Improve TLS conditions on route reconciliation

Open ReToCode opened this issue 1 year ago • 3 comments

Currently the TLS conditions are a bit tricky. We re-use the same condition to reflect the status of external-domain-tls and cluster-local-domain-tls. The first one also needs considering if an external route actually exists. The proposal now is to:

Maybe it would be a good idea to introduce another condition to separate cluster-local from external-domain certificates? It's a bit hard to follow that the condition is influenced by two feature flags and if there is actually a route (e.g. external-domain-tls enabled but no external routes and cluster-local-domain-tls disabled). We could even have better messages like

  • external-domain-tls: feature is disabled
  • external-domain-tls: no certificate required, no external domains found

Original discussion see: https://github.com/knative/serving/pull/15234#issuecomment-2126343951

ReToCode avatar May 23 '24 13:05 ReToCode

@dprotaso @ReToCode can I work on this issue?

0xV0YD avatar Jun 02 '25 04:06 0xV0YD

@V0YD23 sure - can you write something up before you do any implementation

dprotaso avatar Jun 10 '25 15:06 dprotaso

@V0YD23 sure - can you write something up before you do any implementation

Sure @dprotaso, will share the approach with you.

0xV0YD avatar Jun 12 '25 06:06 0xV0YD