Do not require mTLS for serverless proxy
Description
We are currently configuring an mTLS connection for the Istio ingress for Knative apps deployed as GitLab managed apps from gitlab-rails.
We initially chose mTLS for a few reasons:
- It can be used with self-signed certificates
- It verifies the identity not only of the server but also of the client
Problem
It appears that, of all the Kubernetes ingresses available in the wild, only Istio supports mTLS authentication. This is not optimal because people can deploy their Knative installations using Gloo or other ingresses that do not support mTLS.
Proposal
Investigate the possibility of using regular TLS to encrypt the connection between GitLab Pages and the Knative cluster.
We should be able to support self-signed certificates by adding the server certificate to the CA cert pool on the client side.
This should make this feature useful for every ingress, not only for Istio, which might be interesting for @danielgruesso too.
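
A sketch of the client-side trust setup proposed above, as an added Go example that is not GitLab Pages code: the client trusts only the supplied server certificate and presents no client certificate. The names `clientTrusting`, `probe` and `demo` are hypothetical, and an `httptest` server stands in for the Knative ingress.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientTrusting returns an HTTP client whose only trust anchor is the given
// PEM server certificate. No client certificate is set: regular TLS, not mTLS.
func clientTrusting(serverCertPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool() // starts empty, so system CAs are not trusted
	if !pool.AppendCertsFromPEM(serverCertPEM) {
		return nil, errors.New("no certificate found in PEM input")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe sends one GET and returns the status code or the handshake error.
func probe(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo probes a local TLS server (constructed stand-in for the ingress).
func demo() (defaultErr error, status int, pinnedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	defer srv.Close()
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	_, defaultErr = probe(&http.Client{}, srv.URL) // default roots: must fail
	pinned, err := clientTrusting(certPEM)
	if err != nil {
		return defaultErr, 0, err
	}
	status, pinnedErr = probe(pinned, srv.URL) // pinned cert: must succeed
	return defaultErr, status, pinnedErr
}

func main() { fmt.Println(demo()) }
```

With this setup only the server is authenticated, so the client identity check that mTLS provided is no longer performed at the TLS layer.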