wip: set internal certs on clusterlocal domains when internal encrypt…

…ion enabled
knative · Jan 30, 2023 · 7b082de · 7b082de
1 parent 656e485
commit 7b082de
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go
@@ -183,6 +183,18 @@ func makeIngressSpec(
 					rule.HTTP.Paths[0].AppendHeaders[netheader.RouteTagKey] = name
 				}
 			}
+
+			// if this is a private rule, and internal encryption is on, we need to stick the certs in the tls seciton
+			if visibility == netv1alpha1.IngressVisibilityClusterLocal && networkConfig.InternalEncryption {
+				for domain := range domains {
+					tls = append(tls, netv1alpha1.IngressTLS{
+						Hosts:           []string{domain},
+						SecretName:      "default-serving-certs",
+						SecretNamespace: "default",
+					})
+				}
+
+			}
 			// If this is a public rule, we need to configure ACME challenge paths.
 			if visibility == netv1alpha1.IngressVisibilityExternalIP {
 				paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)