Feature flag to enable/disable secure https access to Services

[zhanggbj]

Serving: https access to Services

/area API
/area networking

Describe the feature

By default, Knative Service will be deployed and accessed by http. However, in production, users usually need to access them by secure https. Fow now, Knative support to enable https connection but with some manual steps (https://knative.dev/development/serving/using-a-tls-cert). I'm thinking if we can add API about a feature flag to enable/disable secure https access to Services. Thanks!

The feature flag API is not only for this feature, it can manage all of features, for example we can list all features and their status, also enable/disable a feature. So that developer can easily manage the features

BTW, for cloud foundry developer experience, they provide such feature flags, take CLI just as an example! Thanks!

$ cf feature-flags

Features                                      State
user_org_creation                             disabled
private_domain_creation                       enabled
app_bits_upload                               enabled
app_scaling                                   enabled
route_creation                                enabled
service_instance_creation                     enabled
diego_docker                                  disabled
set_roles_by_username                         enabled
unset_roles_by_username                       enabled
task_creation                                 enabled
env_var_visibility                            enabled
space_scoped_private_broker_creation          enabled
space_developer_env_var_visibility            enabled
service_instance_sharing                      disabled
hide_marketplace_from_unauthenticated_users   disabled

[markusthoemmes]

Have you seen AutoTLS support in https://knative.dev/development/serving/using-auto-tls/? Is something missing from that experience to solve your use-case?

[zhanggbj]

Hi @markusthoemmes ,

Yes, I have read that and I can config it manually, I'm thinking if it is possible to config it with one step or one cli, and I think it needs more support from Server API side, e.g., I have got my certs and I just want to enable the secure https with a CLI like below, instead of updating the yaml files in the doc. What do you think? Thanks!

kn service enable-feature-flag https-connection --key cert.pk --cert cert.pem

[vagababov]

1. It seems what you want is covered with configmaps
2. It also seems that what you propose lies in the cli/operator domain than the core serving. Considering that 0-touch implementations of autotls are platform specific, most likely - it even more hints that it should be outside of core serving m

[knative-housekeeping-robot]

Issues go stale after 90 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now please do so by adding the comment /close.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/lifecycle stale

[knative-housekeeping-robot]

Stale issues rot after 30 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.
Rotten issues close after an additional 30 days of inactivity.
If this issue is safe to close now please do so by adding the comment /close.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/lifecycle rotten

[knative-housekeeping-robot]

Rotten issues close after 30 days of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/close

[knative-prow-robot]

@knative-housekeeping-robot: Closing this issue.

In response to this:

Rotten issues close after 30 days of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[zhanggbj]

@markusthoemmes @vagababov
Thank you for the great suggestions. I just came back to update that I've contributed kn admin as a pure CLI implementation to manage Serving related configuration and features etc.
If there's any more use case, welcome to add it in the Proposal doc. Thanks!

• Repo https://github.com/knative/client-contrib/tree/master/plugins/admin
• Proposal (Collecting more feedbacks) https://docs.google.com/document/d/1oD5P4WQZs39GIr_4ezcURgRCuUx8dXrcCi3N7GKmp5c/edit#
• Use Case collecting: "kn-admin" use case collection [discussion] client-contrib#18