Configure mTLS certs when someone uses a serverless domain
Description
We are working towards #30151 (closed) and #26202 (closed).
We decided to split these issues into a few smaller ones.
This issue is about making it possible to use a predefined serverless domain with a Knative cluster.
Proposal
Whenever someone decides to use a predefined serverless domain, we should generate the certificates needed for the mTLS handshake, deploy them to the Knative cluster, and configure the ingress gateway to use them for mutual TLS authentication.
This should be hidden behind a feature flag until the remaining work needed to support this in GitLab Pages is done.
Tasks
Frontend
- UI to select one pre-defined domain from the instance, group, or project level for a Knative installation, instead of entering a custom Knative domain (it needs to be clearly defined which is which, since we will configure mTLS for pre-defined domains and use passthrough for custom domains)
Backend
- Determine whether a pre-defined domain has been selected or a custom domain has been entered
- If a pre-defined domain from the instance, group, or project level has been selected, use a background job to:
  - Generate certificates (find out whether OpenSSL is available or needs to be added)
  - Determine where to persist the certificates so that Pages can access them
  - Deploy the certificates to the Knative cluster
  - Configure the Istio ingress gateway to use the certificates to perform mutual TLS authentication
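The backend steps above, worked through as an added shell example (not GitLab's own code): it mints a private CA, a wildcard server certificate for the serverless domain and a client certificate for Pages, stores them in the secret the Istio ingress gateway reads, and renders a Gateway whose tls mode MUTUAL rejects clients without a certificate from that CA. It assumes openssl and kubectl on PATH, an Istio version that loads gateway credentials by credentialName from istio-system, and that the rendered Gateway replaces the server list of Knative's knative-ingress-gateway; the CA, client and secret names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not GitLab code. Assumes openssl and kubectl on PATH; the secret,
# CA and client names are illustrative and the gateway uses Istio SDS credentialName.
set -euo pipefail

# generate_mtls_certs DIR DOMAIN: writes ca/server/client key+cert pairs into DIR.
generate_mtls_certs() {
  local dir=$1 domain=$2; mkdir -p "$dir"
  # Private CA: the gateway will accept only client certificates signed by this key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -subj "/CN=knative-mtls-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server cert covering every Knative service under the domain (wildcard SAN).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.$domain" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.%s\nextendedKeyUsage=serverAuth\n' "$domain" >"$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client cert for the one party allowed through the gateway (GitLab Pages).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=gitlab-pages" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' >"$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# deploy_certs DIR SECRET: put server key/cert and the CA where the Istio ingress
# gateway reads them (generic secret in istio-system, key names Istio expects).
deploy_certs() {
  local dir=$1 secret=$2
  kubectl create secret generic "$secret" -n istio-system \
    --from-file=tls.crt="$dir/server.crt" --from-file=tls.key="$dir/server.key" \
    --from-file=ca.crt="$dir/ca.crt" --dry-run=client -o yaml | kubectl apply -f -
}

# render_gateway DOMAIN SECRET: Knative's ingress Gateway with an HTTPS server whose
# mode MUTUAL rejects any client without a cert chaining to ca.crt in SECRET.
render_gateway() {
  local domain=$1 secret=$2
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: knative-ingress-gateway, namespace: knative-serving}
spec:
  selector: {istio: ingressgateway}
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["*.$domain"]
    tls: {mode: MUTUAL, credentialName: $secret}
EOF
}
```

Typical use is generate_mtls_certs "$dir" "$domain", then deploy_certs "$dir" "$secret", then render_gateway "$domain" "$secret" | kubectl apply -f -; the client key and cert are what Pages must present when it connects.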
/cc @nagyv.gitlab @nicholasklick @tauriedavis