SSL for Knative services
Make Cert Manager work with Knative services
Problem to solve
It's a tonne of manual difficult steps for Knative users to get SSL certificates for their services even if they have installed Cert Manager (see https://github.com/knative/docs/blob/master/serving/using-cert-manager-on-gcp.md). I think we should be able to make this simpler (perhaps by doing these steps from GitLab itself when you install the 2 apps).
Since Knative project is still working on Domain & Cert automation our MVC can be simply be to allow user to upload the certificate pair (private/public) for their Knative service and follow the steps outlined here Configuring HTTPS with a custom certificate.
When a user has installed both Cert Manager and Knative they will automatically get SSL certs for their deployed (much like we do for Auto DevOps now). The technical challenges we'll need to solve is setting everything up correctly from GitLab's backend.
One risk we run here is that a bunch of the APIs we need to interact with to set this stuff up are all in Alpha stage right now so there is a good chance this could break at some point in the future. We should decouple any failures that occur from Cert Manager installation since we don't want to break Cert Manager for all our users just because Knative or Istio change something underneath us.
This will also be a necessary prerequisite for https://gitlab.com/gitlab-org/gitlab-ce/issues/56438 otherwise we are losing features by switching to Knative.
What does success look like, and how can we measure that?
Links / references
Enabling HTTPS on Knative https://cloud.google.com/run/docs/gke/enabling-cluster-https
Note: We do something similar for GitLab Pages so we should take note of any lessons we've learned from this (particularly regarding possible security problems).