Align the encryption flags

[ReToCode]

Changes

• Align the encryption flags according to Align flag naming according to the discussion serving#14368
• Adds reverse compatibility for existing flags
• Drop dataplane-trust and controlplane-trust

I'd argue that its ok to drop the dataplane-& controlplane-trust flags, as they are clearly marked as ALPHA. IMHO, Introducing backward compatibility for those would make it really unread and unmaintainable. Also we have not implemented this feature and various values of those, so it's basically not possible to be reverse compatible.

/kind cleanup

Partially fixes knative/serving#14368

Release Note

Renames the flags that control encryption
- `auto-tls` is now named `external-domain-tls`
- `internal-encryption` is now named `system-internal-tls`
- `cluster-local-domain-tls` is introduced as a new alpha state flag to control TLS certificates for cluster-local domains

Docs
PRs for docs will follow separately in knative/serving#14368

[ReToCode]

/assign @dprotaso
/assign @KauzClay
/assign @nak3

[codecov]

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (50368a7) 82.26% compared to head (0ad79f2) 82.30%.
Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #858      +/-   ##
==========================================
+ Coverage   82.26%   82.30%   +0.03%     
==========================================
  Files          45       45              
  Lines        1720     1729       +9     
==========================================
+ Hits         1415     1423       +8     
+ Misses        264      263       -1     
- Partials       41       43       +2     

Files	Coverage Δ
pkg/apis/networking/metadata_validation.go	100.00% <ø> (ø)
pkg/apis/networking/register.go	0.00% <0.00%> (ø)
pkg/config/config.go	83.09% <86.84%> (+3.29%)	⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ReToCode]

About the expected CI errors:

I see the following options

• Keep the dropped flags here (without handling the compatibility stuff), rework all repos, then drop them here in a new PR
• YOLO - ignore it for now, fix it after follup-PRs on Serving + net-contour are through

We'd need to do both approaches our configuration would be broken for a short time period. And we'd need to do the fixes in a short time period and before the release.

Opinions?

[KauzClay]

I think I could go for

ignore it for now, fix it after follup-PRs on Serving + net-contour are through

I can get some quick PRs for serving and net-contour to use your new stuff ready. That way it can get into a passing state. And then we can move on to do the proper support of everything?

• use new encryption flags from https://github.com/knative/networking/pull/858 serving#14379
• use new encryption flags from https://github.com/knative/networking/pull/858 knative-extensions/net-contour#958

[nak3]

I'd argue that its ok to drop the dataplane-& controlplane-trust flags, as they are clearly marked as ALPHA. IMHO, Introducing backward compatibility for those would make it really unread and unmaintainable. Also we have not implemented this feature and various values of those, so it's basically not possible to be reverse compatible.

I would like to get approval from TOC just in case. Otherwise LGTM.

[ReToCode]

@knative/technical-oversight-committee @dprotaso Could you please take a look: #858 (comment)

[dprotaso]

I would like to get approval from TOC just in case.

TOC wouldn't make this call - just leads/approvers of the WG. It's an alpha feature so I don't think we should worry about the renaming.

[dprotaso]

Circling back on this name I wonder if we should call this

Suggested change

	KnativeInternalTLSKey = "knative-internal-tls"
	InternalComponentTLSKey = "internal-component-tls"

Otherwise having knative in the key name seems unnecessary since the operator knows we're configuring something about knative and internal alone isn't specific enough

[ReToCode]

Hm I get the knative part, but I'm not super convinced with the component part (it seems a bit generic, which components?). Maybe something like this?

• internal-communication-tls
• system-internal-tls

[KauzClay]

I think I like system-internal-tls

internal-communication-tls still feels like it bleeds into cluster-local-domain-tls or whatever we're calling that one.

[dprotaso]

Cool let's use system-internal-tls

[ReToCode]

Great, updated it to system-internal-tls.
@KauzClay mind updating your two WIP PRs before we merge this here?

[dprotaso]

/lgtm
/approve
/hold

@ReToCode will let you unhold

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ReToCode]

/unhold

@dprotaso can you override the failed checks?

[dprotaso]

/override "Unit Test (knative/serving)"
/override "Unit Test (knative-extensions/net-contour)"

[knative-prow]

@dprotaso: Overrode contexts on behalf of dprotaso: Unit Test (knative-extensions/net-contour), Unit Test (knative/serving)

In response to this:

/override "Unit Test (knative/serving)"
/override "Unit Test (knative-extensions/net-contour)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dprotaso]

/override "style / Golang / Lint"

[knative-prow]

@dprotaso: Overrode contexts on behalf of dprotaso: style / Golang / Lint

In response to this:

/override "style / Golang / Lint"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.