run update deps

go.sum

@@ -38,8 +38,6 @@ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ReToCode/networking v0.0.0-20230922054024-0ad79f254634 h1:mM/83eiu9VRn3HcyJJq31Dy4sjjVzGYG4sBw+kYhhUM=
-github.com/ReToCode/networking v0.0.0-20230922054024-0ad79f254634/go.mod h1:t5rGgqqJ55N1KdGcaT/S/3mVJfttqQx0xa/wxcLC09w=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=

vendor/knative.dev/networking/config/config-network.yaml

@@ -22,7 +22,7 @@ metadata:
     app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
   annotations:
-    knative.dev/example-checksum: "b2698fe8"
+    knative.dev/example-checksum: "cfad3b9a"
 data:
   _example: |
     ################################
@@ -73,7 +73,7 @@ data:
     #   namespace-wildcard-cert-selector: {}
     #
     # Useful labels include the "kubernetes.io/metadata.name" label to
-    # avoid provisioning a certificate for the "kube-system" namespaces.
+    # avoid provisioning a certifcate for the "kube-system" namespaces.
     # Use the following selector to match pre-1.0 behavior of using
     # "networking.knative.dev/disableWildcardCert" to exclude namespaces:
     #
@@ -114,45 +114,16 @@ data:
     # domain-template above to determine the full URL for the tag.
     tag-template: "{{.Tag}}-{{.Name}}"
 
-    # auto-tls is deprecated and replaced by external-domain-tls
-    auto-tls: "Disabled"
-
     # Controls whether TLS certificates are automatically provisioned and
-    # installed in the Knative ingress to terminate TLS connections
-    # for cluster external domains (like: app.example.com)
-    # - Enabled: enables the TLS certificate provisioning feature for cluster external domains.
-    # - Disabled: disables the TLS certificate provisioning feature for cluster external domains.
-    external-domain-tls: "Disabled"
-
-    # Controls weather TLS certificates are automatically provisioned and
-    # installed in the Knative ingress to terminate TLS connections
-    # for cluster local domains (like: app.namespace.svc.cluster.local)
-    # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
-    # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    cluster-local-domain-tls: "Disabled"
-
-    # internal-encryption is deprecated and replaced by system-internal-tls
-    internal-encryption: "false"
-
-    # system-internal-tls controls weather TLS encryption is used for connections between
-    # the internal components of Knative:
-    # - ingress to activator
-    # - ingress to queue-proxy
-    # - activator to queue-proxy
-    #
-    # Possible values for this flag are:
-    # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
-    # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    system-internal-tls: "Disabled"
+    # installed in the Knative ingress to terminate external TLS connection.
+    # 1. Enabled: enabling auto-TLS feature.
+    # 2. Disabled: disabling auto-TLS feature.
+    auto-tls: "Disabled"
 
     # Controls the behavior of the HTTP endpoint for the Knative ingress.
     # It requires auto-tls to be enabled.
-    # - Enabled: The Knative ingress will be able to serve HTTP connection.
-    # - Redirected: The Knative ingress will send a 301 redirect for all
+    # 1. Enabled: The Knative ingress will be able to serve HTTP connection.
+    # 2. Redirected: The Knative ingress will send a 301 redirect for all
     # http connections, asking the clients to use HTTPS.
     #
     # "Disabled" option is deprecated.
@@ -201,3 +172,35 @@ data:
     # fronting Knative with an external loadbalancer that deals with TLS termination and
     # Knative doesn't know about that otherwise.
     default-external-scheme: "http"
+
+    # internal-encryption is deprecated and replaced by dataplane-trust and controlplane-trust
+    # internal-encryption indicates whether internal traffic is encrypted or not.
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    internal-encryption: "false"
+
+    # dataplane-trust indicates the level of trust established in the knative data-plane.
+    # dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic
+    # Using any other value ensures that the following traffic is encrypted using TLS:
+    #  - ingress to activator
+    #  - ingress to queue-proxy
+    #  - activator to queue-proxy
+    #
+    # dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc
+    # dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace
+    # dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress
+    # dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
+    dataplane-trust: "disabled"
+
+    # controlplane-trust indicates the level of trust established in the knative control-plane.
+    # controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic
+    # Using any other value ensures that control traffic is encrypted using TLS.
+    #
+    # controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server)
+    # controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other)
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
+    controlplane-trust: "disabled"

vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go

@@ -29,7 +29,6 @@ var (
 		IngressClassAnnotationKey,
 		CertificateClassAnnotationKey,
 		DisableAutoTLSAnnotationKey,
-		DisableExternalDomainTLSAnnotationKey,
 		HTTPOptionAnnotationKey,
 
 		IngressClassAnnotationAltKey,

vendor/knative.dev/networking/pkg/apis/networking/register.go

@@ -70,17 +70,11 @@ const (
 
 	// DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate that AutoTLS should not be enabled for it.
-	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 
 	// DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
-	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
 
