Update to aligned networking flags

.github/workflows/kind-e2e.yaml

@@ -31,6 +31,10 @@ jobs:
         istio-version:
         - latest
 
+        system-internal-tls:
+          - disabled
+          - enabled
+
         istio-profile:
         - no-mesh
         - ambient
@@ -90,6 +94,21 @@ jobs:
 
         echo "GATEWAY_NAMESPACE_OVERRIDE=istio-system" >> $GITHUB_ENV
 
+    - name: Generate certificates and enable system-internal-tls
+      if: matrix.system-internal-tls == 'enabled'
+      run: |
+        set -o pipefail
+        
+        echo ">> Deploy certificate for upstream traffic"
+        ./test/generate-upstream-cert.sh
+        
+        echo ">> Setting environment variables for upstream tls"
+        echo "UPSTREAM_TLS_CERT=serving-certs" >> $GITHUB_ENV
+        echo "SERVER_NAME=kn-user-serving-tests" >> $GITHUB_ENV
+        
+        echo ">> Enabling system-internal-tls in config-network"
+        ko resolve -f test/config/system-internal-tls | kubectl apply -f - 
+
     - name: Upload Test Images
       run: |
         # Build and Publish our test images to the docker daemon.
@@ -118,12 +137,6 @@ jobs:
            --ingressendpoint="${IPS[0]}" \
            --ingressClass=istio.ingress.networking.knative.dev \
            --cluster-suffix=$CLUSTER_SUFFIX
-        
-        echo "# DEBUG"
-        env
-        kubectl get cm -A -o yaml
-        kubectl get king -A -o yaml
-        echo "# DEBUG"
 
     - name: Post failure notice to Slack
       uses: rtCamp/action-slack-notify@v2.1.0

DEVELOPMENT.md

@@ -94,17 +94,17 @@ Run the following command to install net-istio components
 ko apply -f config/
 ```
 
-### Internal Encryption (optional)
+### System Internal TLS (optional)
 
-If you want to work with `internal-encryption` enabled you can either:
+If you want to work with `system-internal-tls` enabled you can either:
 
 * Install `Knative Serving` to automatically generate the certificates. The CA will be injected in [700-istio-secret.yaml](./config/700-istio-secret.yaml).
 * Or use [./test/generate-upstream-cert.sh)](./test/generate-upstream-cert.sh) to manually generate the secrets.
 
-You can then enable `internal-encryption` in `config-network` like in [our test resources](./test/config/internal-encryption/config-network.yaml)
+You can then enable `system-internal-tls` in `config-network` like in [our test resources](./test/config/system-internal-tls/config-network.yaml)
 and specify the following environment variables before you run the e2e/conformance tests:
 
 ```bash
-export UPSTREAM_TLS_CERT=server-certs
-export SERVER_NAME=data-plane.knative.dev
+export UPSTREAM_TLS_CERT=serving-certs
+export SERVER_NAME=kn-user-serving-tests
 ```

config/700-istio-secret.yaml

@@ -15,9 +15,9 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: knative-serving-certs
+  name: routing-serving-certs
   namespace: istio-system
   labels:
-    serving-certs-ctrl: "data-plane"
+    serving-certs-ctrl: "data-plane-routing"
     networking.internal.knative.dev/certificate-uid: "serving-certs"
-# The data is populated when internal-encryption is enabled.
+# The data is populated when system-internal-tls is enabled.

pkg/reconciler/ingress/ingress.go

@@ -189,8 +189,8 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
 	}
 	gatewayNames[v1alpha1.IngressVisibilityExternalIP].Insert(resources.GetQualifiedGatewayNames(ingressGateways)...)
 
-	if config.FromContext(ctx).Network.InternalEncryption {
-		logger.Info("Creating/Updating DestinationRules for internal-encryption")
+	if config.FromContext(ctx).Network.SystemInternalTLSEnabled() {
+		logger.Info("Creating/Updating DestinationRules for system-internal-tls")
 		if err := r.reconcileDestinationRules(ctx, ing); err != nil {
 			return err
 		}