time.Minute
-	config.Network.DataplaneTrust = netcfg.TrustMinimal
+	config.Network.SystemInternalTLS = netcfg.EncryptionEnabled
 	newConfig := store.Load()
 
 	if newConfig.Autoscaler.MaxScaleUpRate == 100.0 {
@@ -76,7 +76,7 @@ func TestStoreImmutableConfig(t *testing.T) {
 		t.Error("Deployment config is not immutable")
 	}
 
-	if newConfig.Network.DataplaneTrust != netcfg.TrustDisabled {
+	if newConfig.Network.SystemInternalTLS != netcfg.EncryptionDisabled {
 		t.Error("Network config is not immutable")
 	}
 }

pkg/reconciler/autoscaling/kpa/kpa.go

@@ -25,7 +25,6 @@ import (
 	"go.uber.org/zap"
 
 	nv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
-	netcfg "knative.dev/networking/pkg/config"
 	"knative.dev/pkg/logging"
 	pkgmetrics "knative.dev/pkg/metrics"
 	"knative.dev/pkg/ptr"
@@ -129,7 +128,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, pa *autoscalingv1alpha1.
 	// When activator CA is enabled, force activator always in path.
 	// TODO: This is a temporary state and to be fixed.
 	// See also issues/11906 and issues/12797.
-	case config.FromContext(ctx).Network.DataplaneTrust != netcfg.TrustDisabled:
+	case config.FromContext(ctx).Network.SystemInternalTLSEnabled():
 		mode = nv1alpha1.SKSOperationModeProxy
 
 	// If the want == -1 and PA is inactive that implies the autoscaler

pkg/reconciler/autoscaling/kpa/kpa_test.go

@@ -128,7 +128,7 @@ func initialScaleZeroASConfig() *autoscalerconfig.Config {
 
 func activatorCertsNetConfig() *netcfg.Config {
 	nc, _ := netcfg.NewConfigFromMap(map[string]string{
-		netcfg.DataplaneTrustKey: "minimal",
+		netcfg.SystemInternalTLSKey: "enabled",
 	})
 	return nc
 }
@@ -140,7 +140,7 @@ func defaultConfig() *config.Config {
 		deployment.ProgressDeadlineKey:  progressDeadline.String(),
 	})
 	networkConfig, _ := netcfg.NewConfigFromMap(map[string]string{
-		netcfg.DataplaneTrustKey: "disabled",
+		netcfg.SystemInternalTLSKey: "disabled",
 	})
 
 	return &config.Config{

pkg/reconciler/revision/reconcile_resources.go

@@ -203,7 +203,7 @@ func hasDeploymentTimedOut(deployment *appsv1.Deployment) bool {
 func (c *Reconciler) reconcileSecret(ctx context.Context, rev *v1.Revision) error {
 	ns := rev.Namespace
 	logger := logging.FromContext(ctx)
-	logger.Info("Reconciling Secret: ", networking.ServingCertName, " at namespace: ", ns)
+	logger.Info("Reconciling Secret for knative-internal-tls: ", networking.ServingCertName, " at namespace: ", ns)
 
 	secret, err := c.kubeclient.CoreV1().Secrets(ns).Get(ctx, networking.ServingCertName, metav1.GetOptions{})
 	if apierrs.IsNotFound(err) {

pkg/reconciler/revision/resources/deploy.go

@@ -193,7 +193,7 @@ func makePodSpec(rev *v1.Revision, cfg *config.Config) (*corev1.PodSpec, error)
 		extraVolumes = append(extraVolumes, *tokenVolume)
 	}
 
-	if cfg.Network.InternalTLSEnabled() {
+	if cfg.Network.SystemInternalTLSEnabled() {
 		queueContainer.VolumeMounts = append(queueContainer.VolumeMounts, varCertVolumeMount)
 		extraVolumes = append(extraVolumes, certVolume(networking.ServingCertName))
 	}

pkg/reconciler/revision/revision.go

@@ -138,8 +138,8 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, rev *v1.Revision) pkgrec
 		logger.Debug("Revision meta: " + spew.Sdump(rev.ObjectMeta))
 	}
 
-	// Deploy certificate when internal-encryption is enabled.
-	if config.FromContext(ctx).Network.InternalTLSEnabled() {
+	// Deploy certificate when system-internal-tls is enabled.
+	if config.FromContext(ctx).Network.SystemInternalTLSEnabled() {
 		if err := c.reconcileSecret(ctx, rev); err != nil {
 			return err
 		}

