Add support for sending events to HTTPS endpoints in Eventshub#526
Conversation
|
@Rahul-Kumar-prog: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
knative-prow
bot
added
the
needs-ok-to-test
|
Hi @Rahul-Kumar-prog. Thanks for your PR. I'm waiting for a knative-sandbox member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
knative-prow
bot
added
the
size/M
pierDipi
left a comment
pierDipi
left a comment
There was a problem hiding this comment.
we need to solve the requirement number 2 on the issue.
This is just for an idea, in my PR I added another env variable to enforce TLS and the sender would check and enforce TLS regardless of the "is HTTPS sink", see #527
In addition, we need functions to configure the sender with CA Certs, similar to https://github.com/knative-sandbox/reconciler-test/blob/7e6edebb371797610b06b117670ba9bd22b6dbcc/pkg/eventshub/options.go#L62-L94
|
@pierDipi
|
No, I sent you the reference on where to do point 1 ( For point 1, we're trying to offer a way to use the new feature you have implemented, when we implement a new feature, we need to think about "how users will use such feature?" and "how are users using similar features?"; that's what point 2 is trying to address, does that make sense? |
|
Hi @Rahul-Kumar-prog! Do you need any help, are the requirements clear to you? |
|
Hey @vishal-chdhry yes I need help. I will contact with you on slack for some doubts. Please have a look |
|
@Rahul-Kumar-prog do you have any updates on this? |
|
How can we help you? |
|
Hey @pierDipi i have talk to vishal and I got solution just little more time and I will be commit with the solution. |
|
Thank you both! |
knative-prow
bot
added
size/L
pkg/eventshub/options.go
Outdated
| } | ||
|
|
||
| func StartsenderTLS(sinkSvc string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "CACerts"), func(ctx context.Context, envs map[string]string) error { |
There was a problem hiding this comment.
EventGeneratorsEnv set to CACerts is not a valid generator, we need to set this to sender
pkg/eventshub/options.go
Outdated
|
|
||
| func StartsenderTLS(sinkSvc string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "CACerts"), func(ctx context.Context, envs map[string]string) error { | ||
| envs["SINK"] = "https://" + network.GetServiceHostname(sinkSvc, environment.FromContext(ctx).Namespace()) |
There was a problem hiding this comment.
Is SINK env variable enough to make an HTTPS request? do we need CA certs?
pkg/eventshub/options.go
Outdated
| if u == nil { | ||
| return fmt.Errorf("resource %v named %s is not addressable", gvr, name) | ||
| } | ||
| envs["SINK"] = "https://" + u.String() |
There was a problem hiding this comment.
Is SINK env variable enough to make an HTTPS request? do we need CA certs?
pkg/eventshub/options.go
Outdated
|
|
||
| func StartSenderURLTLS(sink string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "CACerts"), func(ctx context.Context, envs map[string]string) error { | ||
| envs["SINK"] = "https://" + sink |
There was a problem hiding this comment.
Is SINK env variable enough to make an HTTPS request? do we need CA certs?
There was a problem hiding this comment.
ohh i miss this sorry?
pkg/eventshub/options.go
Outdated
| func StartsenderTLS(sinkSvc string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "CACerts"), func(ctx context.Context, envs map[string]string) error { | ||
| envs["SINK"] = "https://" + network.GetServiceHostname(sinkSvc, environment.FromContext(ctx).Namespace()) | ||
| return nil | ||
| }) | ||
| } | ||
|
|
||
| func StartSenderToResourceTLS(gvr schema.GroupVersionResource, name string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "CACerts"), func(ctx context.Context, envs map[string]string) error { | ||
| u, err := k8s.Address(ctx, gvr, name) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if u == nil { | ||
| return fmt.Errorf("resource %v named %s is not addressable", gvr, name) | ||
| } | ||
| envs["SINK"] = "https://" + u.String() | ||
| return nil | ||
| }) | ||
| } | ||
|
|
||
| func StartSenderURLTLS(sink string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "CACerts"), func(ctx context.Context, envs map[string]string) error { | ||
| envs["SINK"] = "https://" + sink | ||
| return nil | ||
| }) | ||
| } |
There was a problem hiding this comment.
