openshift · openshift-ci · Aug 3, 2022 · Aug 3, 2022 · Aug 3, 2022
diff --git a/openshift/release/artifacts/2-serving-core.yaml b/openshift/release/artifacts/2-serving-core.yaml
@@ -4440,6 +4440,39 @@ data:
     loglevel.net-istio-controller: "info"
     loglevel.net-contour-controller: "info"
 
+---
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  # Do not drop -ctrl-ca suffix as control-protocol requires it.
+  # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+  name: serving-certs-ctrl-ca
+  namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knative-serving-certs
+  namespace: knative-serving
+  labels:
+    serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.
+
 ---
 # Copyright 2018 The Knative Authors
 #
@@ -4616,53 +4649,15 @@ data:
     # Knative doesn't know about that otherwise.
     default-external-scheme: "http"
 
-    # The CA public certificate used to sign the activator TLS certificate.
-    # It is specified by the secret name, which has the "ca.crt" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-ca: ""
-
-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
-    # It must be set when "activator-ca" is specified.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-san: ""
-
-    # The server certificates to serve the TLS traffic from ingress to activator.
-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-cert-secret: ""
-
-    # The CA public certificate used to sign the queue-proxy TLS certificate.
-    # It is specified by the secret name, which has the "ca.crt" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    queue-proxy-ca: ""
-
-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
-    # It must be set when "queue-proxy-ca" is specified.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    queue-proxy-san: ""
-
-    # The server certificates to serve the TLS traffic from activator to queue-proxy.
-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
-    # Use an empty value to disable the feature (default).
+    # internal-encryption indicates whether internal traffic is encrypted or not.
+    # If this is "true", the following traffic are encrypted:
+    #  - ingress to activator
+    #  - ingress to queue-proxy
+    #  - activator to queue-proxy
     #
     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
     #       for now. Use with caution.
-    queue-proxy-cert-secret: ""
+    internal-encryption: "false"
 
 ---
 # Copyright 2018 The Knative Authors

diff --git a/openshift/release/download_release_artifacts.sh b/openshift/release/download_release_artifacts.sh
@@ -50,3 +50,6 @@ git apply "${manifest_path}/002-openshift-serving-role.patch"
 # TODO: Remove this once upstream fixed https://github.com/knative/operator/issues/376.
 # See also https://issues.redhat.com/browse/SRVKS-670.
 git apply "${manifest_path}/003-serving-pdb.patch"
+
+# Add internal-tls patch. The backport will conflict with the downloaded manifest.
+git apply "${manifest_path}/004-internal-tls.patch"
diff --git a/openshift/release/knative-serving-ci.yaml b/openshift/release/knative-serving-ci.yaml
@@ -3486,6 +3486,38 @@ spec:
                   description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix}
                   type: string
 ---
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  # Do not drop -ctrl-ca suffix as control-protocol requires it.
+  # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+  name: serving-certs-ctrl-ca
+  namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knative-serving-certs
+  namespace: knative-serving
+  labels:
+    serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.
+---
 # Copyright 2018 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -4463,7 +4495,7 @@ metadata:
     app.kubernetes.io/component: networking
     app.kubernetes.io/version: "v1.2.0"
   annotations:
-    knative.dev/example-checksum: "d0b91f80"
+    knative.dev/example-checksum: "73d96d1b"
 data:
   _example: |
     ################################
@@ -4614,53 +4646,15 @@ data:
     # Knative doesn't know about that otherwise.
     default-external-scheme: "http"
 
