http01 challenge must support K-Network-Probe #44
Comments
cc @ZhiminXiang
/assign
The difference btw net-certmanager and net-http01 is that the service for serving HTTP01 challenge is not controlled by Knative. It is set up by cert-manager. I am gonna look into cert-manager and see how we can add the logic into cert-manager.
Alternately we could create a way in our dataplane contract to express that certain services do not need (or don't support) probing.
Right now net-contour doesn't properly support certmanager-based http01 challenges because it expects all referenced services to adhere to the dataplane contract around probing. Related: knative-extensions/net-certmanager#44
SGTM. This could be a workaround.
Just for the record, the Ingress prober implementation of Istio is based on hosts of Ingress. See the code here. So it just probes host without I think we should still pursue wrapping the http01 challenge service in the cert-manager side. Once that lands, we can extend the prober to support probing
It's either our dataplane contract or it's not. cc @tcnghia since he was considering doing the same thing I did in net-contour in net-istio. |
All of the known remaining issues with Contour have been resolved, and I've been carefully monitoring testgrid and digging into any 503s (or other dataplane related failures). As of me writing this:
1. The only failure in the net-contour testgrid is due to its workaround for knative-extensions/net-certmanager#44, which shouldn't practically manifest in the context of Serving.
2. The only failures in the contour leg on Serving testgrid are due to infrastructure (Go, etcd, GKE, resource exhaustion).
I will continue to track testgrid carefully as we head towards 0.18, but at present it is likely as solid as any of our ingress options.
This issue is stale because it has been open for 90 days with no
/lifecycle frozen @ZhiminXiang any update?
/unassign @ZhiminXiang
In order to assess readiness, we expect services included in kingress to support the K-Network-Probe handshake.
See related issue for net-http01: knative-extensions/net-http01#48