  • #56467
Closed (moved)
Issue created Jan 17, 2019 by Dylan Griffith (@DylanGriffith, Maintainer)

SSL for Knative services

Make Cert Manager work with Knative services

Problem to solve

It's a tonne of manual difficult steps for Knative users to get SSL certificates for their services even if they have installed Cert Manager (see https://github.com/knative/docs/blob/master/serving/using-cert-manager-on-gcp.md). I think we should be able to make this simpler (perhaps by doing these steps from GitLab itself when you install the 2 apps).

Target audience

Operators, Developers

Further details

Configuring HTTPS with a custom certificate

Proposal

Since the Knative project is still working on Domain & Cert automation, our MVC can simply be to allow the user to upload the certificate pair (private/public) for their Knative service and follow the steps outlined here: Configuring HTTPS with a custom certificate.

Original proposal

When a user has installed both Cert Manager and Knative they will automatically get SSL certs for their deployed (much like we do for Auto DevOps now). The technical challenge we'll need to solve is setting everything up correctly from GitLab's backend.

One risk we run here is that a bunch of the APIs we need to interact with to set this stuff up are all in Alpha stage right now so there is a good chance this could break at some point in the future. We should decouple any failures that occur from Cert Manager installation since we don't want to break Cert Manager for all our users just because Knative or Istio change something underneath us.

This will also be a necessary prerequisite for https://gitlab.com/gitlab-org/gitlab-ce/issues/56438 otherwise we are losing features by switching to Knative.

What does success look like, and how can we measure that?

Links / references

Enabling HTTPS on Knative https://cloud.google.com/run/docs/gke/enabling-cluster-https

Note: We do something similar for GitLab Pages so we should take note of any lessons we've learned from this (particularly regarding possible security problems).

Edited Apr 28, 2019 by Dylan Griffith