-	// DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
-	// to indicate that external-domain-tls should not be enabled for it.
-	DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"
-
 	// HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate the HTTP option of it.
 	HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -136,15 +130,9 @@ var (
 		CertificateClassAnnotationAltKey,
 	}
 
-	// Deprecated: use DisableExternalDomainTLSAnnotation instead.
-	DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation
-
-	DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
-		// backward compatibility
+	DisableAutoTLSAnnotation = kmap.KeyPriority{
 		DisableAutoTLSAnnotationKey,
 		DisableAutoTLSAnnotationAltKey,
-
-		DisableExternalDomainTLSAnnotationKey,
 	}
 
 	HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -165,9 +153,6 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 	return HTTPProtocolAnnotation.Value(annotations)
 }
 
-// Deprecated: use GetDisableExternalDomainTLS instead.
-var GetDisableAutoTLS = GetDisableExternalDomainTLS
-
-func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
-	return DisableExternalDomainTLSAnnotation.Value(annotations)
+func GetDisableAutoTLS(annotations map[string]string) (val string) {
+	return DisableAutoTLSAnnotation.Value(annotations)
 }

vendor/knative.dev/networking/pkg/config/config.go

@@ -92,17 +92,8 @@ const (
 
 	// AutoTLSKey is the name of the configuration entry
 	// that specifies enabling auto-TLS or not.
-	// Deprecated: please use ExternalDomainTLSKey.
 	AutoTLSKey = "auto-tls"
 
-	// ExternalDomainTLSKey is the name of the configuration entry
-	// that specifies if external-domain-tls is enabled or not.
-	ExternalDomainTLSKey = "external-domain-tls"
-
-	// ClusterLocalDomainTLSKey is the name of the configuration entry
-	// that specifies if cluster-local-domain-tls is enabled or not.
-	ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
-
 	// DefaultCertificateClassKey is the name of the configuration entry
 	// that specifies the default Certificate.
 	DefaultCertificateClassKey = "certificate-class"
@@ -143,26 +134,39 @@ const (
 	// hostname for a Route's tag.
 	TagTemplateKey = "tag-template"
 
+	// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey.
 	// InternalEncryptionKey is the name of the configuration whether
 	// internal traffic is encrypted or not.
-	// Deprecated: please use SystemInternalTLSKey.
 	InternalEncryptionKey = "internal-encryption"
 
-	// SystemInternalTLSKey is the name of the configuration whether
-	// traffic between Knative system components is encrypted or not.
-	SystemInternalTLSKey = "system-internal-tls"
+	// DataplaneTrustKey is the name of the configuration entry
+	// defining the level of trust used for data plane traffic.
+	DataplaneTrustKey = "dataplane-trust"
+
+	// ControlplaneTrustKey is the name of the configuration entry
+	// defining the level of trust used for control plane traffic.
+	ControlplaneTrustKey = "controlplane-trust"
 )
 
-// EncryptionConfig indicates the encryption configuration
-// used for TLS connections.
-type EncryptionConfig string
+// HTTPProtocol indicates a type of HTTP endpoint behavior
+// that Knative ingress could take.
+type Trust string
 
 const (
-	// EncryptionDisabled - TLS not used.
-	EncryptionDisabled EncryptionConfig = "disabled"
+	// TrustDisabled - TLS not used
+	TrustDisabled Trust = "disabled"
+
+	// TrustMinimal - TLS used. We verify that the server is using Knative certificates
+	TrustMinimal Trust = "minimal"
+
+	// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
+	TrustEnabled Trust = "enabled"
 
-	// EncryptionEnabled - TLS used. The client verifies the servers certificate.
-	EncryptionEnabled EncryptionConfig = "enabled"
+	// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
+	TrustMutual Trust = "mutual"
+
+	// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
+	TrustIdentity Trust = "identity"
 )
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -240,12 +244,8 @@ type Config struct {
 	TagTemplate string
 
 	// AutoTLS specifies if auto-TLS is enabled or not.
-	// Deprecated: please use ExternalDomainTLS instead.
 	AutoTLS bool
 
-	// ExternalDomainTLS specifies if external-domain-tls is enabled or not.
-	ExternalDomainTLS bool
-
 	// HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 	// ingress.
 	HTTPProtocol HTTPProtocol
@@ -293,15 +293,15 @@ type Config struct {
 	// not enabled. Defaults to "http".
 	DefaultExternalScheme string
 
+	// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 	// InternalEncryption specifies whether internal traffic is encrypted or not.
-	// Deprecated: please use SystemInternalTLSKey instead.
 	InternalEncryption bool
 
-	// SystemInternalTLS specifies whether knative internal traffic is encrypted or not.
-	SystemInternalTLS EncryptionConfig
+	// DataplaneTrust specifies the level of trust used for date plane.
+	DataplaneTrust Trust
 