For each new *TLS function we need to also set ENFORCE_TLS to true so that eventshub can enforce TLS
There was a problem hiding this comment.
var startsender EventsHubOption = envAdditive(EventGeneratorsEnv, "sender")
var StartSendertls EventsHubOption = compose(startsender,envAdditive(EnforceTLS, "True"))
like this ?
There was a problem hiding this comment.
Have you tried it? the current startSender is different from what you posted above, so I'm not sure that would work
To each compose function we need to add
envAdditive(EnforceTLS, "true")
as argument
There was a problem hiding this comment.
i made a commit recently for these changes have you check those @pierDipi
There was a problem hiding this comment.
I saw it, I don't think it's correct
pkg/eventshub/sender/sender.go
Outdated
| server := &https.Server{addr: ":8080", Handler: handler} | ||
| serverTLS := &http.Server{ | ||
| Addr: ":8443", | ||
| TLSConfig: &tls.Config{ | ||
| MinVersion: tls.VersionTLS12, | ||
| }, | ||
| Handler: handler, | ||
| } | ||
|
|
||
| var httpErr error | ||
| go func() { | ||
| httpErr = server.ListenAndServe() | ||
| }() | ||
| var httpsErr error | ||
| if env.EnforceTLS { | ||
| go func() { | ||
| httpsErr = serverTLS.ListenAndServe("/etc/tls/certificates/tls.crt", "/etc/tls/certifcates/tls.key") | ||
| }() | ||
| defer serverTLS.Close() | ||
| } | ||
|
|
||
| if httpErr != nil { | ||
| return fmt.Errorf("error while starting the HTTP server: %w", httpErr) | ||
| } | ||
| if httpsErr != nil { | ||
| return fmt.Errorf("error while starting the HTTPS server: %w", httpsErr) | ||
| } |
There was a problem hiding this comment.
I don't get why we need the servers, this is a sender, which means it acts as HTTP(s) client
pkg/eventshub/sender/sender.go
Outdated
| } | ||
|
|
||
| httpClient := &nethttp.Client{} | ||
| if isHTTPSSink(env.Sink) { |
There was a problem hiding this comment.
| if isHTTPSSink(env.Sink) { | |
| if env.EnforceTLS { |
pkg/eventshub/sender/sender.go
Outdated
| if isHTTPSSink(env.Sink) { | ||
| if _, err := httpClient.Do(req); err != nil { | ||
| logging.FromContext(ctx).Error(zap.Error(err)) | ||
| return false, nil | ||
| } | ||
| } else if _, err := nethttp.DefaultClient.Do(req); err != nil { |
There was a problem hiding this comment.
| if isHTTPSSink(env.Sink) { | |
| if _, err := httpClient.Do(req); err != nil { | |
| logging.FromContext(ctx).Error(zap.Error(err)) | |
| return false, nil | |
| } | |
| } else if _, err := nethttp.DefaultClient.Do(req); err != nil { | |
| if _, err := httpClient.Do(req); err != nil { |
pkg/eventshub/sender/sender.go
Outdated
| return fmt.Errorf("error while starting the HTTPS server: %w", httpsErr) | ||
| } | ||
|
|
||
| httpClient := &nethttp.Client{} |
There was a problem hiding this comment.
| httpClient := &nethttp.Client{} | |
| httpClient := nethttp.DefaultClient |
knative-prow-robot
added
the
needs-rebase
|
@pierDipi have a look. |
pkg/eventshub/options.go
Outdated
| var Startsender EventsHubOption = envAdditive(EventGeneratorsEnv, "sender") | ||
|
|
There was a problem hiding this comment.
