Align the encryption flags

knative · Sep 18, 2023 · 06ba58e · 06ba58e
1 parent 50368a7
commit 06ba58e
Show file tree

Hide file tree

Showing 3 changed files with 200 additions and 122 deletions.
diff --git a/config/config-network.yaml b/config/config-network.yaml
@@ -22,7 +22,7 @@ metadata:
     app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
   annotations:
-    knative.dev/example-checksum: "cfad3b9a"
+    knative.dev/example-checksum: "8cbfa515"
 data:
   _example: |
     ################################
@@ -73,7 +73,7 @@ data:
     #   namespace-wildcard-cert-selector: {}
     #
     # Useful labels include the "kubernetes.io/metadata.name" label to
-    # avoid provisioning a certifcate for the "kube-system" namespaces.
+    # avoid provisioning a certificate for the "kube-system" namespaces.
     # Use the following selector to match pre-1.0 behavior of using
     # "networking.knative.dev/disableWildcardCert" to exclude namespaces:
     #
@@ -114,16 +114,45 @@ data:
     # domain-template above to determine the full URL for the tag.
     tag-template: "{{.Tag}}-{{.Name}}"
 
-    # Controls whether TLS certificates are automatically provisioned and
-    # installed in the Knative ingress to terminate external TLS connection.
-    # 1. Enabled: enabling auto-TLS feature.
-    # 2. Disabled: disabling auto-TLS feature.
+    # auto-tls is deprecated and replaced by external-domain-tls
     auto-tls: "Disabled"
 
+    # Controls whether TLS certificates are automatically provisioned and
+    # installed in the Knative ingress to terminate TLS connections
+    # for cluster external domains (like: app.example.com)
+    # - Enabled: enables the TLS certificate provisioning feature for cluster external domains.
+    # - Disabled: disables the TLS certificate provisioning feature for cluster external domains.
+    external-domain-tls: "Disabled"
+
+    # Controls weather TLS certificates are automatically provisioned and
+    # installed in the Knative ingress to terminate TLS connections
+    # for cluster local domains (like: app.namespace.svc.cluster.local)
+    # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
+    # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    cluster-local-domain-tls: "Disabled"
+
+    # internal-encryption is deprecated and replaced by knative-internal-tls
+    internal-encryption: "false"
+
+    # knative-internal-tls controls weather TLS encryption is used for connections between
+    # the internal components of Knative:
+    # - ingress to activator
+    # - ingress to queue-proxy
+    # - activator to queue-proxy
+    #
+    # Possible values for this flag are:
+    # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains.
+    # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains.
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    knative-internal-tls: "Disabled"
+
     # Controls the behavior of the HTTP endpoint for the Knative ingress.
     # It requires auto-tls to be enabled.
-    # 1. Enabled: The Knative ingress will be able to serve HTTP connection.
-    # 2. Redirected: The Knative ingress will send a 301 redirect for all
+    # - Enabled: The Knative ingress will be able to serve HTTP connection.
+    # - Redirected: The Knative ingress will send a 301 redirect for all
     # http connections, asking the clients to use HTTPS.
     #
     # "Disabled" option is deprecated.
@@ -172,35 +201,3 @@ data:
     # fronting Knative with an external loadbalancer that deals with TLS termination and
     # Knative doesn't know about that otherwise.
     default-external-scheme: "http"
-
-    # internal-encryption is deprecated and replaced by dataplane-trust and controlplane-trust
-    # internal-encryption indicates whether internal traffic is encrypted or not.
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    internal-encryption: "false"
-
-    # dataplane-trust indicates the level of trust established in the knative data-plane.
-    # dataplane-trust = "disabled" (the default) - uses no encryption for internal data plane traffic
-    # Using any other value ensures that the following traffic is encrypted using TLS:
-    #  - ingress to activator
-    #  - ingress to queue-proxy
-    #  - activator to queue-proxy
-    #
-    # dataplane-trust = "minimal" ensures data messages are encrypted, Kingress authenticate that the receiver is a Ksvc
-    # dataplane-trust = "enabled" same as "minimal" and in addition, Kingress authenticate that Ksvc is at the correct namespace
-    # dataplane-trust = "mutual" same as "enabled" and in addition, Ksvc authenticate that the messages come from the Kingress
-    # dataplane-trust = "identity" same as "mutual" with Kingress adding a trusted sender identity to the message
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
-    dataplane-trust: "disabled"
-
-    # controlplane-trust indicates the level of trust established in the knative control-plane.
-    # controlplane-trust = "disabled" (the default) - uses no encryption for internal control plane traffic
-    # Using any other value ensures that control traffic is encrypted using TLS.
-    #
-    # controlplane-trust = "enabled" ensures control messages are encrypted using TLS (client authenticate the server)
-    # controlplane-trust = "mutual" ensures control messages are encrypted using mTLS (client and server authenticate each other)
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing for now. Use with caution.
-    controlplane-trust: "disabled"
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -92,8 +92,17 @@ const (
 
