Adding flags for different TLS levels resulting in diffeerent quarkus…

… env vars Signed-off-by: Matthias Wessendorf <[email protected]>
knative · Dec 17, 2024 · 80cb7ab · 80cb7ab
1 parent 42b9b85
commit 80cb7ab
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 22 deletions.
diff --git a/pkg/reconciler/integration/sink/integrationsink.go b/pkg/reconciler/integration/sink/integrationsink.go
@@ -93,7 +93,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, sink *sinks.IntegrationS
 		}
 	}
 
-	_, err := r.reconcileDeployment(ctx, sink)
+	_, err := r.reconcileDeployment(ctx, sink, featureFlags)
 	if err != nil {
 		logging.FromContext(ctx).Errorw("Error reconciling Pod", zap.Error(err))
 		return err
@@ -117,9 +117,9 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, sink *sinks.IntegrationS
 	return newReconciledNormal(sink.Namespace, sink.Name)
 }
 
-func (r *Reconciler) reconcileDeployment(ctx context.Context, sink *sinks.IntegrationSink) (*v1.Deployment, error) {
+func (r *Reconciler) reconcileDeployment(ctx context.Context, sink *sinks.IntegrationSink, featureFlags feature.Flags) (*v1.Deployment, error) {
 
-	expected := resources.MakeDeploymentSpec(sink)
+	expected := resources.MakeDeploymentSpec(sink, featureFlags)
 	deployment, err := r.deploymentLister.Deployments(sink.Namespace).Get(expected.Name)
 	if apierrors.IsNotFound(err) {
 		deployment, err = r.kubeClientSet.AppsV1().Deployments(sink.Namespace).Create(ctx, expected, metav1.CreateOptions{})

diff --git a/pkg/reconciler/integration/sink/resources/container_image.go b/pkg/reconciler/integration/sink/resources/container_image.go
@@ -22,6 +22,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	commonv1a1 "knative.dev/eventing/pkg/apis/common/integration/v1alpha1"
+	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/apis/sinks/v1alpha1"
 	"knative.dev/eventing/pkg/reconciler/integration"
 	"knative.dev/pkg/kmeta"
@@ -34,7 +35,7 @@ var sinkImageMap = map[string]string{
 	"aws-sns": "gcr.io/knative-nightly/aws-sns-sink:latest",
 }
 
-func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink) *appsv1.Deployment {
+func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) *appsv1.Deployment {
 	t := true
 
 	deploy := &appsv1.Deployment{
@@ -86,7 +87,7 @@ func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink) *appsv1.Deployment {
 									Protocol:      corev1.ProtocolTCP,
 									Name:          "https",
 								}},
-							Env: makeEnv(sink),
+							Env: makeEnv(sink, featureFlags),
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      CertificateName(sink),
@@ -138,26 +139,32 @@ func MakeService(sink *v1alpha1.IntegrationSink) *corev1.Service {
 	}
 }
 
-func DeploymentName(sink *v1alpha1.IntegrationSink) string {
-	return kmeta.ChildName(sink.Name, "-deployment")
-}
-
-func makeEnv(sink *v1alpha1.IntegrationSink) []corev1.EnvVar {
+func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev1.EnvVar {
 	var envVars []corev1.EnvVar
 
-	//QUARKUS_HTTP_SSL_CERTIFICATE_FILES=/mount/certs/server.crt
-	//QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES=/mount/certs/server.key
+	// Transport encryption environment variables
+	if !featureFlags.IsDisabledTransportEncryption() {
+		envVars = append(envVars, []corev1.EnvVar{
+			{
+				Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
+				Value: "/etc/" + CertificateName(sink) + "/tls.crt",
+			},
+			{
+				Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES",
+				Value: "/etc/" + CertificateName(sink) + "/tls.key",
+			},
+		}...)
+	}
 
-	envVars = append(envVars, []corev1.EnvVar{
-		{
-			Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
-			Value: "/etc/" + CertificateName(sink) + "/tls.crt",
-		},
-		{
-			Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES",
-			Value: "/etc/" + CertificateName(sink) + "/tls.key",
-		},
-	}...)
+	// No HTTP with strict TLS
+	if featureFlags.IsStrictTransportEncryption() {
+		envVars = append(envVars, []corev1.EnvVar{
+			{
+				Name:  "QUARKUS_HTTP_INSECURE_REQUESTS",
+				Value: "disabled",
+			},
+		}...)
+	}
 
 	// Log environment variables
 	if sink.Spec.Log != nil {

diff --git a/pkg/reconciler/integration/sink/resources/names.go b/pkg/reconciler/integration/sink/resources/names.go
@@ -24,3 +24,7 @@ import (
 func CertificateName(sink *v1alpha1.IntegrationSink) string {
 	return kmeta.ChildName(sink.Name, "-server-tls")
 }
+
+func DeploymentName(sink *v1alpha1.IntegrationSink) string {
+	return kmeta.ChildName(sink.Name, "-deployment")
+}