From 7b082decba6facc6c671e40745ec9c2817e9349e Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Mon, 30 Jan 2023 10:29:08 -0500
Subject: [PATCH] wip: set internal certs on clusterlocal domains when internal encryption enabled
---
 pkg/reconciler/route/resources/ingress.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go
index 5046b486120d..10990698094f 100644
--- a/pkg/reconciler/route/resources/ingress.go
+++ b/pkg/reconciler/route/resources/ingress.go
@@ -183,6 +183,18 @@ func makeIngressSpec(
 rule.HTTP.Paths[0].AppendHeaders[netheader.RouteTagKey] = name
 }
 }
+
+ // if this is a private rule, and internal encryption is on, we need to stick the certs in the tls seciton
+ if visibility == netv1alpha1.IngressVisibilityClusterLocal && networkConfig.InternalEncryption {
+ for domain := range domains {
+ tls = append(tls, netv1alpha1.IngressTLS{
+ Hosts: []string{domain},
+ SecretName: "default-serving-certs",
+ SecretNamespace: "default",
+ })
+ }
+
+ }
 // If this is a public rule, we need to configure ACME challenge paths.
 if visibility == netv1alpha1.IngressVisibilityExternalIP {
 paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)
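Review bot: The added block hard-codes `SecretName: "default-serving-certs"` and `SecretNamespace: "default"`, so whenever `networkConfig.InternalEncryption` is on, every cluster-local host is bound to a single secret in the `default` namespace. Whoever can write that secret controls the certificate and key presented for internal traffic, and `default` is often writable by more principals than a system namespace; the ingress implementation would also need read access there. Both values should come from a named constant or the network config rather than literals, for example `SecretName: internalCertSecretName, SecretNamespace: internalCertSecretNamespace` (placeholder names, to be defined wherever the serving certs are provisioned). Separately, if `domains` is a string set, as the single-variable `range` suggests, the `tls` entries are appended in unstable order, which may cause spurious spec diffs on reconcile; collecting the hosts into one sorted slice would avoid that. The body of `makeIngressSpec` starts and ends outside this hunk, so whether anything later verifies that the referenced secret exists cannot be confirmed from here.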