 	// AutoTLSKey is the name of the configuration entry
 	// that specifies enabling auto-TLS or not.
+	// Deprecated: please use ExternalDomainTLSKey.
 	AutoTLSKey = "auto-tls"
 
+	// ExternalDomainTLSKey is the name of the configuration entry
+	// that specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLSKey = "external-domain-tls"
+
+	// ClusterLocalDomainTLSKey is the name of the configuration entry
+	// that specifies if cluster-local-domain-tls is enabled or not.
+	ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
+
 	// DefaultCertificateClassKey is the name of the configuration entry
 	// that specifies the default Certificate.
 	DefaultCertificateClassKey = "certificate-class"
@@ -134,39 +143,26 @@ const (
 	// hostname for a Route's tag.
 	TagTemplateKey = "tag-template"
 
-	// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey.
 	// InternalEncryptionKey is the name of the configuration whether
 	// internal traffic is encrypted or not.
+	// Deprecated: please use KnativeInternalTLSKey.
 	InternalEncryptionKey = "internal-encryption"
 
-	// DataplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for data plane traffic.
-	DataplaneTrustKey = "dataplane-trust"
-
-	// ControlplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for control plane traffic.
-	ControlplaneTrustKey = "controlplane-trust"
+	// KnativeInternalTLSKey is the name of the configuration whether
+	// knative internal traffic is encrypted or not.
+	KnativeInternalTLSKey = "knative-internal-tls"
 )
 
-// HTTPProtocol indicates a type of HTTP endpoint behavior
-// that Knative ingress could take.
-type Trust string
+// EncryptionConfig indicates the encryption configuration
+// used for TLS connections.
+type EncryptionConfig string
 
 const (
-	// TrustDisabled - TLS not used
-	TrustDisabled Trust = "disabled"
-
-	// TrustMinimal - TLS used. We verify that the server is using Knative certificates
-	TrustMinimal Trust = "minimal"
-
-	// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
-	TrustEnabled Trust = "enabled"
+	// EncryptionDisabled - TLS not used.
+	EncryptionDisabled EncryptionConfig = "disabled"
 
-	// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
-	TrustMutual Trust = "mutual"
-
-	// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
-	TrustIdentity Trust = "identity"
+	// EncryptionEnabled - TLS used. The client verifies the servers certificate.
+	EncryptionEnabled EncryptionConfig = "enabled"
 )
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -244,8 +240,12 @@ type Config struct {
 	TagTemplate string
 
 	// AutoTLS specifies if auto-TLS is enabled or not.
+	// Deprecated: please use ExternalDomainTLS instead.
 	AutoTLS bool
 
+	// ExternalDomainTLS specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLS bool
+
 	// HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 	// ingress.
 	HTTPProtocol HTTPProtocol
@@ -293,15 +293,15 @@ type Config struct {
 	// not enabled. Defaults to "http".
 	DefaultExternalScheme string
 
-	// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 	// InternalEncryption specifies whether internal traffic is encrypted or not.
+	// Deprecated: please use KnativeInternalTLSKey instead.
 	InternalEncryption bool
 
-	// DataplaneTrust specifies the level of trust used for date plane.
-	DataplaneTrust Trust
+	// KnativeInternalTLS specifies whether knative internal traffic is encrypted or not.
+	KnativeInternalTLS EncryptionConfig
 
