From f182a5e5b402dd8c9f42f74ec020eece401f3d67 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Mon, 30 Jan 2023 10:29:08 -0500
Subject: [PATCH] wip: set internal certs on clusterlocal domains when internal encryption enabled

---
 pkg/reconciler/route/resources/ingress.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go
index 5046b486120d..b4a0cd66b40b 100644
--- a/pkg/reconciler/route/resources/ingress.go
+++ b/pkg/reconciler/route/resources/ingress.go
@@ -29,10 +29,12 @@ import (
 	"knative.dev/networking/pkg/apis/networking"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
+	netcfg "knative.dev/networking/pkg/config"
 	netheader "knative.dev/networking/pkg/http/header"
 	ingress "knative.dev/networking/pkg/ingress"
 	"knative.dev/pkg/kmeta"
 	"knative.dev/pkg/logging"
+	"knative.dev/pkg/system"
 	"knative.dev/serving/pkg/activator"
 	apicfg "knative.dev/serving/pkg/apis/config"
 	"knative.dev/serving/pkg/apis/serving"
@@ -183,6 +185,18 @@ func makeIngressSpec(
 			rule.HTTP.Paths[0].AppendHeaders[netheader.RouteTagKey] = name
 		}
 	}
+
+	// if this is a private rule, and internal encryption is on, we need to stick the certs in the tls seciton
+	if visibility == netv1alpha1.IngressVisibilityClusterLocal && networkConfig.InternalEncryption {
+		for domain := range domains {
+			tls = append(tls, netv1alpha1.IngressTLS{
+				Hosts: []string{domain},
+				SecretName: netcfg.ServingInternalCertName,
+				SecretNamespace: system.Namespace(),
+			})
+		}
+
+	}
 	// If this is a public rule, we need to configure ACME challenge paths.
 	if visibility == netv1alpha1.IngressVisibilityExternalIP {
 		paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)
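Review bot: The new cluster-local block in the second hunk ranges over `domains` (a string-keyed map, given `[]string{domain}` compiles) and appends one IngressTLS per key, so the order of the generated `tls` entries changes from one reconcile to the next; collecting the keys, sorting them, and then appending keeps the Ingress spec stable and avoids needless updates of the object (this needs `sort` in the stdlib import group, which is outside the hunk). Two smaller points on the same lines: the comment reads "tls seciton" and should start as a sentence like the ACME comment below it, e.g. `// If this is a private rule and internal encryption is on, the cluster-local hosts also need the internal cert in the TLS section.`, and the blank line before the closing brace of the `if` is stray. It may also be worth a short comment on why the secret lives in `system.Namespace()` rather than the route's namespace, since a cross-namespace secret reference is not obvious to a reader of this function. makeIngressSpec begins and ends outside the hunk.
```go
	// If this is a private rule and internal encryption is on, the cluster-local
	// hosts also need the internal cert in the TLS section.
	if visibility == netv1alpha1.IngressVisibilityClusterLocal && networkConfig.InternalEncryption {
		hosts := make([]string, 0, len(domains))
		for domain := range domains {
			hosts = append(hosts, domain)
		}
		sort.Strings(hosts) // map order is random; keep the generated spec stable
		for _, host := range hosts {
			tls = append(tls, netv1alpha1.IngressTLS{
				Hosts:           []string{host},
				SecretName:      netcfg.ServingInternalCertName,
				SecretNamespace: system.Namespace(),
			})
		}
	}
	// … unchanged: ACME challenge paths for external rules …
```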