From 79d9382c3f4cbadeaa9972f91c0e9d0e183e885a Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Wed, 8 May 2024 12:11:50 +0200
Subject: [PATCH 1/2] Remove SelfSigned issuer from released `transport-encryption` artifacts
Using a SelfSigned issuer is not recommended by cert-manager and currently we're shipping it in the tranport-encryption feature artifact. Moving forward, we will not ship a SelfSigned issuer in the `eventing-tls-networking.yaml` artifacts and we will document, as a prerequisite, how to create a `ClusterIssuer` for eventing components so that by users can bring their own choosen issuers [1]. [1] https://cert-manager.io/docs/concepts/issuer/
Signed-off-by: Pierangelo Di Pilato
---
hack/generate-yamls.sh | 2 +-
.../bundle-configmap.yaml | 0
.../config-transport-encryption}/bundle.yaml | 2 +-
.../eventing-ca-issuer.yaml | 0
.../placeholder.go | 19 +++++++++++++++++++
.../selfsigned-issuer.yaml | 0
6 files changed, 21 insertions(+), 2 deletions(-)
rename {config/tls/trust-manager => test/config-transport-encryption}/bundle-configmap.yaml (100%)
rename {config/tls/trust-manager => test/config-transport-encryption}/bundle.yaml (98%)
rename {config/tls/issuers => test/config-transport-encryption}/eventing-ca-issuer.yaml (100%)
create mode 100644 test/config-transport-encryption/placeholder.go
rename {config/tls/issuers => test/config-transport-encryption}/selfsigned-issuer.yaml (100%)
diff --git a/hack/generate-yamls.sh b/hack/generate-yamls.sh
index 8f224fd5a5b..1bee6f7e3e0 100755
--- a/hack/generate-yamls.sh
+++ b/hack/generate-yamls.sh
@@ -97,7 +97,7 @@ ko resolve ${KO_YAML_FLAGS} -f config/brokers/mt-channel-broker/ | "${LABEL_YAML
 ko resolve ${KO_YAML_FLAGS} -Rf config/channels/in-memory-channel/ | "${LABEL_YAML_CMD[@]}" > "${EVENTING_IN_MEMORY_CHANNEL_YAML}"
 # Create eventing TLS yaml
-ko resolve ${KO_YAML_FLAGS} -Rf config/tls/ \
+ko resolve ${KO_YAML_FLAGS} \
 -Rf config/channels/in-memory-channel-tls/ \
 -Rf config/brokers/mt-channel-broker-tls/ \
 | "${LABEL_YAML_CMD[@]}" > "${EVENTING_TLS_YAML}"
diff --git a/config/tls/trust-manager/bundle-configmap.yaml b/test/config-transport-encryption/bundle-configmap.yaml
similarity index 100%
rename from config/tls/trust-manager/bundle-configmap.yaml
rename to test/config-transport-encryption/bundle-configmap.yaml
diff --git a/config/tls/trust-manager/bundle.yaml b/test/config-transport-encryption/bundle.yaml
similarity index 98%
rename from config/tls/trust-manager/bundle.yaml
rename to test/config-transport-encryption/bundle.yaml
index f66a48ac27d..e5d7ed9124d 100644
--- a/config/tls/trust-manager/bundle.yaml
+++ b/test/config-transport-encryption/bundle.yaml
@@ -21,7 +21,7 @@ spec:
 # Include a bundle of publicly trusted certificates which can be
 # used to validate most TLS certificates on the internet, such as
 # those issued by Let's Encrypt, Google, Amazon and others.
- - useDefaultCAs: true
+ - useDefaultCAs: false
 # A Secret in the "trust" namespace; see "Trust Namespace" below for further details
 - secret:
diff --git a/config/tls/issuers/eventing-ca-issuer.yaml b/test/config-transport-encryption/eventing-ca-issuer.yaml
similarity index 100%
rename from config/tls/issuers/eventing-ca-issuer.yaml
rename to test/config-transport-encryption/eventing-ca-issuer.yaml
diff --git a/test/config-transport-encryption/placeholder.go b/test/config-transport-encryption/placeholder.go
new file mode 100644
index 00000000000..60b444a7619
--- /dev/null
+++ b/test/config-transport-encryption/placeholder.go
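Review bot: The `# Create eventing TLS yaml` comment above the changed `ko resolve` no longer tells a reader that the generated artifact has an external prerequisite: with `-Rf config/tls/` dropped, `${EVENTING_TLS_YAML}` ships neither an issuer nor a CA trust bundle, and anyone applying it without first creating the `ClusterIssuer` mentioned in the commit message will presumably see the Certificates that reference it stay unissued. Suggest stating this next to the command: `# Create eventing TLS yaml (no issuer or CA bundle is shipped; a ClusterIssuer for eventing components is a documented prerequisite)`. If the Certificate objects under `config/brokers/mt-channel-broker-tls/` and `config/channels/in-memory-channel-tls/` still name the issuers that were moved out of `config/tls/`, that reference needs the same check, but it is not visible in this hunk.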
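Review bot: The three comment lines directly above `- useDefaultCAs: false` still describe including a bundle of publicly trusted certificates, which is the opposite of what the value now does, so the comment should change with it, e.g. `# Do not include the public CA bundle: consumers of this Bundle trust only the eventing CA from the secret source below`. Restricting the test trust bundle to the internal CA is the safer choice, but any workload that mounts this bundle and also needs to validate a public TLS endpoint will fail, which is worth stating where the value is set. The list of sources continues outside the hunk.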
@@ -0,0 +1,19 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package config_transport_encryption is a placeholder that allows us to pull in config files
+// via go mod vendor.
+package config_transport_encryption
diff --git a/config/tls/issuers/selfsigned-issuer.yaml b/test/config-transport-encryption/selfsigned-issuer.yaml
similarity index 100%
rename from config/tls/issuers/selfsigned-issuer.yaml
rename to test/config-transport-encryption/selfsigned-issuer.yaml
From 0cbefa364fb10d402f0b9ea696aa7beca23fd9ae Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Thu, 9 May 2024 09:20:48 +0200
Subject: [PATCH 2/2] Apply TLS configs for the entire tests suite
Signed-off-by: Pierangelo Di Pilato
---
.../tls}/bundle-configmap.yaml | 0
.../{config-transport-encryption => config/tls}/bundle.yaml | 0
.../tls}/eventing-ca-issuer.yaml | 0
.../tls}/placeholder.go | 6 +++---
.../tls}/selfsigned-issuer.yaml | 0
test/e2e-common.sh | 4 ++++
6 files changed, 7 insertions(+), 3 deletions(-)
rename test/{config-transport-encryption => config/tls}/bundle-configmap.yaml (100%)
rename test/{config-transport-encryption => config/tls}/bundle.yaml (100%)
rename test/{config-transport-encryption => config/tls}/eventing-ca-issuer.yaml (100%)
rename test/{config-transport-encryption => config/tls}/placeholder.go (75%)
rename test/{config-transport-encryption => config/tls}/selfsigned-issuer.yaml (100%)
diff --git a/test/config-transport-encryption/bundle-configmap.yaml b/test/config/tls/bundle-configmap.yaml
similarity index 100%
rename from test/config-transport-encryption/bundle-configmap.yaml
rename to test/config/tls/bundle-configmap.yaml
diff --git a/test/config-transport-encryption/bundle.yaml b/test/config/tls/bundle.yaml
similarity index 100%
rename from test/config-transport-encryption/bundle.yaml
rename to test/config/tls/bundle.yaml
diff --git a/test/config-transport-encryption/eventing-ca-issuer.yaml b/test/config/tls/eventing-ca-issuer.yaml
similarity index 100%
rename from test/config-transport-encryption/eventing-ca-issuer.yaml
rename to test/config/tls/eventing-ca-issuer.yaml
diff --git a/test/config-transport-encryption/placeholder.go b/test/config/tls/placeholder.go
similarity index 75%
rename from test/config-transport-encryption/placeholder.go
rename to test/config/tls/placeholder.go
index 60b444a7619..9ca909ce62a 100644
--- a/test/config-transport-encryption/placeholder.go
+++ b/test/config/tls/placeholder.go
@@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
+ http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,6 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-// Package config_transport_encryption is a placeholder that allows us to pull in config files
+// Package tls is a placeholder that allows us to pull in config files
 // via go mod vendor.
-package config_transport_encryption
+package tls
diff --git a/test/config-transport-encryption/selfsigned-issuer.yaml b/test/config/tls/selfsigned-issuer.yaml
similarity index 100%
rename from test/config-transport-encryption/selfsigned-issuer.yaml
rename to test/config/tls/selfsigned-issuer.yaml
diff --git a/test/e2e-common.sh b/test/e2e-common.sh
index d629cc6081f..20e052c9335 100755
--- a/test/e2e-common.sh
+++ b/test/e2e-common.sh
@@ -42,6 +42,8 @@ readonly MT_CHANNEL_BASED_BROKER_CONFIG_DIR="config/brokers/mt-channel-broker"
 # MT Channel Based Broker config.
 readonly MT_CHANNEL_BASED_BROKER_DEFAULT_CONFIG="config/core/configmaps/default-broker.yaml"
+readonly EVENTING_TLS_TEST_CONFIG_DIR="test/config/tls"
+
 # Config tracing config.
 readonly CONFIG_TRACING_CONFIG="test/config/config-tracing.yaml"
@@ -183,6 +185,8 @@ function install_knative_eventing() {
 sed "s/namespace: ${KNATIVE_DEFAULT_NAMESPACE}/namespace: ${SYSTEM_NAMESPACE}/g" "${CONFIG_TRACING_CONFIG}" > "${TMP_CONFIG_TRACING_CONFIG}"
 kubectl replace -f "${TMP_CONFIG_TRACING_CONFIG}"
+ kubectl apply -Rf "${EVENTING_TLS_TEST_CONFIG_DIR}"
+
 scale_controlplane eventing-webhook eventing-controller
 wait_until_pods_running "${SYSTEM_NAMESPACE}" || fail_test "Knative Eventing did not come up"
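Review bot: `kubectl apply -Rf "${EVENTING_TLS_TEST_CONFIG_DIR}"` in install_knative_eventing is fire-and-forget: unlike the `wait_until_pods_running ... || fail_test` line two lines below, a failed apply (for instance when the cert-manager or trust-manager CRDs are not yet installed) goes unnoticed, and the function moves on to scaling the control plane without waiting for the issuer, CA Certificate and Bundle objects that the file names in that directory suggest to become Ready, so early TLS tests may run before the CA secret and trust ConfigMap exist. Suggest `kubectl apply -Rf "${EVENTING_TLS_TEST_CONFIG_DIR}" || fail_test "Failed to apply TLS test configs"`, followed by a readiness wait such as `kubectl wait --for=condition=Ready certificate --all -n <eventing-namespace> --timeout=5m || fail_test "TLS certificates not ready"` with the namespace taken from the applied manifests. Whether cert-manager and trust-manager are installed earlier in this script cannot be seen from the hunk, and install_knative_eventing continues outside it.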