pkg/reconciler/route/resources/ingress.go

@@ -29,7 +29,6 @@ import (
 
 	"knative.dev/networking/pkg/apis/networking"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
-	netcfg "knative.dev/networking/pkg/config"
 	netheader "knative.dev/networking/pkg/http/header"
 	ingress "knative.dev/networking/pkg/ingress"
 	"knative.dev/pkg/kmeta"
@@ -150,7 +149,7 @@ func makeIngressSpec(
 				return netv1alpha1.IngressSpec{}, err
 			}
 			rule := makeIngressRule(domains, r.Namespace,
-				visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.DataplaneTrust != netcfg.TrustDisabled)
+				visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.SystemInternalTLSEnabled())
 			if featuresConfig.TagHeaderBasedRouting == apicfg.Enabled {
 				if rule.HTTP.Paths[0].AppendHeaders == nil {
 					rule.HTTP.Paths[0].AppendHeaders = make(map[string]string, 1)
@@ -172,7 +171,7 @@ func makeIngressSpec(
 					// Since names are sorted `DefaultTarget == ""` is the first one,
 					// so just pass the subslice.
 					rule.HTTP.Paths = append(
-						makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.DataplaneTrust != netcfg.TrustDisabled, names[1:]), rule.HTTP.Paths...)
+						makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.SystemInternalTLSEnabled(), names[1:]), rule.HTTP.Paths...)
 				} else {
 					// If a request is routed by a tag-attached hostname instead of the tag header,
 					// the request may not have the tag header "Knative-Serving-Tag",

pkg/reconciler/route/resources/ingress_test.go

@@ -1427,6 +1427,6 @@ func testContextWithHTTPOption() context.Context {
 
 func testContextWithActivatorCA() context.Context {
 	cfg := testConfig()
-	cfg.Network.DataplaneTrust = netcfg.TrustMinimal
+	cfg.Network.SystemInternalTLS = netcfg.EncryptionEnabled
 	return config.ToContext(context.Background(), cfg)
 }

pkg/reconciler/route/resources/service_test.go

@@ -419,7 +419,7 @@ func testConfig() *config.Config {
 			DefaultIngressClass: "test-ingress-class",
 			DomainTemplate:      netcfg.DefaultDomainTemplate,
 			TagTemplate:         netcfg.DefaultTagTemplate,
-			DataplaneTrust:      netcfg.TrustDisabled,
+			SystemInternalTLS:   netcfg.EncryptionDisabled,
 		},
 		Features: &apiConfig.Features{
 			MultiContainer:               apiConfig.Disabled,

test/e2e-common.sh

@@ -376,7 +376,7 @@ function install() {
 
   if (( ENABLE_TLS )); then
     echo "Patch to config-network to enable internal encryption"
-    toggle_feature dataplane-trust minimal config-network
+    toggle_feature system-internal-tls Enabled config-network
     if [[ "$INGRESS_CLASS" == "kourier.ingress.networking.knative.dev" ]]; then
       echo "Point Kourier local gateway to custom server certificates"
       toggle_feature cluster-cert-secret server-certs config-kourier

test/e2e/autoscale_test.go

@@ -175,8 +175,7 @@ func TestTargetBurstCapacity(t *testing.T) {
 	}
 
 	// TODO: Remove this when "activator always stay in path" is eliminated.
-	dataplaneTrustMode := cm.Data[netcfg.DataplaneTrustKey]
-	if (dataplaneTrustMode != "" && !strings.EqualFold(dataplaneTrustMode, string(netcfg.TrustDisabled))) || strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") {
+	if strings.EqualFold(cm.Data[netcfg.SystemInternalTLSKey], string(netcfg.EncryptionEnabled)) {
 		t.Skip("Skipping TestTargetBurstCapacity as activator always stay in path.")
 	}
 

third_party/kourier-latest/kourier.yaml

@@ -20,7 +20,7 @@ metadata:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
 
 ---
 # Copyright 2020 The Knative Authors
@@ -45,7 +45,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 data:
   envoy-bootstrap.yaml: |
@@ -168,7 +168,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 data:
   _example: |
@@ -248,7 +248,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -258,7 +258,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 rules:
   - apiGroups: [""]
@@ -287,7 +287,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -321,7 +321,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   strategy:
@@ -343,7 +343,7 @@ spec:
         app: net-kourier-controller
     spec:
       containers:
-        - image: gcr.io/knative-nightly/knative.dev/net-kourier/cmd/kourier@sha256:b123c5d33409b1c0f5101c4854fee072304aff378bca41904607fc994c1741cc
+        - image: gcr.io/knative-nightly/knative.dev/net-kourier/cmd/kourier@sha256:aac4bc094dfe1affef95d1071507f4156cb6449b6681711f64339fd0c789debe
           name: controller
           env:
             - name: CERTS_SECRET_NAMESPACE
@@ -408,7 +408,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   ports:
@@ -443,7 +443,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   strategy:
@@ -552,7 +552,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   ports:
@@ -576,7 +576,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   ports:
@@ -600,7 +600,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   minReplicas: 1
@@ -626,7 +626,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20230928-644b5c84"
+    app.kubernetes.io/version: "20231003-a895a08a"
     app.kubernetes.io/name: knative-serving
 spec:
   minAvailable: 80%