| var Startsender EventsHubOption = envAdditive(EventGeneratorsEnv, "sender") |
We don't need this, there is already StartSender
pkg/eventshub/options.go
Outdated
| // StartSendertls starts the sender in the eventshub with TLS enforcement. | ||
| // It requires cert-manager operator to be able to create TLS Certificate.const | ||
| // To get the CA certificate used you can use GetCAcerts | ||
| var StartSendertls EventsHubOption = compose(Startsender, envAdditive(EnforceTLS, "true")) |
There was a problem hiding this comment.
| // StartSendertls starts the sender in the eventshub with TLS enforcement. | |
| // It requires cert-manager operator to be able to create TLS Certificate.const | |
| // To get the CA certificate used you can use GetCAcerts | |
| var StartSendertls EventsHubOption = compose(Startsender, envAdditive(EnforceTLS, "true")) | |
| // StartSenderTLS starts the sender in the eventshub with TLS enforcement. | |
| func StartSenderTLS(sinkSvc string, caCerts *caCerts) EventsHubOption { | |
| return compose(StartSender(sinkSvc), envAdditive(EnforceTLS, "true"), func(ctx context.Context, envs map[string]string) error { | |
| if caCerts != nil { | |
| envs["CA_CERTS"] = *caCerts | |
| } | |
| return nil | |
| }) | |
| } |
There was a problem hiding this comment.
This is the idea for StartSenderTLS function
pkg/eventshub/options.go
Outdated
|
|
||
| func StartSenderTLS(sinkSvc string) EventsHubOption { | ||
| return compose(envAdditive(EventGeneratorsEnv, "sender"), func(ctx context.Context, envs map[string]string) error { | ||
| envs["CACerts"] = "https://" + network.GetServiceHostname(sinkSvc, environment.FromContext(ctx).Namespace()) |
There was a problem hiding this comment.
I left a comment earlier to challenge CA certs set to a URL, if we set CACerts env variabe to a URL, would that work for the updated code you've implmented in pkg/eventshub/sender/sender.go? is that the expected behavior?
There was a problem hiding this comment.
I think so. what you say?
There was a problem hiding this comment.
how would that work if CACerts is not used anywhere?
given the PR change:
// CACert is the certificate for enabling HTTPS in Sink URL
CACerts string `envconfig:"CA_CERTS"`
// EnforceTLS is used to enforce TLS.
EnforceTLS bool `envconfig:"ENFORCE_TLS" default:"false"`
I don't see where CACerts is used, nor how setting CACerts to an HTTP address has a meaning.
In addition, the PR is setting CACerts to a URL that should be set as SINK.
See this comment: #526 (comment)
There was a problem hiding this comment.
@pierDipi You mean in startsendertls function I have to set env as sink right ?
If we set env as a sink then how can start sender tls with Cacerts ?
|
@Rahul-Kumar-prog this is blocking progress on bunch of other tasks, so we need to move forward.
|
|
Sorry @pierDipi i get sick past few days. I understand your comments. Give me some time I will push a commit with the solution/changes. And again sorry for blocking |
Rahul-Kumar-prog
force-pushed
the
Rahulkumar6840
branch
2 times, most recently
from
81ac3b1 to
e7498e2
Compare
knative-prow-robot
added
the
needs-rebase
knative-prow
bot
added
size/L
knative-prow-robot
removed
the
needs-rebase
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
|
@Rahul-Kumar-prog I've sent a PR to your branch Rahul-Kumar-prog#1, please merge it |
knative-prow
bot
added
size/XXL
|
/ok-to-test |
knative-prow
bot
added
ok-to-test
knative-prow
bot
added
lgtm
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pierDipi, Rahul-Kumar-prog The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Manual update since there are a few braking chanages with knative-extensions/reconciler-test#526 first commit upgrade deps and vendor, the rest fixes the issues. --------- Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Manual update since there are a few braking chanages with knative-extensions/reconciler-test#526 first commit upgrade deps and vendor, the rest fixes the issues. --------- Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
4 participants
Signing-off by : Rahul Kumar rahulkumarrsde@gmail.com
Fixes knative/eventing#6840
Release Note
Docs