Eventing TLS: support creating TLS server for InMemoryChannel dispatcher

[pierDipi]

Problem

After #6865 and #6837, we the foundation bits to enabled the imc-dispatcher to create a TLS server when the transport-encryption feature flag is set to Permissive or Strict.

We need to make sure that the dispatcher is creating such TLS server on the fly without restarts by watching the config-features ConfigMap with the below snippet in pkg/reconciler/inmemorychannel/dispatcher/controller.go:

	featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
		
		impl.GlobalResync(inmemorychannelInformer.Informer())

	})
	featureStore.WatchConfigs(cmw)

and then create the TLS message receiver as part of the NewFanoutMessageHandler

eventing/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go

Lines 89 to 102 in 193f2df

	handler := r.multiChannelMessageHandler.GetChannelHandler(config.HostName)
	if handler == nil {
	// No handler yet, create one.
	fanoutHandler, err := fanout.NewFanoutMessageHandler(
	logging.FromContext(ctx).Desugar(),
	channel.NewMessageDispatcher(logging.FromContext(ctx).Desugar()),
	config.FanoutConfig,
	r.reporter,
	)
	if err != nil {
	logging.FromContext(ctx).Error("Failed to create a new fanout.MessageHandler", err)
	return err
	}
	r.multiChannelMessageHandler.SetChannelHandler(config.HostName, fanoutHandler)

Even if an handler is present, we need to make sure to have the TLS server is present when transport-encryption feature flag is set to Permissive or Strict

Exit Criteria

imc-dispatcher accepts TLS connections that are handled with path-based routing #6865

Additional context (optional)

/help

[knative-prow]

@pierDipi:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

Details

In response to this:

Problem

After #6865 and #6837, we the foundation bits to enabled the imc-dispatcher to create a TLS server when the transport-encryption feature flag is set to Permissive or Strict.

We need to make sure that the dispatcher is creating such TLS server on the fly without restarts by watching the config-features ConfigMap with the below snippet in pkg/reconciler/inmemorychannel/dispatcher/controller.go:

  featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
  	
  	impl.GlobalResync(inmemorychannelInformer.Informer())

  })
  featureStore.WatchConfigs(cmw)

and then create the TLS message receiver as part of the NewFanoutMessageHandler

eventing/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go

Lines 89 to 102 in 193f2df

	handler := r.multiChannelMessageHandler.GetChannelHandler(config.HostName)
	if handler == nil {
	// No handler yet, create one.
	fanoutHandler, err := fanout.NewFanoutMessageHandler(
	logging.FromContext(ctx).Desugar(),
	channel.NewMessageDispatcher(logging.FromContext(ctx).Desugar()),
	config.FanoutConfig,
	r.reporter,
	)
	if err != nil {
	logging.FromContext(ctx).Error("Failed to create a new fanout.MessageHandler", err)
	return err
	}
	r.multiChannelMessageHandler.SetChannelHandler(config.HostName, fanoutHandler)

Even if an handler is present, we need to make sure to have the TLS server is present when transport-encryption feature flag is set to Permissive or Strict

Exit Criteria

imc-dispatcher accepts TLS connections that are handled with path-based routing #6865

Additional context (optional)

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gab-satchi]

/assign

[gab-satchi]

Hey @pierDipi, just confirming the imc-dispatcher Deployment (and Service) would also be changing to have 2 ports: 1 for http and 1 for https.

Depending on the transport-encryption value, one of those ports may not get used.

[pierDipi]

Yes, correct!