-    # The CA public certificate used to sign the activator TLS certificate.
-    # It is specified by the secret name, which has the "ca.crt" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-ca: ""
-
-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
-    # It must be set when "activator-ca" is specified.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-san: ""
-
-    # The server certificates to serve the TLS traffic from ingress to activator.
-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-cert-secret: ""
-
-    # The CA public certificate used to sign the queue-proxy TLS certificate.
-    # It is specified by the secret name, which has the "ca.crt" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    queue-proxy-ca: ""
-
-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
-    # It must be set when "queue-proxy-ca" is specified.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    queue-proxy-san: ""
-
-    # The server certificates to serve the TLS traffic from activator to queue-proxy.
-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
-    # Use an empty value to disable the feature (default).
+    # internal-encryption indicates whether internal traffic is encrypted or not.
+    # If this is "true", the following traffic are encrypted:
+    #  - ingress to activator
+    #  - ingress to queue-proxy
+    #  - activator to queue-proxy
     #
     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
     #       for now. Use with caution.
-    queue-proxy-cert-secret: ""
+    internal-encryption: "false"
 ---
 # Copyright 2018 The Knative Authors
 #

diff --git a/openshift/release/manifest-patches/004-internal-tls.patch b/openshift/release/manifest-patches/004-internal-tls.patch
@@ -0,0 +1,104 @@
+diff --git a/openshift/release/artifacts/2-serving-core.yaml b/openshift/release/artifacts/2-serving-core.yaml
+index 12cac6d40..0bd375e60 100644
+--- a/openshift/release/artifacts/2-serving-core.yaml
++++ b/openshift/release/artifacts/2-serving-core.yaml
+@@ -4440,6 +4440,39 @@ data:
+     loglevel.net-istio-controller: "info"
+     loglevel.net-contour-controller: "info"
+
++---
++# Copyright 2022 The Knative Authors
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#     https://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++apiVersion: v1
++kind: Secret
++metadata:
++  # Do not drop -ctrl-ca suffix as control-protocol requires it.
++  # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
++  name: serving-certs-ctrl-ca
++  namespace: knative-serving
++# The data is populated when internal-encryption is enabled.
++---
++apiVersion: v1
++kind: Secret
++metadata:
++  name: knative-serving-certs
++  namespace: knative-serving
++  labels:
++    serving-certs-ctrl: "data-plane"
++# The data is populated when internal-encryption is enabled.
++
+ ---
+ # Copyright 2018 The Knative Authors
+ #
+@@ -4616,53 +4649,15 @@ data:
+     # Knative doesn't know about that otherwise.
+     default-external-scheme: "http"
+
+-    # The CA public certificate used to sign the activator TLS certificate.
+-    # It is specified by the secret name, which has the "ca.crt" data field.
+-    # Use an empty value to disable the feature (default).
+-    #
+-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+-    #       for now. Use with caution.
+-    activator-ca: ""
+-
+-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+-    # It must be set when "activator-ca" is specified.
+-    # Use an empty value to disable the feature (default).
+-    #
+-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+-    #       for now. Use with caution.
+-    activator-san: ""
+-
+-    # The server certificates to serve the TLS traffic from ingress to activator.
+-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+-    # Use an empty value to disable the feature (default).
+-    #
+-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+-    #       for now. Use with caution.
+-    activator-cert-secret: ""
+-
+-    # The CA public certificate used to sign the queue-proxy TLS certificate.
+-    # It is specified by the secret name, which has the "ca.crt" data field.
+-    # Use an empty value to disable the feature (default).
+-    #
+-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+-    #       for now. Use with caution.
+-    queue-proxy-ca: ""
+-
+-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+-    # It must be set when "queue-proxy-ca" is specified.
+-    # Use an empty value to disable the feature (default).
+-    #
+-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+-    #       for now. Use with caution.
+-    queue-proxy-san: ""
+-
+-    # The server certificates to serve the TLS traffic from activator to queue-proxy.
+-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+-    # Use an empty value to disable the feature (default).
++    # internal-encryption indicates whether internal traffic is encrypted or not.
++    # If this is "true", the following traffic are encrypted:
++    #  - ingress to activator
++    #  - ingress to queue-proxy
++    #  - activator to queue-proxy
+     #
+     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+     #       for now. Use with caution.
+-    queue-proxy-cert-secret: ""
++    internal-encryption: "false"
+
+ ---
+ # Copyright 2018 The Knative Authors