From e5e9ab737575cd58d800cc99caca67eda71fad59 Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Thu, 30 Nov 2023 15:27:49 +0100 Subject: [PATCH 1/2] Update net-istio to use `KnativeCertificate` instead of control-protocol Secret --- DEVELOPMENT.md | 2 +- ...et.yaml => 700-istio-knative-certificate.yaml} | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) rename config/{700-istio-secret.yaml => 700-istio-knative-certificate.yaml} (69%) diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index ba0a4183ee..dba40a8c74 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -98,7 +98,7 @@ ko apply -f config/ If you want to work with `system-internal-tls` enabled you can either: -* Install `Knative Serving` to automatically generate the certificates. The CA will be injected in [700-istio-secret.yaml](./config/700-istio-secret.yaml). +* Install `Knative Serving`, `cert-manager` and `net-certmanager` to automatically generate the certificates. The CA will be injected for the Knative Certificate in [700-istio-knative-certificate.yaml](./config/700-istio-knative-certificate.yaml). * Or use [./test/generate-upstream-cert.sh)](./test/generate-upstream-cert.sh) to manually generate the secrets. You can then enable `system-internal-tls` in `config-network` like in [our test resources](./test/config/system-internal-tls/config-network.yaml) diff --git a/config/700-istio-secret.yaml b/config/700-istio-knative-certificate.yaml similarity index 69% rename from config/700-istio-secret.yaml rename to config/700-istio-knative-certificate.yaml index 259efea991..f224e05443 100644 --- a/config/700-istio-secret.yaml +++ b/config/700-istio-knative-certificate.yaml 
@@ -12,12 +12,17 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Secret +apiVersion: networking.internal.knative.dev/v1alpha1 +kind: Certificate metadata: + annotations: + networking.knative.dev/certificate.class: cert-manager.certificate.networking.knative.dev + labels: + networking.knative.dev/certificate-type: system-internal name: routing-serving-certs namespace: istio-system - labels: - serving-certs-ctrl: "data-plane-routing" - networking.internal.knative.dev/certificate-uid: "serving-certs" +spec: + dnsNames: + - kn-routing + secretName: routing-serving-certs # The data is populated when system-internal-tls is enabled. From e04299139b66593d2402f2bffe805f92b1eb70a0 Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Thu, 30 Nov 2023 15:47:34 +0100 Subject: [PATCH 2/2] Delete `KnativeCertificate` in e2e tests --- .github/workflows/kind-e2e.yaml | 3 +++ test/e2e-common.sh | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index 8612654c24..6d4859461a 100644 --- a/.github/workflows/kind-e2e.yaml +++ b/.github/workflows/kind-e2e.yaml @@ -83,6 +83,9 @@ jobs: # Deploy Istio ./third_party/istio-${{ matrix.istio-version }}/install-istio.sh istio-kind-${{ matrix.istio-profile }} + # Remove Knative Certificate as we are running without Serving CRs + rm -f config/700-istio-knative-certificate.yaml + # Build and Publish our containers to the docker daemon (including test assets) ko resolve --platform=linux/amd64 -f test/config/ -f config/ | kubectl apply -f - diff --git a/test/e2e-common.sh b/test/e2e-common.sh index fcf227f59c..a174a2a796 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh 
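Review bot: The trailing comment `# The data is populated when system-internal-tls is enabled.` described the old Secret and is misleading at the end of a `Certificate`. This object carries no data, and the `routing-serving-certs` Secret named in `secretName` only exists once a controller for the `cert-manager.certificate.networking.knative.dev` class has reconciled it. I would replace it with something like `# The routing-serving-certs Secret is issued via net-certmanager and does not exist until this Certificate is reconciled.` The upgrade path also needs confirming: clusters that applied the old manifest already hold a Secret of that name with the control-protocol labels, and nothing visible here shows whether it is adopted, overwritten or left holding a stale key pair.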
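Review bot: Deleting `config/700-istio-knative-certificate.yaml` before `ko resolve ... -f config/` means this job never applies or schema-checks the Certificate manifest introduced in patch 1/2, so a typo in its annotation or label keys would ship unnoticed. The same `rm -f` is added to `test_setup` in test/e2e-common.sh. The comment says "Serving CRs", but what the apply step lacks is presumably the `Certificate` CRD (`networking.internal.knative.dev/v1alpha1`); stating that makes it clear when the workaround can be dropped. Suggested comment: `# The Certificate CRD comes with Knative Serving, which this job does not deploy; skip the manifest so kubectl apply does not fail on an unknown kind.`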
@@ -69,6 +69,9 @@ function test_setup() { ${istio_dir}/install-istio.sh ${istio_profile} || return 1 + # Remove Knative Certificate as we are running without Serving CRs + rm -f config/700-istio-knative-certificate.yaml + echo ">> Bringing up net-istio Ingress Controller" ko apply --platform=linux/amd64 -f config/ || return 1
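Review bot: `rm -f config/700-istio-knative-certificate.yaml` in `test_setup` deletes a tracked file from whatever checkout the script runs in, and the path is resolved against the current directory rather than the repository root. On a developer machine this leaves a dirty tree in which the manifest's deletion is easy to commit by accident. Leaving the file out of the set passed to `ko apply` (for example by applying from a scratch copy of `config/`) would avoid touching the source tree. Failing that, the comment should say so, e.g. `# NOTE: deletes a tracked file; restore with 'git checkout -- config/700-istio-knative-certificate.yaml' after a local run.` `test_setup` begins before and continues past this hunk, so any later step that re-reads `config/` is not visible here.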