Update net-istio to use KnativeCertificate instead of control-proto…

…col secret (#1221) * Update net-istio to use `KnativeCertificate` instead of control-protocol Secret * Delete `KnativeCertificate` in e2e tests
knative-extensions · Dec 4, 2023 · e6e6cb7 · e6e6cb7
1 parent b3007f4
commit e6e6cb7
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 6 deletions.
diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml
@@ -83,6 +83,9 @@ jobs:
         # Deploy Istio
         ./third_party/istio-${{ matrix.istio-version }}/install-istio.sh istio-kind-${{ matrix.istio-profile }}
 
+        # Remove Knative Certificate as we are running without Serving CRs
+        rm -f config/700-istio-knative-certificate.yaml
+  
         # Build and Publish our containers to the docker daemon (including test assets)
         ko resolve --platform=linux/amd64 -f test/config/ -f config/ | kubectl apply -f -
 

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -98,7 +98,7 @@ ko apply -f config/
 
 If you want to work with `system-internal-tls` enabled you can either:
 
-* Install `Knative Serving` to automatically generate the certificates. The CA will be injected in [700-istio-secret.yaml](./config/700-istio-secret.yaml).
+* Install `Knative Serving`, `cert-manager` and `net-certmanager` to automatically generate the certificates. The CA will be injected for the Knative Certificate in [700-istio-knative-certificate.yaml](./config/700-istio-knative-certificate.yaml).
 * Or use [./test/generate-upstream-cert.sh)](./test/generate-upstream-cert.sh) to manually generate the secrets.
 
 You can then enable `system-internal-tls` in `config-network` like in [our test resources](./test/config/system-internal-tls/config-network.yaml)

diff --git a/config/700-istio-secret.yaml → config/700-istio-knative-certificate.yaml b/config/700-istio-secret.yaml → config/700-istio-knative-certificate.yaml
@@ -12,12 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: v1
-kind: Secret
+apiVersion: networking.internal.knative.dev/v1alpha1
+kind: Certificate
 metadata:
+  annotations:
+    networking.knative.dev/certificate.class: cert-manager.certificate.networking.knative.dev
+  labels:
+    networking.knative.dev/certificate-type: system-internal
   name: routing-serving-certs
   namespace: istio-system
-  labels:
-    serving-certs-ctrl: "data-plane-routing"
-    networking.internal.knative.dev/certificate-uid: "serving-certs"
+spec:
+  dnsNames:
+    - kn-routing
+  secretName: routing-serving-certs
 # The data is populated when system-internal-tls is enabled.
diff --git a/test/e2e-common.sh b/test/e2e-common.sh
@@ -69,6 +69,9 @@ function test_setup() {
 
   ${istio_dir}/install-istio.sh ${istio_profile} || return 1
 
+  # Remove Knative Certificate as we are running without Serving CRs
+  rm -f config/700-istio-knative-certificate.yaml
+
   echo ">> Bringing up net-istio Ingress Controller"
   ko apply --platform=linux/amd64 -f config/ || return 1