Update certificates and SANs used in Serving

[ReToCode]

Proposed Changes

• Includes use new encryption flags from https://github.com/knative/networking/pull/858 #14379
• Includes [Automated] Update net-kourier nightly #14469
• Includes [main] Upgrade to latest dependencies #14467
• Updates the certificates and SANs used in Serving (Activator and QP certs)

Release Note

Renames the flags that control encryption
- `auto-tls` is now named `external-domain-tls`
- `internal-encryption` is now named `system-internal-tls`
- `cluster-local-domain-tls` is introduced as a new alpha state flag to control TLS certificates for cluster-local domains

Docs
PRs for docs will follow separately in #14368

[codecov]

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (4c3aaee) 86.08% compared to head (90aa5b3) 86.06%.
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14472      +/-   ##
==========================================
- Coverage   86.08%   86.06%   -0.03%     
==========================================
  Files         196      196              
  Lines       14880    14880              
==========================================
- Hits        12810    12807       -3     
- Misses       1759     1761       +2     
- Partials      311      312       +1     

Files	Coverage Δ
pkg/reconciler/autoscaling/kpa/kpa.go	95.26% <100.00%> (ø)
pkg/reconciler/route/resources/ingress.go	94.80% <100.00%> (ø)
pkg/reconciler/revision/reconcile_resources.go	67.33% <0.00%> (ø)
pkg/reconciler/revision/resources/deploy.go	90.13% <0.00%> (ø)
pkg/reconciler/revision/revision.go	92.13% <0.00%> (ø)
cmd/activator/main.go	0.00% <0.00%> (ø)
pkg/activator/certificate/cache.go	41.81% <0.00%> (ø)

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ReToCode]

@dprotaso any idea what that could be? Checksums in config-networking seem fine and the code clearly does not patch the _example stuff:

• kubectl patch cm config-network -n 0af4ed85-a6ca-4c44-b88c-f692d760a858 -p '{"data":{"system-internal-tls":"Enabled"}}'
  Error from server (BadRequest): admission webhook "config.webhook.serving.knative.dev" denied the request: validation failed: the update modifies a key in "_example" which is probably not what you want. Instead, copy the respective setting to the top-level of the ConfigMap, directly below "data"
  Setting feature system-internal-tls to Enabled

[nak3]

any idea what that could be? Checksums in config-networking seem fine and the code clearly does not patch the _example stuff:

It seems that it was caused by this override https://github.com/knative/serving/blob/main/test/config/ytt/core/overlay-cluster-local-override.yaml

It replaces all of cluster.local with a custom domain (like c6401203910.local). So the following comment line is replaced and the checksums makes mismatch.

https://github.com/knative/networking/blob/97dab159e1855d6165151ca66c16f69f7091d375/config/config-network.yaml#L129

[ReToCode]

Aww, makes sense. Nice find @nak3! Here a PR to fix this: knative/networking#872.

[ReToCode]

/test upgrade-tests

[ReToCode]

🎉

/assign @nak3
/assign @KauzClay
/assign @dprotaso

[KauzClay]

looks good to me, but I can hold for others

/lgtm
/hold

[skonto]

Do we need to have release notes, do we break anything wrt flags supported etc?

[skonto]

/approve

@ReToCode Just one comment above. Seems most work is refactoring for experimental flags.

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ReToCode, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [skonto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nak3]

/hold cancel

[nak3]

Sorry I missed Stavros's comment but Release Notes can be updated after the merge.

[ReToCode]

I added them above. I hope they are still picked up?

[nak3]

Yes, the release note should be picked up when new release is created (more precisely, that is done when we generated the release note by github action).