-	// ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
-	ClusterLocalDomainTLS EncryptionConfig
+	// ControlplaneTrust specifies the level of trust used for control plane.
+	ControlplaneTrust Trust
 }
 
 func defaultConfig() *Config {
@@ -311,15 +311,14 @@ func defaultConfig() *Config {
 		DomainTemplate:                DefaultDomainTemplate,
 		TagTemplate:                   DefaultTagTemplate,
 		AutoTLS:                       false,
-		ExternalDomainTLS:             false,
 		NamespaceWildcardCertSelector: nil,
 		HTTPProtocol:                  HTTPEnabled,
 		AutocreateClusterDomainClaims: false,
 		DefaultExternalScheme:         "http",
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		InternalEncryption:            false,
-		SystemInternalTLS:             EncryptionDisabled,
-		ClusterLocalDomainTLS:         EncryptionDisabled,
+		DataplaneTrust:                TrustDisabled,
+		ControlplaneTrust:             TrustDisabled,
 	}
 }
 
@@ -384,23 +383,12 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 	}
 	templateCache.Add(nc.TagTemplate, t)
 
-	// external-domain-tls and auto-tls
 	if val, ok := data["autoTLS"]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
 	if val, ok := data[AutoTLSKey]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
-	if val, ok := data[ExternalDomainTLSKey]; ok {
-		nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
-
-		// The new key takes precedence, but we support compatibility
-		// for code that has not updated to the new field yet.
-		nc.AutoTLS = nc.ExternalDomainTLS
-	} else {
-		// backward compatibility: if the new key is not set, use the value from the old key
-		nc.ExternalDomainTLS = nc.AutoTLS
-	}
 
 	var httpProtocol string
 	if val, ok := data["httpProtocol"]; ok {
@@ -422,52 +410,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 	}
 
-	switch strings.ToLower(data[SystemInternalTLSKey]) {
-	case "", string(EncryptionDisabled):
-		// If SystemInternalTLSKey is not set in the config-network, default is already
-		// set to EncryptionDisabled.
+	switch strings.ToLower(data[DataplaneTrustKey]) {
+	case "", string(TrustDisabled):
+		// If DataplaneTrus is not set in the config-network, default is already
+		// set to TrustDisabled.
 		if nc.InternalEncryption {
 			// Backward compatibility
-			nc.SystemInternalTLS = EncryptionEnabled
+			nc.DataplaneTrust = TrustMinimal
 		}
-	case string(EncryptionEnabled):
-		nc.SystemInternalTLS = EncryptionEnabled
-
-		// The new key takes precedence, but we support compatibility
-		// for code that has not updated to the new field yet.
-		nc.InternalEncryption = true
+	case string(TrustMinimal):
+		nc.DataplaneTrust = TrustMinimal
+	case string(TrustEnabled):
+		nc.DataplaneTrust = TrustEnabled
+	case string(TrustMutual):
+		nc.DataplaneTrust = TrustMutual
+	case string(TrustIdentity):
+		nc.DataplaneTrust = TrustIdentity
 	default:
-		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
-			SystemInternalTLSKey, data[SystemInternalTLSKey])
+		return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
 	}
 
-	switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
-	case "", string(EncryptionDisabled):
-		// If ClusterLocalDomainTLSKey is not set in the config-network, default is already
-		// set to EncryptionDisabled.
-	case string(EncryptionEnabled):
-		nc.ClusterLocalDomainTLS = EncryptionEnabled
+	switch strings.ToLower(data[ControlplaneTrustKey]) {
+	case "", string(TrustDisabled):
+		// If ControlplaneTrust is not set in the config-network, default is already
+		// set to TrustDisabled.
+	case string(TrustEnabled):
+		nc.ControlplaneTrust = TrustEnabled
+	case string(TrustMutual):
+		nc.ControlplaneTrust = TrustMutual
 	default:
-		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
-			ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
+		return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
 	}
 
 	return nc, nil
 }
 
-// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
-// Deprecated: please use SystemInternalTLSEnabled()
+// InternalTLSEnabled returns whether or not InternalEncyrption is enabled.
+// Currently only DataplaneTrust is considered.
 func (c *Config) InternalTLSEnabled() bool {
-	return tlsEnabled(c.SystemInternalTLS)
-}
-
-// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not.
-func (c *Config) SystemInternalTLSEnabled() bool {
-	return tlsEnabled(c.SystemInternalTLS)
+	return tlsEnabled(c.DataplaneTrust)
 }
 
-func tlsEnabled(encryptionConfig EncryptionConfig) bool {
-	return encryptionConfig == EncryptionEnabled
+func tlsEnabled(trust Trust) bool {
+	return trust == TrustMinimal ||
+		trust == TrustEnabled ||
+		trust == TrustMutual ||
+		trust == TrustIdentity
 }
 
 // GetDomainTemplate returns the golang Template from the config map