Adding flags for different TLS levels resulting in diffeerent quarkus env vars

matzew · matzew · commit 2a079611535e · 2024-12-17T15:40:18.000+01:00
Signed-off-by: Matthias Wessendorf &lt;mwessend@redhat.com&gt;
diff --git a/pkg/reconciler/integration/sink/integrationsink.go b/pkg/reconciler/integration/sink/integrationsink.go
@@ -93,7 +93,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, sink *sinks.IntegrationS
 		}
 	}
 
-	_, err := r.reconcileDeployment(ctx, sink)
+	_, err := r.reconcileDeployment(ctx, sink, featureFlags)
 	if err != nil {
 		logging.FromContext(ctx).Errorw("Error reconciling Pod", zap.Error(err))
 		return err
@@ -117,9 +117,9 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, sink *sinks.IntegrationS
 	return newReconciledNormal(sink.Namespace, sink.Name)
 }
 
-func (r *Reconciler) reconcileDeployment(ctx context.Context, sink *sinks.IntegrationSink) (*v1.Deployment, error) {
+func (r *Reconciler) reconcileDeployment(ctx context.Context, sink *sinks.IntegrationSink, featureFlags feature.Flags) (*v1.Deployment, error) {
 
-	expected := resources.MakeDeploymentSpec(sink)
+	expected := resources.MakeDeploymentSpec(sink, featureFlags)
 	deployment, err := r.deploymentLister.Deployments(sink.Namespace).Get(expected.Name)
 	if apierrors.IsNotFound(err) {
 		deployment, err = r.kubeClientSet.AppsV1().Deployments(sink.Namespace).Create(ctx, expected, metav1.CreateOptions{})
diff --git a/pkg/reconciler/integration/sink/resources/container_image.go b/pkg/reconciler/integration/sink/resources/container_image.go
@@ -22,6 +22,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	commonv1a1 "knative.dev/eventing/pkg/apis/common/integration/v1alpha1"
+	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/apis/sinks/v1alpha1"
 	"knative.dev/eventing/pkg/reconciler/integration"
 	"knative.dev/pkg/kmeta"
@@ -34,7 +35,7 @@ var sinkImageMap = map[string]string{
 	"aws-sns": "gcr.io/knative-nightly/aws-sns-sink:latest",
 }
 
-func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink) *appsv1.Deployment {
+func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) *appsv1.Deployment {
 	t := true
 
 	deploy := &appsv1.Deployment{
@@ -86,7 +87,7 @@ func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink) *appsv1.Deployment {
 									Protocol:      corev1.ProtocolTCP,
 									Name:          "https",
 								}},
-							Env: makeEnv(sink),
+							Env: makeEnv(sink, featureFlags),
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      CertificateName(sink),
@@ -138,26 +139,32 @@ func MakeService(sink *v1alpha1.IntegrationSink) *corev1.Service {
 	}
 }
 
-func DeploymentName(sink *v1alpha1.IntegrationSink) string {
-	return kmeta.ChildName(sink.Name, "-deployment")
-}
-
-func makeEnv(sink *v1alpha1.IntegrationSink) []corev1.EnvVar {
+func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev1.EnvVar {
 	var envVars []corev1.EnvVar
 
-	//QUARKUS_HTTP_SSL_CERTIFICATE_FILES=/mount/certs/server.crt
-	//QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES=/mount/certs/server.key
+	// Transport encryption environment variables
+	if !featureFlags.IsDisabledTransportEncryption() {
+		envVars = append(envVars, []corev1.EnvVar{
+			{
+				Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
+				Value: "/etc/" + CertificateName(sink) + "/tls.crt",
+			},
+			{
+				Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES",
+				Value: "/etc/" + CertificateName(sink) + "/tls.key",
+			},
+		}...)
+	}
 
-	envVars = append(envVars, []corev1.EnvVar{
-		{
-			Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
-			Value: "/etc/" + CertificateName(sink) + "/tls.crt",
-		},
-		{
-			Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES",
-			Value: "/etc/" + CertificateName(sink) + "/tls.key",
-		},
-	}...)
+	// No HTTP with strict TLS
+	if featureFlags.IsStrictTransportEncryption() {
+		envVars = append(envVars, []corev1.EnvVar{
+			{
+				Name:  "QUARKUS_HTTP_INSECURE_REQUESTS",
+				Value: "disabled",
+			},
+		}...)
+	}
 
 	// Log environment variables
 	if sink.Spec.Log != nil {
diff --git a/pkg/reconciler/integration/sink/resources/names.go b/pkg/reconciler/integration/sink/resources/names.go
@@ -24,3 +24,7 @@ import (
 func CertificateName(sink *v1alpha1.IntegrationSink) string {
 	return kmeta.ChildName(sink.Name, "-server-tls")
 }
+
+func DeploymentName(sink *v1alpha1.IntegrationSink) string {
+	return kmeta.ChildName(sink.Name, "-deployment")
+}

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func (r Reconciler) ReconcileKind(ctx context.Context, sink sinks.IntegrationS`
`93`	`93`	`}`
`94`	`94`	`}`
`95`	`95`
`96`		`- _, err := r.reconcileDeployment(ctx, sink)`
	`96`	`+ _, err := r.reconcileDeployment(ctx, sink, featureFlags)`
`97`	`97`	`if err != nil {`
`98`	`98`	`logging.FromContext(ctx).Errorw("Error reconciling Pod", zap.Error(err))`
`99`	`99`	`return err`
`@@ -117,9 +117,9 @@ func (r Reconciler) ReconcileKind(ctx context.Context, sink sinks.IntegrationS`
`117`	`117`	`return newReconciledNormal(sink.Namespace, sink.Name)`
`118`	`118`	`}`
`119`	`119`
`120`		`-func (r Reconciler) reconcileDeployment(ctx context.Context, sink sinks.IntegrationSink) (*v1.Deployment, error) {`
	`120`	`+func (r Reconciler) reconcileDeployment(ctx context.Context, sink sinks.IntegrationSink, featureFlags feature.Flags) (*v1.Deployment, error) {`
`121`	`121`
`122`		`- expected := resources.MakeDeploymentSpec(sink)`
	`122`	`+ expected := resources.MakeDeploymentSpec(sink, featureFlags)`
`123`	`123`	`deployment, err := r.deploymentLister.Deployments(sink.Namespace).Get(expected.Name)`
`124`	`124`	`if apierrors.IsNotFound(err) {`
`125`	`125`	`deployment, err = r.kubeClientSet.AppsV1().Deployments(sink.Namespace).Create(ctx, expected, metav1.CreateOptions{})`
Original file line number	Diff line number	Diff line change
`@@ -24,3 +24,7 @@ import (`
`24`	`24`	`func CertificateName(sink *v1alpha1.IntegrationSink) string {`
`25`	`25`	`return kmeta.ChildName(sink.Name, "-server-tls")`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+func DeploymentName(sink *v1alpha1.IntegrationSink) string {`
	`29`	`+ return kmeta.ChildName(sink.Name, "-deployment")`
	`30`	`+}`