Configure mTLS certs when someone uses a serverless domain
We decided to split these issues into a few smaller ones.
This issue is about making it possible to use a predefined serverless domain with a Knative cluster.
Whenever someone decides to use a predefined serverless domain, we should generate the certificates needed to perform the mTLS handshake, deploy them to a Knative cluster, and configure the ingress gateway to use them to perform mutual TLS authentication.
This should be hidden behind a feature flag until we resolve all the work that needs to be done to support this in GitLab Pages.
- UI to select one pre-defined domain from instance, group, or project level for a Knative installation instead of entering a custom Knative domain (needs to be clearly defined which is which, since we will configure mTLS for pre-defined domains, and use passthrough for custom domains)
- Determine whether a pre-defined domain has been selected or a custom domain has been entered
If a pre-defined domain from the instance, group, or project level has been selected, we should use a background job to:
- Generate certificates (find out if OpenSSL is available or needs to be added)
- Determine where to persist certificates so that Pages can access them
- Deploy certificates to Knative cluster
- Configure Istio ingress gateway to use certificates to perform mutual TLS authentication
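
A sketch of the background-job steps above using Ruby's bundled OpenSSL library, added here as an illustration and not taken from GitLab's code base. It assumes GitLab Pages is the TLS client and the Istio ingress gateway is the server; the helper names, the `istio-system` namespace, the `serverless-mtls` Gateway name and the secret name passed in are hypothetical.

```ruby
require 'openssl'

# Issue one certificate; self-signed (acting as the CA) when no issuer is given.
def issue_cert(cn, issuer: nil, eku: nil, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 90 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  exts = if issuer
           [['basicConstraints', 'CA:FALSE', true], ['keyUsage', 'digitalSignature,keyEncipherment', true]]
         else
           [['basicConstraints', 'CA:TRUE', true], ['keyUsage', 'keyCertSign,cRLSign', true]]
         end
  exts << ['extendedKeyUsage', eku, false] if eku
  exts << ['subjectAltName', san, false] if san
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Chain check restricted to one purpose, the way a TLS peer validates the other side.
def valid_for?(ca, leaf, purpose)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[:cert])
  store.purpose = purpose
  store.verify(leaf[:cert])
end

# Secret the ingress gateway reads: its own key pair plus the CA that client certs must chain to.
def gateway_secret(name, server, ca)
  pems = { 'tls.crt' => server[:cert].to_pem, 'tls.key' => server[:key].to_pem, 'ca.crt' => ca[:cert].to_pem }
  { 'apiVersion' => 'v1', 'kind' => 'Secret', 'type' => 'Opaque',
    'metadata' => { 'name' => name, 'namespace' => 'istio-system' }, # assumed namespace
    'data' => pems.transform_values { |pem| [pem].pack('m0') } }     # strict base64
end

# Gateway server entry that demands a client certificate (MUTUAL) for the predefined domain.
def mtls_gateway(domain, secret_name)
  tls = { 'mode' => 'MUTUAL', 'credentialName' => secret_name }
  { 'apiVersion' => 'networking.istio.io/v1beta1', 'kind' => 'Gateway',
    'metadata' => { 'name' => 'serverless-mtls', 'namespace' => 'istio-system' }, # assumed names
    'spec' => { 'selector' => { 'istio' => 'ingressgateway' },
                'servers' => [{ 'port' => { 'number' => 443, 'name' => 'https', 'protocol' => 'HTTPS' },
                                'hosts' => ["*.#{domain}"], 'tls' => tls }] } }
end
```

Only the client certificate and its key need to be persisted where Pages can read them; the CA private key stays with the job that issues certificates, and the gateway secret carries just the CA certificate.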