-	// ControlplaneTrust specifies the level of trust used for control plane.
-	ControlplaneTrust Trust
+	// ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
+	ClusterLocalDomainTLS EncryptionConfig
 }
 
 func defaultConfig() *Config {
@@ -311,14 +311,15 @@ func defaultConfig() *Config {
 		DomainTemplate:                DefaultDomainTemplate,
 		TagTemplate:                   DefaultTagTemplate,
 		AutoTLS:                       false,
+		ExternalDomainTLS:             false,
 		NamespaceWildcardCertSelector: nil,
 		HTTPProtocol:                  HTTPEnabled,
 		AutocreateClusterDomainClaims: false,
 		DefaultExternalScheme:         "http",
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		InternalEncryption:            false,
-		DataplaneTrust:                TrustDisabled,
-		ControlplaneTrust:             TrustDisabled,
+		KnativeInternalTLS:            EncryptionDisabled,
+		ClusterLocalDomainTLS:         EncryptionDisabled,
 	}
 }
 
@@ -383,12 +384,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 	}
 	templateCache.Add(nc.TagTemplate, t)
 
+	// external-domain-tls and auto-tls
 	if val, ok := data["autoTLS"]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
 	if val, ok := data[AutoTLSKey]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
+	if val, ok := data[ExternalDomainTLSKey]; ok {
+		nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.AutoTLS = nc.ExternalDomainTLS
+	} else {
+		// backward compatibility: if the new key is not set, use the value from the old key
+		nc.ExternalDomainTLS = nc.AutoTLS
+	}
 
 	var httpProtocol string
 	if val, ok := data["httpProtocol"]; ok {
@@ -410,52 +422,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 	}
 
-	switch strings.ToLower(data[DataplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If DataplaneTrus is not set in the config-network, default is already
-		// set to TrustDisabled.
+	switch strings.ToLower(data[KnativeInternalTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If KnativeInternalTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
 		if nc.InternalEncryption {
 			// Backward compatibility
-			nc.DataplaneTrust = TrustMinimal
+			nc.KnativeInternalTLS = EncryptionEnabled
 		}
-	case string(TrustMinimal):
-		nc.DataplaneTrust = TrustMinimal
-	case string(TrustEnabled):
-		nc.DataplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.DataplaneTrust = TrustMutual
-	case string(TrustIdentity):
-		nc.DataplaneTrust = TrustIdentity
+	case string(EncryptionEnabled):
+		nc.KnativeInternalTLS = EncryptionEnabled
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.InternalEncryption = true
 	default:
-		return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			KnativeInternalTLSKey, data[KnativeInternalTLSKey])
 	}
 
-	switch strings.ToLower(data[ControlplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If ControlplaneTrust is not set in the config-network, default is already
-		// set to TrustDisabled.
-	case string(TrustEnabled):
-		nc.ControlplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.ControlplaneTrust = TrustMutual
+	switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If ClusterLocalDomainTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
+	case string(EncryptionEnabled):
+		nc.ClusterLocalDomainTLS = EncryptionEnabled
 	default:
-		return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
 	}
 
 	return nc, nil
 }
 
-// InternalTLSEnabled returns whether or not InternalEncyrption is enabled.
-// Currently only DataplaneTrust is considered.
+// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
+// Deprecated: please use KnativeInternalTLSEnabled()
 func (c *Config) InternalTLSEnabled() bool {
-	return tlsEnabled(c.DataplaneTrust)
+	return tlsEnabled(c.KnativeInternalTLS)
+}
+
+// KnativeInternalTLSEnabled returns whether KnativeInternalTLS is enabled or not.
+func (c *Config) KnativeInternalTLSEnabled() bool {
+	return tlsEnabled(c.KnativeInternalTLS)
 }
 
-func tlsEnabled(trust Trust) bool {
-	return trust == TrustMinimal ||
-		trust == TrustEnabled ||
-		trust == TrustMutual ||
-		trust == TrustIdentity
+func tlsEnabled(encryptionConfig EncryptionConfig) bool {
+	return encryptionConfig == EncryptionEnabled
 }
 
 // GetDomainTemplate returns the golang Template from the config map