Update net-istio to use KnativeCertificate instead of control-protocol secret (knative-extensions#1221)

* Update net-istio to use `KnativeCertificate` instead of control-protocol Secret * Delete `KnativeCertificate` in e2e tests

Author: ReToCode

.github/workflows/kind-e2e.yaml

@@ -83,6 +83,9 @@ jobs:
  # Deploy Istio
  ./third_party/istio-${{ matrix.istio-version }}/install-istio.sh istio-kind-${{ matrix.istio-profile }}
 
+ # Remove Knative Certificate as we are running without Serving CRs
+ rm -f config/700-istio-knative-certificate.yaml
+ 
  # Build and Publish our containers to the docker daemon (including test assets)
  ko resolve --platform=linux/amd64 -f test/config/ -f config/ | kubectl apply -f -
 

DEVELOPMENT.md

@@ -98,7 +98,7 @@ ko apply -f config/
 
 If you want to work with `system-internal-tls` enabled you can either:
 
-* Install `Knative Serving` to automatically generate the certificates. The CA will be injected in [700-istio-secret.yaml](./config/700-istio-secret.yaml).
+* Install `Knative Serving`, `cert-manager` and `net-certmanager` to automatically generate the certificates. The CA will be injected for the Knative Certificate in [700-istio-knative-certificate.yaml](./config/700-istio-knative-certificate.yaml).
 * Or use [./test/generate-upstream-cert.sh)](./test/generate-upstream-cert.sh) to manually generate the secrets.
 
 You can then enable `system-internal-tls` in `config-network` like in [our test resources](./test/config/system-internal-tls/config-network.yaml)

config/700-istio-secret.yaml config/700-istio-knative-certificate.yamlconfig/700-istio-secret.yaml renamed to config/700-istio-knative-certificate.yaml

@@ -12,12 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: v1
-kind: Secret
+apiVersion: networking.internal.knative.dev/v1alpha1
+kind: Certificate
 metadata:
+ annotations:
+ networking.knative.dev/certificate.class: cert-manager.certificate.networking.knative.dev
+ labels:
+ networking.knative.dev/certificate-type: system-internal
  name: routing-serving-certs
  namespace: istio-system
- labels:
- serving-certs-ctrl: "data-plane-routing"
- networking.internal.knative.dev/certificate-uid: "serving-certs"
+spec:
+ dnsNames:
+ - kn-routing
+ secretName: routing-serving-certs
 # The data is populated when system-internal-tls is enabled.

test/e2e-common.sh

@@ -69,6 +69,9 @@ function test_setup() {
 
  ${istio_dir}/install-istio.sh ${istio_profile} || return 1
 
+ # Remove Knative Certificate as we are running without Serving CRs
+ rm -f config/700-istio-knative-certificate.yaml
+
  echo ">> Bringing up net-istio Ingress Controller"
  ko apply --platform=linux/amd64 -f config/ || return 1