How to do extended ingress routing with "httpProtocol: Redirected" setting?

[lenalebt]

Describe the change you'd like to see
I am referring to the documentation in https://knative.dev/docs/serving/samples/knative-routing-go/index.html.

I currently have KNative set up together with cert-manager for automatic certificate provisioning (using the autoTLS feature). I would also like to use "httpProtocol": "Redirected" to forward all http traffic to https on the istio-ingressgateway.

Doing so make it impossible to follow the suggested solution for routing (described here: https://knative.dev/docs/serving/samples/knative-routing-go/index.html#how-it-works). KNative / istio will internally forward the traffic back to the istio-ingressgateway with a different setting for the Host header (by using rewrite: authority here: https://github.com/knative/docs/blob/release-0.21/docs/serving/samples/knative-routing-go/routing.yaml#L34). It uses HTTP there, and not HTTPS. I don't necessarily want it to use more than HTTP for the internal stuff.

However, the istio-ingressgateway will try to redirect to HTTPS, making the whole thing fail.

I am willing to make a pull request with documentation updates, but honestly don't really know how one would solve it. If you give me a hint how to do it, I'll make the PR :).

Additional context

[nak3]

Hi @lenalebt IIUC, the problem could be solved if we could set "httpProtocol": "Enabled" to the specific internal services (e.g. login-service and search-service in the picture) while keep global setting "httpProtocol": "Redirected". Is that correct?
If correct, we are trying to introduce an annotation to set the option for each services by knative/networking#301 and that will address your problem.

For now, I guess it is not possible to address it besides changing the configuration "httpProtocol": "Enabled" for the global setting.

[lenalebt]

Hey @nak3 yes, that is correct. More specifically, for my use-case it would be sufficient to be able to set "httpProtocol": "Enabled" for internal services (annotated with networking.knative.dev/visibility: cluster-local) while keeping it "httpProtocol": "Redirected" globally - in theory. That is what I'd love to have in the end, but I guess I need to keep those specific services globally available to make them routable this way anyways, correct?

Should I open an issue in the main project for this?

[nak3]

Oh, you want to set the the internal service to cluster-local. Then, it can be solved by just configuration change.
You can update docs/serving/samples/knative-routing-go/routing.yaml like this:

diff --git a/docs/serving/samples/knative-routing-go/routing.yaml b/docs/serving/samples/knative-routing-go/routing.yaml
index f4bbfef6..bd78e070 100644
--- a/docs/serving/samples/knative-routing-go/routing.yaml
+++ b/docs/serving/samples/knative-routing-go/routing.yaml
@@ -31,13 +31,13 @@ spec:
     rewrite:
       # Rewrite the original host header to the host header of Search service
       # in order to redirect requests to Search service.
-      authority: search-service.default.example.com
+      authority: search-service.default.svc
     route:
       # Basically here we redirect the request to the cluster entry again with
       # updated header "search-service.default.example.com" so the request will
       # eventually be directed to Search service.
       - destination:
-          host: istio-ingressgateway.istio-system.svc.cluster.local
+          host: knative-local-gateway.istio-system.svc.cluster.local
           port:
             number: 80
         weight: 100
@@ -47,13 +47,13 @@ spec:
     rewrite:
       # Rewrite the original host header to the host header of Search service
       # in order to redirect requests to Search service.
-      authority: login-service.default.example.com
+      authority: login-service.default.svc
     route:
       # Basically here we redirect the request to the cluster entry again with
       # updated header "login-service.default.example.com" so the request will
       # eventually be directed to LOgin service.
       - destination:
-          host: istio-ingressgateway.istio-system.svc.cluster.local
+          host: knative-local-gateway.istio-system.svc.cluster.local
           port:
             number: 80
         weight: 100

When setting httpProtocol: Redirected, knative adds httpsRedirect: true in knative-ingress-gateway Gateway in knative-serving namespace but it does not add it in knative-local-gateway Gateway.
Then, knative service with cluster-local uses only knative-local-gateway Gateway so I think we can address your problem with above change.

[lenalebt]

That indeed works!

I'll prepare a PR with updated docs later on today. Thank you very much for your help!