Add support for system-internal-tls in net-istio

[ReToCode]

Changes

• Adds support for system-internal-tls in net-istio
• Adds a build matrix for conformance and e2e tests with upstream TLS enabled
• Verified on Serving: Test istio with system-internal-tls enabled knative/serving#14494

Things to discuss

1. config/700-istio-secret.yaml is necessary because the CA secrets needs to be in istio-system namespace for istio to pick it up. It's currently the only way to get the CA there. This is why https://docs.google.com/document/d/1YdcdBVg_zpT4WSNRsWlihut5JuLddOTIggFvLni3A28/edit?disco=AAAAtaDADjo proposes to add the CA to KIngress
2. Handling of DomainMappings is a bit hacky. It is adapted based on net-kourier. If we do Provide HTTPS for cluster.local domains knative/serving#13472 this handling can be dropped (here and in net-kourier and net-contour)
3. Handling/detection of http2 is currently based on service naming, which is not ideal. Thus https://docs.google.com/document/d/1YdcdBVg_zpT4WSNRsWlihut5JuLddOTIggFvLni3A28/edit?disco=AAAAtaDADjo also proposes to add the upstream protocol to the KIngress resource to avoid this in the future.

Release Note
No release notes yet, as this is still an internal/alpha feature.

Docs
No docs yet, as this still an internal/alpha feature.

/kind enhancement
Fixes #1063

[ReToCode]

/assign @nak3, @skonto, @evankanderson for review

/cc @dprotaso, @KauzClay for inputs/opinions on the discussion points (and - of course - also review if you'd like)

[ReToCode]

/hold I'm going to look into the test failures.

[evankanderson]

I like the suggestion to do https://github.com/knative/serving/issue/13472, particularly since we've seen it show up three times and within-cluster TLS is not an unreasonable desire.

(Non-blocking, will review the rest soon.)

[evankanderson]

One other thought: with websockets being defined for http2, I wonder whether we should simply run http2 to the queue-proxy and do the down-conversion there.

Downside: we may get scale-from-zero wakeups for requests the app won't actually be able to handle.

Upside: people can stop needing to worry about naming their port.

[evankanderson]

Initial review; this was less painful than I anticipated.

[ReToCode]

I like the suggestion to do https://github.com/knative/serving/issue/13472, particularly since we've seen it show up three times and within-cluster TLS is not an unreasonable desire.

I synced with @KauzClay. Well come up with some GH-issues to track tasks out of the Findings document shortly to start working on that. But we'd need to agree on the contract and KIngress changes first.

One other thought: with websockets being defined for http2, I wonder whether we should simply run http2 to the queue-proxy and do the down-conversion there.

I think it would be worth to look into this. Should we track/discuss this in a new issue?

Initial review; this was less painful than I anticipated.

That's a hopefully a good thing? ;)

[ReToCode]

/test integration-tests

/test latest-mesh

[nak3]

I guess we should add the same #114 for DestinationRules in cmd/controller/main.go?

[ReToCode]

I guess we should add the same #114 for DestinationRules in cmd/controller/main.go?

@nak3 any idea why we are configuring v1beta1 here but are using v1alpha3 everywhere else?

[nak3]

I don't know the reason. As far as I researched the commit history (you might already know but...)

• Move from Istio API v1alpha3 to v1beta1. #147 bumped to v1beta1
• Rollback #147 #203 reverted to v1alpha3 but missed cmd/controller/main.go (not sure if it is accident or intention though)

The revert is waiting for knative/serving#8896 but knative/serving#8896 should be fixed most probably so we should bump the API to v1beta1. I opened #1087

[ReToCode]

/test latest-mesh

[ReToCode]

/unhold

[nak3]

Overall looks good to me.

With said, Istio has a large variety of network configuration so I am worried that adding a non-edge network feature conflicts with their features 😥 For example, does this internal-encryption in net-istio assume that there is no sidecar at all? Or it can work with the partial mesh (moreover using PERMISSIVE mode but it means HTTPS over mTLS)?...etc
This is still alpha feature so we can move forward, though.

[nak3]

@evankanderson Would you like to have another review?

[ReToCode]

For example, does this internal-encryption in net-istio assume that there is no sidecar at all?

My personal take would be, if you use service-mesh, you do not need the Knative internal-encryption feature. I also would not invest in making this compatible with istios internal mesh certificates.

[codecov]

Codecov Report

Merging #1085 (28dd4c5) into main (a271e0b) will increase coverage by 0.24%.
Report is 5 commits behind head on main.
The diff coverage is 87.35%.

@@            Coverage Diff             @@
##             main    #1085      +/-   ##
==========================================
+ Coverage   81.42%   81.66%   +0.24%     
==========================================
  Files          18       19       +1     
  Lines        1599     1680      +81     
==========================================
+ Hits         1302     1372      +70     
- Misses        213      220       +7     
- Partials       84       88       +4     

Files	Coverage Δ
pkg/reconciler/ingress/controller.go	92.30% <100.00%> (+0.48%)	⬆️
...kg/reconciler/ingress/resources/destinationrule.go	100.00% <100.00%> (ø)
pkg/reconciler/ingress/ingress.go	69.49% <69.44%> (-0.01%)	⬇️

[ReToCode]

/test latest-mesh

[ReToCode]

Rebased and istio version bumped.

@evankanderson any thoughts about #1085 (comment) and #1085 (comment)? For the latter, what is the plan to move/migrate stuff from control-protocol to networking? Can we maybe start with migrating the constants instead of adding another dependency on control-protocol?

[github-actions]

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Reopen with /reopen. Mark as fresh by adding the
comment /remove-lifecycle stale.

[ReToCode]

/remove-lifecycle stale

[ReToCode]

/test latest

[ReToCode]

/retest

[nak3]

/lgtm
/approve
/hold please feel free to unhold if there is no other reviewers.

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3, ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ReToCode,nak3]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ReToCode]

@dprotaso do you want to take a look as well?

[ReToCode]

/unhold