[WIP] Change min and max TLS version to v1.3 for internal encryption (between Ingress to Activator) #13930

Closed
wants to merge 1 commit into from


izabelacg (Member) commented Apr 28, 2023

Proposed Changes

  • Change minimum and maximum TLS version (from 1.2 to 1.3) when internal encryption is activated (between Ingress to Activator)

TLS 1.3 comes with numerous enhancements, such as a quicker TLS handshake and more secure cipher suites.

Release Note

* Activator uses TLS version 1.3 when internal encryption is activated for communication with Ingress

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 28, 2023
knative-prow bot commented Apr 28, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: izabelacg
Once this PR has been reviewed and has the lgtm label, please assign dprotaso for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot requested review from kauana and KauzClay April 28, 2023 18:36
@knative-prow knative-prow bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. area/API API objects and controllers area/autoscale area/networking labels Apr 28, 2023
codecov bot commented Apr 28, 2023

Codecov Report

Patch coverage has no change and project coverage change: -0.03 ⚠️

Comparison is base (d07bf78) 86.21% compared to head (079c20c) 86.18%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13930      +/-   ##
==========================================
- Coverage   86.21%   86.18%   -0.03%     
==========================================
  Files         199      199              
  Lines       14767    14768       +1     
==========================================
- Hits        12731    12728       -3     
- Misses       1734     1737       +3     
- Partials      302      303       +1     
Impacted Files Coverage Δ
cmd/activator/main.go 0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes


@izabelacg (Member, Author)

From #13887 (comment):

It seems TLS 1.3 between Ingress -> activator has an issue - probably related to envoyproxy/envoy#9300

Opened an issue to track this: #14057, and will close this PR.

@izabelacg izabelacg changed the title [WIP] Change min and max TLS version to v1.3 for internal encryption [WIP] Change min and max TLS version to v1.3 for internal encryption (between Ingress to Activator) Jun 2, 2023
@izabelacg izabelacg closed this Jun 5, 2023
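
An added example, not code from this PR or from Knative: a Go server pinned to TLS 1.3 by setting both `MinVersion` and `MaxVersion` in `crypto/tls`, showing that a peer capped at TLS 1.2 fails the handshake rather than downgrading. The helper names `newTLS13OnlyServer` and `negotiate`, and the use of the `httptest` built-in certificate, are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLS13OnlyServer (hypothetical helper) starts a local HTTPS server whose
// listener accepts only TLS 1.3: MinVersion and MaxVersion are both pinned.
// httptest supplies its built-in test certificate for 127.0.0.1.
func newTLS13OnlyServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13, MaxVersion: tls.VersionTLS13}
	srv.StartTLS()
	return srv
}

// negotiate (hypothetical helper) dials srv as a client capped at clientMax and
// returns the negotiated protocol version, or the handshake error.
func negotiate(srv *httptest.Server, clientMax uint16) (uint16, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's certificate
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		MaxVersion: clientMax,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	srv := newTLS13OnlyServer()
	defer srv.Close()
	for _, clientMax := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		v, err := negotiate(srv, clientMax)
		fmt.Printf("client max %#x: negotiated=%#x err=%v\n", clientMax, v, err)
	}
}
```

Running the same check against a staging endpoint before pinning both bounds shows whether every peer on that hop can actually speak TLS 1.3.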