From f8e46e97e30abebbcc5a5f141b2c755947daf4fb Mon Sep 17 00:00:00 2001
From: Reto Lehmann
Date: Tue, 19 Sep 2023 08:18:29 +0200
Subject: [PATCH 1/4] Use aligned flags and secrets for `knative-internal-tls`
---
 go.mod | 2 ++
 pkg/generator/ingress_translator.go | 37 +++++++++++++++---------
 pkg/generator/ingress_translator_test.go | 27 +++++++++++------
 pkg/reconciler/ingress/config/store.go | 2 +-
 test/config/tls/config-network.yaml | 2 +-
 test/upgrade/probe_test.go | 6 ++--
 6 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/go.mod b/go.mod
index 2f54f03e7..8a83b6185 100644
--- a/go.mod
+++ b/go.mod
@@ -103,3 +103,5 @@ require (
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
+
+replace knative.dev/networking => github.com/ReToCode/networking v0.0.0-20230918124119-ce04c96e518c
diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go
index 9b03fef3a..974cf3ac9 100644
--- a/pkg/generator/ingress_translator.go
+++ b/pkg/generator/ingress_translator.go
@@ -151,10 +151,10 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 // Match the ingress' port with a port on the Service to find the target.
 // Also find out if the target supports HTTP2.
 var (
- externalPort = int32(80)
- targetPort = int32(80)
- http2 = false
- internalEncryption = false
+ externalPort = int32(80)
+ targetPort = int32(80)
+ http2 = false
+ httpsPortUsed = false
 )
 for _, port := range service.Spec.Ports {
 if port.Port == split.ServicePort.IntVal || port.Name == split.ServicePort.StrVal {
@@ -165,7 +165,7 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 http2 = true
 }
 if port.Port == split.ServicePort.IntVal && port.Name == "https" {
- internalEncryption = true
+ httpsPortUsed = true
 }
 }
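Review bot: The added `replace knative.dev/networking => github.com/ReToCode/networking v0.0.0-20230918124119-ce04c96e518c` redirects a core dependency to a personal fork pinned by pseudo-version, and a replace like this should not reach the main branch: every build would take networking code from an account outside the project's review and release process, and the directive silently overrides whatever the `require` block says. Patch 3/4 of this series removes the line again, so if the series is merged unsquashed only the intermediate commits build against the fork; squashing, or landing the upstream networking change first and dropping the replace entirely, avoids a bisectable range whose build depends on the fork.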
@@ -209,16 +209,16 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 //
 // TODO:
 // Drop this configmap check - issues/968
- // We can determin whether internal-encryption is enabled or disabled via `internalEncryption` only,
- // but all conformance tests need to be updated to have the port name so check the configmap as well.
+ // We could determine whether knative-internal-tls is enabled or disabled via the flag only,
+ // but all conformance tests need to be updated to have the port name so we check the configmap as well.
 //
 // TODO: Or fetch configmap before the loop as per https://github.com/knative-sandbox/net-kourier/pull/959#discussion_r1048441513
 cfg := config.FromContextOrDefaults(ctx)
 // As Ingress with RewriteHost points to ExternalService(kourier-internal), we don't enable TLS.
- if (cfg.Network.InternalEncryption || internalEncryption) && httpPath.RewriteHost == "" {
+ if (cfg.Network.KnativeInternalTLSEnabled() || httpsPortUsed) && httpPath.RewriteHost == "" {
 var err error
- transportSocket, err = translator.createUpstreamTransportSocket(http2)
+ transportSocket, err = translator.createUpstreamTransportSocket(http2, split.ServiceNamespace)
 if err != nil {
 return nil, err
 }
@@ -296,8 +296,8 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 }, nil
 }
-func (translator *IngressTranslator) createUpstreamTransportSocket(http2 bool) (*envoycorev3.TransportSocket, error) {
- caSecret, err := translator.secretGetter(pkgconfig.ServingNamespace(), netconfig.ServingInternalCertName)
+func (translator *IngressTranslator) createUpstreamTransportSocket(http2 bool, namespace string) (*envoycorev3.TransportSocket, error) {
+ caSecret, err := translator.secretGetter(pkgconfig.ServingNamespace(), netconfig.ServingRoutingCertName)
 if err != nil {
 return nil, fmt.Errorf("failed to fetch activator CA secret: %w", err)
 }
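Review bot: The new `namespace` parameter of `createUpstreamTransportSocket` is undocumented, and what it denotes (the backend Service's namespace, which selects the queue-proxy SAN the upstream certificate must present) is only discoverable by following the call into `createUpstreamTLSContext`. A doc comment such as `// createUpstreamTransportSocket builds the TLS transport socket for an upstream cluster in namespace; the CA is read from the routing cert secret in the serving system namespace.` would make that explicit at the signature. The error message on the following line still says `activator CA secret` although the secret fetched is now `netconfig.ServingRoutingCertName`; `return nil, fmt.Errorf("fetching routing CA secret %s/%s: %w", pkgconfig.ServingNamespace(), netconfig.ServingRoutingCertName, err)` names what was actually looked up. The rest of the function body is outside this hunk.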
@@ -305,7 +305,7 @@ func (translator *IngressTranslator) createUpstreamTransportSocket(http2 bool) (
 if http2 {
 alpnProtocols = "h2"
 }
- tlsAny, err := anypb.New(createUpstreamTLSContext(caSecret.Data[certificates.CaCertName], alpnProtocols))
+ tlsAny, err := anypb.New(createUpstreamTLSContext(caSecret.Data[certificates.CaCertName], namespace, alpnProtocols))
 if err != nil {
 return nil, err
 }
@@ -317,7 +317,7 @@ func (translator *IngressTranslator) createUpstreamTransportSocket(http2 bool) (
 }, nil
 }
-func createUpstreamTLSContext(caCertificate []byte, alpnProtocols ...string) *tlsv3.UpstreamTlsContext {
+func createUpstreamTLSContext(caCertificate []byte, namespace string, alpnProtocols ...string) *tlsv3.UpstreamTlsContext {
 return &tlsv3.UpstreamTlsContext{
 CommonTlsContext: &tlsv3.CommonTlsContext{
 AlpnProtocols: alpnProtocols,
@@ -336,7 +336,16 @@ func createUpstreamTLSContext(caCertificate []byte, alpnProtocols ...string) *tl
 SanType: tlsv3.SubjectAltNameMatcher_DNS,
 Matcher: &envoymatcherv3.StringMatcher{
 MatchPattern: &envoymatcherv3.StringMatcher_Exact{
- Exact: certificates.FakeDnsName,
+ // SAN used by Activator
+ Exact: certificates.DataPlaneRoutingSAN,
+ },
+ },
+ }, {
+ SanType: tlsv3.SubjectAltNameMatcher_DNS,
+ Matcher: &envoymatcherv3.StringMatcher{
+ MatchPattern: &envoymatcherv3.StringMatcher_Exact{
+ // SAN used by Queue-Proxy in target namespace
+ Exact: certificates.DataPlaneUserSAN(namespace),
 },
 },
 }},
diff --git a/pkg/generator/ingress_translator_test.go b/pkg/generator/ingress_translator_test.go
index 9e0ec97e5..ef4fa7d5d 100644
--- a/pkg/generator/ingress_translator_test.go
+++ b/pkg/generator/ingress_translator_test.go
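Review bot: The two SAN matchers in this hunk are alternatives, not both required: Envoy treats the list as "any entry matches", so every upstream cluster built here accepts a peer presenting either the routing SAN or the `DataPlaneUserSAN(namespace)` identity. That is presumably intended, since the upstream may be the activator or the queue-proxy, but it deserves stating in code because it means the per-namespace entry is the only thing preventing a certificate issued for another namespace from being accepted as this backend, while the routing identity is accepted for any namespace. `createUpstreamTLSContext` has no doc comment; something like `// createUpstreamTLSContext returns an upstream TLS context that trusts caCertificate and accepts a peer presenting either the data-plane routing SAN (activator) or the per-namespace user SAN (queue-proxy in namespace); one match is sufficient.` would capture that. If `split.ServiceNamespace` can ever be empty at the call site, `DataPlaneUserSAN("")` would produce a prefix-only name, so either a guard or a comment stating the invariant would help; the enclosing function continues outside this hunk.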
@@ -684,12 +684,12 @@ func (t *testConfigStore) ToContext(ctx context.Context) context.Context {
 var (
 defaultConfig = &config.Config{
 Network: &netconfig.Config{
- AutoTLS: false,
+ ExternalDomainTLS: false,
 },
 }
 upstreamTLSConfig = &config.Config{
 Network: &netconfig.Config{
- AutoTLS: false,
+ ExternalDomainTLS: false,
 },
 }
 )
@@ -937,7 +937,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 false,
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(false /* http2 */),
+ ConfigType: typedConfig(false /* http2 */, "servicens"),
 },
 v3.Cluster_STATIC,
 ),
@@ -1009,7 +1009,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 true, /* http2 */
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(true /* http2 */),
+ ConfigType: typedConfig(true /* http2 */, "servicens"),
 },
 v3.Cluster_STATIC,
 ),
@@ -1082,7 +1082,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 false, /* http2 */
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(false /* http2 */),
+ ConfigType: typedConfig(false /* http2 */, "servicens"),
 },
 v3.Cluster_STATIC,
 ),
@@ -1155,7 +1155,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 true, /* http2 */
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(true /* http2 */),
+ ConfigType: typedConfig(true /* http2 */, "servicens"),
 },
 v3.Cluster_STATIC,
 ),
@@ -1574,7 +1574,7 @@ var (
 caSecret = &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "knative-testing",
- Name: netconfig.ServingInternalCertName,
+ Name: netconfig.ServingRoutingCertName,
 },
 Data: map[string][]byte{
 certificates.CaCertName: cert,
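Review bot: After this hunk `defaultConfig` and `upstreamTLSConfig` are identical in the visible lines (each only sets `ExternalDomainTLS: false`), and neither sets the field behind the new `KnativeInternalTLSEnabled()` check, so as far as this file section shows the upstream-TLS expectations are reached only through the `https` port-name fallback rather than through the flag. If the flag path is meant to be covered by `TestIngressTranslatorWithUpstreamTLS`, `upstreamTLSConfig` should enable internal TLS so that the two fixtures actually differ; the rest of the test file is not visible here, so this may already be exercised elsewhere. A short comment on `upstreamTLSConfig` saying which mechanism (flag or port name) the fixture relies on would remove the ambiguity either way.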
@@ -1592,7 +1592,7 @@ var (
 }
 )
-func typedConfig(http2 bool) *envoycorev3.TransportSocket_TypedConfig {
+func typedConfig(http2 bool, namespace string) *envoycorev3.TransportSocket_TypedConfig {
 alpn := []string{""}
 if http2 {
 alpn = []string{"h2"}
@@ -1615,7 +1615,16 @@ func typedConfig(http2 bool) *envoycorev3.TransportSocket_TypedConfig {
 SanType: auth.SubjectAltNameMatcher_DNS,
 Matcher: &envoymatcherv3.StringMatcher{
 MatchPattern: &envoymatcherv3.StringMatcher_Exact{
- Exact: certificates.FakeDnsName,
+ // SAN of Activator
+ Exact: certificates.DataPlaneRoutingSAN,
+ },
+ },
+ }, {
+ SanType: auth.SubjectAltNameMatcher_DNS,
+ Matcher: &envoymatcherv3.StringMatcher{
+ MatchPattern: &envoymatcherv3.StringMatcher_Exact{
+ // SAN of Queue-Proxy in target namespace
+ Exact: certificates.DataPlaneUserSAN(namespace),
 },
 },
 }},
diff --git a/pkg/reconciler/ingress/config/store.go b/pkg/reconciler/ingress/config/store.go
index 7cd91ed7f..fdc0b7364 100644
--- a/pkg/reconciler/ingress/config/store.go
+++ b/pkg/reconciler/ingress/config/store.go
@@ -51,7 +51,7 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 func defaultConfig() *netconfig.Config {
 return &netconfig.Config{
- InternalEncryption: false,
+ ClusterLocalDomainTLS: netconfig.EncryptionDisabled,
 }
 }
diff --git a/test/config/tls/config-network.yaml b/test/config/tls/config-network.yaml
index 963e10e85..93956f073 100644
--- a/test/config/tls/config-network.yaml
+++ b/test/config/tls/config-network.yaml
@@ -22,4 +22,4 @@ metadata:
 app.kubernetes.io/component: networking
 app.kubernetes.io/version: devel
 data:
- internal-encryption: "true"
+ knative-internal-tls: "enabled"
diff --git a/test/upgrade/probe_test.go b/test/upgrade/probe_test.go
index 27bd945ec..36617aed0 100644
--- a/test/upgrade/probe_test.go
+++ b/test/upgrade/probe_test.go
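Review bot: In the `store.go` hunk, `defaultConfig()` now sets `ClusterLocalDomainTLS`, but the translator in this same patch gates upstream TLS on `cfg.Network.KnativeInternalTLSEnabled()`; unless that method reads `ClusterLocalDomainTLS`, the default written here is not the one being consulted and the effective default is the zero value of a different field. Patch 3/4 of the series replaces the line with `SystemInternalTLS: netconfig.EncryptionDisabled,`, matching the renamed `SystemInternalTLSEnabled()` check, so the field set in `defaultConfig()` and the field read in `translateIngress` should move together in one commit to keep each commit self-consistent. A one-line comment on the field, `// Must be the field SystemInternalTLSEnabled() evaluates; see translateIngress.`, would make the coupling visible to the next rename.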
@@ -59,14 +59,14 @@ func TestProbe(t *testing.T) {
 portName := networking.ServicePortNameHTTP1
- // Set "https" to the port name when internal-encryption is enabled.
- // Controller determines the internal-encryption is enabled or not by the port instead of configmap.
+ // Set "https" to the port name when knative-internal-tls is enabled.
+ // Controller determines the knative-internal-tls is enabled or not by the port instead of configmap.
 // ConfigMap does not work during the upgrade test - issues/968.
 cm, err := clients.KubeClient.CoreV1().ConfigMaps(system.Namespace()).Get(ctx, "config-network", metav1.GetOptions{})
 if err != nil {
 t.Fatal("Failed to fetch configmap:", err)
 }
- if strings.EqualFold(cm.Data[config.InternalEncryptionKey], "true") {
+ if strings.EqualFold(cm.Data[config.KnativeInternalTLSKey], config.EncryptionEnabled) {
 portName = networking.ServicePortNameHTTPS
 }
From add240797266d90de7e8adb9149d72bb51d20603 Mon Sep 17 00:00:00 2001
From: Reto Lehmann
Date: Tue, 19 Sep 2023 08:35:30 +0200
Subject: [PATCH 2/4] Fix string conversion
---
 test/upgrade/probe_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/upgrade/probe_test.go b/test/upgrade/probe_test.go
index 36617aed0..1f7834207 100644
--- a/test/upgrade/probe_test.go
+++ b/test/upgrade/probe_test.go
@@ -66,7 +66,7 @@ func TestProbe(t *testing.T) {
 if err != nil {
 t.Fatal("Failed to fetch configmap:", err)
 }
- if strings.EqualFold(cm.Data[config.KnativeInternalTLSKey], config.EncryptionEnabled) {
+ if strings.EqualFold(cm.Data[config.KnativeInternalTLSKey], string(config.EncryptionEnabled)) {
 portName = networking.ServicePortNameHTTPS
 }
From c8a61106ab40d900b794ed1960e64392338cface Mon Sep 17 00:00:00 2001
From: Reto Lehmann
Date: Tue, 3 Oct 2023 07:31:26 +0200
Subject: [PATCH 3/4] Change config key to system-internal-tls
---
 go.mod | 2 --
 pkg/generator/ingress_translator.go | 4 ++--
 pkg/reconciler/ingress/config/store.go | 2 +-
 test/config/tls/config-network.yaml | 2 +-
 test/upgrade/probe_test.go | 6 +++---
 5 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 8a83b6185..2f54f03e7 100644
--- a/go.mod
+++ b/go.mod
@@ -103,5 +103,3 @@ require (
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
-
-replace knative.dev/networking => github.com/ReToCode/networking v0.0.0-20230918124119-ce04c96e518c
diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go
index 974cf3ac9..20a2e8f72 100644
--- a/pkg/generator/ingress_translator.go
+++ b/pkg/generator/ingress_translator.go
@@ -209,14 +209,14 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 //
 // TODO:
 // Drop this configmap check - issues/968
- // We could determine whether knative-internal-tls is enabled or disabled via the flag only,
+ // We could determine whether system-internal-tls is enabled or disabled via the flag only,
 // but all conformance tests need to be updated to have the port name so we check the configmap as well.
 //
 // TODO: Or fetch configmap before the loop as per https://github.com/knative-sandbox/net-kourier/pull/959#discussion_r1048441513
 cfg := config.FromContextOrDefaults(ctx)
 // As Ingress with RewriteHost points to ExternalService(kourier-internal), we don't enable TLS.
- if (cfg.Network.KnativeInternalTLSEnabled() || httpsPortUsed) && httpPath.RewriteHost == "" {
+ if (cfg.Network.SystemInternalTLSEnabled() || httpsPortUsed) && httpPath.RewriteHost == "" {
 var err error
 transportSocket, err = translator.createUpstreamTransportSocket(http2, split.ServiceNamespace)
 if err != nil {
diff --git a/pkg/reconciler/ingress/config/store.go b/pkg/reconciler/ingress/config/store.go
index fdc0b7364..80049b2a0 100644
--- a/pkg/reconciler/ingress/config/store.go
+++ b/pkg/reconciler/ingress/config/store.go
@@ -51,7 +51,7 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 func defaultConfig() *netconfig.Config {
 return &netconfig.Config{
- ClusterLocalDomainTLS: netconfig.EncryptionDisabled,
+ SystemInternalTLS: netconfig.EncryptionDisabled,
 }
 }
diff --git a/test/config/tls/config-network.yaml b/test/config/tls/config-network.yaml
index 93956f073..a7a5cb656 100644
--- a/test/config/tls/config-network.yaml
+++ b/test/config/tls/config-network.yaml
@@ -22,4 +22,4 @@ metadata:
 app.kubernetes.io/component: networking
 app.kubernetes.io/version: devel
 data:
- knative-internal-tls: "enabled"
+ system-internal-tls: "enabled"
diff --git a/test/upgrade/probe_test.go b/test/upgrade/probe_test.go
index 1f7834207..171298f9b 100644
--- a/test/upgrade/probe_test.go
+++ b/test/upgrade/probe_test.go
@@ -59,14 +59,14 @@ func TestProbe(t *testing.T) {
 portName := networking.ServicePortNameHTTP1
- // Set "https" to the port name when knative-internal-tls is enabled.
- // Controller determines the knative-internal-tls is enabled or not by the port instead of configmap.
+ // Set "https" to the port name when system-internal-tls is enabled.
+ // Controller determines the system-internal-tls is enabled or not by the port instead of configmap.
 // ConfigMap does not work during the upgrade test - issues/968.
 cm, err := clients.KubeClient.CoreV1().ConfigMaps(system.Namespace()).Get(ctx, "config-network", metav1.GetOptions{})
 if err != nil {
 t.Fatal("Failed to fetch configmap:", err)
 }
- if strings.EqualFold(cm.Data[config.KnativeInternalTLSKey], string(config.EncryptionEnabled)) {
+ if strings.EqualFold(cm.Data[config.SystemInternalTLSKey], string(config.EncryptionEnabled)) {
 portName = networking.ServicePortNameHTTPS
 }
From c328c40ce91a3facea2679b5c40ea3285f93599e Mon Sep 17 00:00:00 2001
From: Reto Lehmann
Date: Tue, 3 Oct 2023 08:38:00 +0200
Subject: [PATCH 4/4] Fix lint warnings and create certificates with new names + SANs
---
 pkg/generator/ingress_translator_test.go | 12 +++---
 test/e2e-kind.sh | 8 ++--
 test/generate-upstream-cert.sh | 37 +++++++++++--------
 ...rate-cert.sh => generate-wildcard-cert.sh} | 0
 4 files changed, 32 insertions(+), 25 deletions(-)
 rename test/{generate-cert.sh => generate-wildcard-cert.sh} (100%)
diff --git a/pkg/generator/ingress_translator_test.go b/pkg/generator/ingress_translator_test.go
index ef4fa7d5d..f4fa08300 100644
--- a/pkg/generator/ingress_translator_test.go
+++ b/pkg/generator/ingress_translator_test.go
@@ -937,7 +937,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 false,
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(false /* http2 */, "servicens"),
+ ConfigType: typedConfig(false),
 },
 v3.Cluster_STATIC,
 ),
@@ -1009,7 +1009,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 true, /* http2 */
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(true /* http2 */, "servicens"),
+ ConfigType: typedConfig(true),
 },
 v3.Cluster_STATIC,
 ),
@@ -1082,7 +1082,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 false, /* http2 */
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(false /* http2 */, "servicens"),
+ ConfigType: typedConfig(false),
 },
 v3.Cluster_STATIC,
 ),
@@ -1155,7 +1155,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 true, /* http2 */
 &envoycorev3.TransportSocket{
 Name: wellknown.TransportSocketTls,
- ConfigType: typedConfig(true /* http2 */, "servicens"),
+ ConfigType: typedConfig(true),
 },
 v3.Cluster_STATIC,
 ),
@@ -1592,7 +1592,7 @@ var (
 }
 )
-func typedConfig(http2 bool, namespace string) *envoycorev3.TransportSocket_TypedConfig {
+func typedConfig(http2 bool) *envoycorev3.TransportSocket_TypedConfig {
 alpn := []string{""}
 if http2 {
 alpn = []string{"h2"}
@@ -1624,7 +1624,7 @@ func typedConfig(http2 bool, namespace string) *envoycorev3.TransportSocket_Type
 Matcher: &envoymatcherv3.StringMatcher{
 MatchPattern: &envoymatcherv3.StringMatcher_Exact{
 // SAN of Queue-Proxy in target namespace
- Exact: certificates.DataPlaneUserSAN(namespace),
+ Exact: certificates.DataPlaneUserSAN("servicens"),
 },
 },
 }},
diff --git a/test/e2e-kind.sh b/test/e2e-kind.sh
index b76f0d32f..ea07652ab 100755
--- a/test/e2e-kind.sh
+++ b/test/e2e-kind.sh
@@ -28,13 +28,13 @@ $(dirname $0)/upload-test-images.sh
 echo ">> Setup test resources"
 ko apply -f test/config
 if [[ $(kubectl get secret server-certs -n "${TEST_NAMESPACE}" -o name | wc -l) -eq 1 ]]; then
- echo ">> Enable tls against upstream"
+ echo ">> Enabling TLS on kourier gateway (one static certificate) and upstream TLS with system-internal-tls"
 ko apply -f test/config/tls
 export "UPSTREAM_TLS_CERT=server-certs"
 export "UPSTREAM_CA_CERT=server-ca"
 # Use OpenSSL subjectAltName/serverName to enable the certificate for various
 # application URLs with this pattern: ..svc.X.X
- export "SERVER_NAME=data-plane.knative.dev"
+ export "SERVER_NAME=kn-user-serving-tests"
 fi
 IPS=($(kubectl get nodes -lkubernetes.io/hostname!=kind-control-plane -ojsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}'))
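Review bot: `export "SERVER_NAME=kn-user-serving-tests"` in the `e2e-kind.sh` hunk hard-codes the namespace that `test/generate-upstream-cert.sh` derives as `serviceSAN="kn-user-$TEST_NAMESPACE"`, while the `if` three lines above already reads `${TEST_NAMESPACE}`; `export "SERVER_NAME=kn-user-${TEST_NAMESPACE}"` keeps the expected SAN tied to the same variable. The two comment lines above it still describe the old `data-plane.knative.dev` name as covering "various application URLs with this pattern", which no longer holds for a fixed per-namespace SAN; `# SERVER_NAME must equal the queue-proxy SAN issued by generate-upstream-cert.sh (kn-user-NAMESPACE)` would be accurate. Separately, the gate `kubectl get secret server-certs -n "${TEST_NAMESPACE}"` still looks for `server-certs` in the test namespace, but this series' `generate-upstream-cert.sh` now creates `serving-certs` there and `server-certs` only in the serving system namespace; if nothing else creates it in `${TEST_NAMESPACE}`, the whole TLS block is silently skipped, so the condition probably needs to check the secret that is actually created.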
@@ -74,8 +74,8 @@ go test -v -tags=e2e ./test/tls/... \
 kubectl -n "${KOURIER_CONTROL_NAMESPACE}" patch configmap/config-kourier --type merge -p '{"data":{"cipher-suites":""}}'
-echo ">> Setup one certificate"
-$(dirname $0)/generate-cert.sh
+echo ">> Setup one wildcard certificate"
+$(dirname $0)/generate-wildcard-cert.sh
 kubectl -n "${KOURIER_CONTROL_NAMESPACE}" set env deployment net-kourier-controller CERTS_SECRET_NAMESPACE="${KOURIER_CONTROL_NAMESPACE}" CERTS_SECRET_NAME=wildcard-certs
 kubectl -n "${KOURIER_CONTROL_NAMESPACE}" rollout status deployment/net-kourier-controller --timeout=300s
diff --git a/test/generate-upstream-cert.sh b/test/generate-upstream-cert.sh
index 8ab979ee3..93d3d8ac4 100755
--- a/test/generate-upstream-cert.sh
+++ b/test/generate-upstream-cert.sh
@@ -17,7 +17,8 @@ SERVING_SYSTEM_NAMESPACE=knative-serving
 TEST_NAMESPACE=serving-tests
 out_dir="$(mktemp -d /tmp/certs-XXX)"
-san="data-plane.knative.dev"
+activatorSAN="kn-routing"
+serviceSAN="kn-user-$TEST_NAMESPACE"
 kubectl create ns $SERVING_SYSTEM_NAMESPACE
 kubectl create ns $TEST_NAMESPACE
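Review bot: `activatorSAN="kn-routing"` and `serviceSAN="kn-user-$TEST_NAMESPACE"` in the `generate-upstream-cert.sh` hunk are string copies of the names the controller matches via `certificates.DataPlaneRoutingSAN` and `certificates.DataPlaneUserSAN(namespace)` in `pkg/generator/ingress_translator.go`; if either side drifts, Envoy rejects the upstream certificate and the e2e TLS test fails with a SAN-validation error that points nowhere near this script. A comment recording the coupling, `# These must equal certificates.DataPlaneRoutingSAN and certificates.DataPlaneUserSAN(TEST_NAMESPACE) from knative.dev/networking, which the controller uses for upstream SAN matching.`, makes that discoverable. `TEST_NAMESPACE` appears to be assigned unconditionally two lines above, so an exported value from `e2e-kind.sh` would not reach this script; that is pre-existing, but it is why the namespace baked into the SAN cannot simply be assumed to agree with the caller's.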
@@ -25,28 +26,34 @@ kubectl create ns $TEST_NAMESPACE
 # Generate Root key and cert.
 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=Example/CN=Example' -keyout "${out_dir}"/root.key -out "${out_dir}"/root.crt
-# Create server key
-openssl req -out "${out_dir}"/tls.csr -newkey rsa:2048 -nodes -keyout "${out_dir}"/tls.key -subj "/CN=Example/O=Example" -addext "subjectAltName = DNS:$san"
+# Create activator key + cert
+openssl req -out "${out_dir}"/activator-tls.csr -newkey rsa:2048 -nodes -keyout "${out_dir}"/activator-tls.key -subj "/CN=Example/O=Example" -addext "subjectAltName = DNS:$activatorSAN"
+openssl x509 -req -extfile <(printf "subjectAltName=DNS:$activatorSAN") -days 365 -in "${out_dir}"/activator-tls.csr -CA "${out_dir}"/root.crt -CAkey "${out_dir}"/root.key -CAcreateserial -out "${out_dir}"/activator-tls.crt
-# Create server certs
-openssl x509 -req -extfile <(printf "subjectAltName=DNS:$san") -days 365 -in "${out_dir}"/tls.csr -CA "${out_dir}"/root.crt -CAkey "${out_dir}"/root.key -CAcreateserial -out "${out_dir}"/tls.crt
+# Create test service key + cert
+openssl req -out "${out_dir}"/service-tls.csr -newkey rsa:2048 -nodes -keyout "${out_dir}"/service-tls.key -subj "/CN=Example/O=Example" -addext "subjectAltName = DNS:$serviceSAN"
+openssl x509 -req -extfile <(printf "subjectAltName=DNS:$serviceSAN") -days 365 -in "${out_dir}"/service-tls.csr -CA "${out_dir}"/root.crt -CAkey "${out_dir}"/root.key -CAcreateserial -out "${out_dir}"/service-tls.crt
-# Create secret
-# TODO: drop ca-cert.pem after v1.9 released. It is used for upgrade e2e test since previous version uses the old file name.
-kubectl create -n ${SERVING_SYSTEM_NAMESPACE} secret generic knative-serving-certs \
+# Create activator secret for system-internal-tls
+kubectl create -n ${SERVING_SYSTEM_NAMESPACE} secret generic routing-serving-certs \
 --from-file=ca.crt="${out_dir}"/root.crt \
- --from-file=ca-cert.pem="${out_dir}"/root.crt \
 --dry-run=client -o yaml | \
 sed '/^metadata:/a\ \ labels: {"networking.internal.knative.dev/certificate-uid":"test-id"}' | kubectl apply -f -
-kubectl create -n ${TEST_NAMESPACE} secret tls server-certs \
- --key="${out_dir}"/tls.key \
- --cert="${out_dir}"/tls.crt --dry-run=client -o yaml | kubectl apply -f -
+# Create test service secret for system-internal-tls
+kubectl create -n ${TEST_NAMESPACE} secret tls serving-certs \
+ --key="${out_dir}"/service-tls.key \
+ --cert="${out_dir}"/service-tls.crt --dry-run=client -o yaml | kubectl apply -f -
+
+
+# Create a certificate for testing kourier encryption with a static certificate
+san="example.com"
+openssl req -out "${out_dir}"/san-tls.csr -newkey rsa:2048 -nodes -keyout "${out_dir}"/san-tls.key -subj "/CN=Example/O=Example" -addext "subjectAltName = DNS:$san"
+openssl x509 -req -extfile <(printf "subjectAltName=DNS:$san") -days 365 -in "${out_dir}"/san-tls.csr -CA "${out_dir}"/root.crt -CAkey "${out_dir}"/root.key -CAcreateserial -out "${out_dir}"/san-tls.crt
-# For testing encryption with Kourier local gateway
 kubectl create -n ${TEST_NAMESPACE} secret generic server-ca \
 --from-file=ca.crt="${out_dir}"/root.crt
 kubectl create -n ${SERVING_SYSTEM_NAMESPACE} secret tls server-certs \
- --key="${out_dir}"/tls.key \
- --cert="${out_dir}"/tls.crt --dry-run=client -o yaml | kubectl apply -f -
+ --key="${out_dir}"/san-tls.key \
+ --cert="${out_dir}"/san-tls.crt --dry-run=client -o yaml | kubectl apply -f -
diff --git a/test/generate-cert.sh b/test/generate-wildcard-cert.sh
similarity index 100%
rename from test/generate-cert.sh
rename to test/generate-wildcard-cert.sh
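Review bot: This hunk now carries three copies of the same two-command key-and-certificate recipe (`activator-tls`, `service-tls`, `san-tls`) that differ only in file stem and SAN, and each `printf "subjectAltName=DNS:$activatorSAN"` interpolates the variable into the format string rather than passing it as an argument. Factoring the recipe into one function keeps the three issuances identical (same key size, validity and extension handling) and lets the SAN go through `%s`; the secret-creation commands between the issuances stay as they are. The hunk starts with the root-CA generation and ends at the last `server-certs` line, so the rewrite below replaces only the openssl invocations.
```shell
# issue_leaf NAME SAN: write NAME.key, NAME.csr and NAME.crt into ${out_dir},
# signed by the root CA generated above, with a single DNS SAN.
issue_leaf() {
  local name="$1" san="$2"
  openssl req -out "${out_dir}/${name}.csr" -newkey rsa:2048 -nodes -keyout "${out_dir}/${name}.key" -subj "/CN=Example/O=Example" -addext "subjectAltName = DNS:${san}"
  openssl x509 -req -extfile <(printf "subjectAltName=DNS:%s" "${san}") -days 365 -in "${out_dir}/${name}.csr" -CA "${out_dir}/root.crt" -CAkey "${out_dir}/root.key" -CAcreateserial -out "${out_dir}/${name}.crt"
}

# Create activator key + cert
issue_leaf activator-tls "${activatorSAN}"
# Create test service key + cert
issue_leaf service-tls "${serviceSAN}"
# … unchanged: routing-serving-certs and serving-certs secret creation …
# Create a certificate for testing kourier encryption with a static certificate
san="example.com"
issue_leaf san-tls "${san}"
# … unchanged: server-ca and server-certs secret creation …
```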