[wip] Fix DomainMappings when InternalEncryption is enabled #13660

Closed

Conversation

KauzClay
Contributor

Fixes #13659

Proposed Changes

  • Change lb redirect service to use 443 when internal encryption is enabled
  • ClusterLocal domains use internal encryption certs

Release Note


@knative-prow knative-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/API API objects and controllers labels Jan 30, 2023

knative-prow bot commented Jan 30, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: KauzClay
Once this PR has been reviewed and has the lgtm label, please assign tcnghia for approval by writing /assign @tcnghia in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


codecov bot commented Jan 30, 2023

Codecov Report

Base: 86.22% // Head: 86.17% // Decreases project coverage by -0.05% ⚠️

Coverage data is based on head (676295d) compared to base (06add5f).
Patch coverage: 77.19% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13660      +/-   ##
==========================================
- Coverage   86.22%   86.17%   -0.05%     
==========================================
  Files         197      197              
  Lines       14783    14824      +41     
==========================================
+ Hits        12746    12775      +29     
- Misses       1735     1746      +11     
- Partials      302      303       +1     
Impacted Files Coverage Δ
pkg/reconciler/route/resources/service.go 84.39% <61.76%> (-8.17%) ⬇️
pkg/reconciler/domainmapping/reconciler.go 93.77% <100.00%> (+0.09%) ⬆️
pkg/reconciler/domainmapping/resources/ingress.go 100.00% <100.00%> (ø)
pkg/reconciler/route/resources/ingress.go 95.16% <100.00%> (+0.16%) ⬆️
pkg/autoscaler/scaling/multiscaler.go 87.24% <0.00%> (-1.35%) ⬇️
pkg/reconciler/configuration/configuration.go 84.36% <0.00%> (+1.42%) ⬆️


@KauzClay KauzClay force-pushed the ck-internal-encryption-domain-mapping branch from 0af4f35 to 676295d Compare January 30, 2023 21:50
Contributor Author

KauzClay commented Jan 31, 2023

Seems like this change will break net-kourier. I think net-kourier assumes that if the kingress has a spec.TLS section, then it will always be for the external domain. So when it doesn't exist for the external name, the ksvcs never go ready because it is trying to probe for the external domain on https.

I'm trying to hack at something here which I think addresses that: knative-extensions/net-kourier@main...KauzClay:net-kourier:ck-hack-internal-tls-domains

In a simple happy path on my dev cluster, this change seems to work.

I don't know how to build a new net-kourier release with my changes to try out in this MR though.

EDIT: domain mappings + internal encryption don't work with kourier with the linked changes. Probably because this PR is basically doing TLS for internal routes, and enabling that for kourier seems rather involved.

@KauzClay KauzClay closed this Feb 1, 2023
Contributor Author

KauzClay commented Feb 1, 2023

Closed because this quickly became a bigger undertaking than I expected.

Labels
area/API API objects and controllers area/networking do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Successfully merging this pull request may close these issues.

Enabling Internal Encryption breaks DomainMappings when using Contour