Add Serving transport encryption docs

Author: rh-max

_topic_maps/_topic_map.yml

@@ -132,8 +132,6 @@ Topics:
     File: init-containers
   - Name: Resolving image tags to digests
     File: resolving-image-tags-to-digests
-  - Name: Configuring TLS authentication
-    File: serverless-config-tls
   - Name: Configuring Kourier
     File: configuring-kourier
   - Name: Restrictive network policies
@@ -142,6 +140,8 @@ Topics:
   File: debugging-serverless-applications
 - Name: Kourier and Istio ingresses
   File: kourier-and-istio-ingresses
+- Name: Serving transport encryption
+  File: serving-transport-encryption
 - Name: Traffic splitting
   Dir: traffic-splitting
   Topics:

about/serverless-release-notes.adoc

@@ -83,7 +83,7 @@ include::modules/serverless-rn-1-25-0.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources for {ocp-product-title}
-* xref:../knative-serving/config-applications/serverless-config-tls.adoc#serverless-config-tls[Configuring TLS authentication]
+* xref:../knative-serving/serving-transport-encryption.adoc#serving-transport-encryption-setting-up[Serving transport encryption]
 
 include::modules/serverless-rn-1-24-0.adoc[leveloffset=+1]
 include::modules/serverless-rn-1-23-0.adoc[leveloffset=+1]

knative-serving/config-applications/serverless-config-tls.adoc

@@ -0,0 +1,43 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="serving-transport-encryption"]
+= Serving transport encryption
+:context: serving-transport-encryption
+
+toc::[]
+
+You can enable {ServerlessProductName} Serving transport encryption to allow transporting data over secured and encrypted HTTPS connections using TLS.
+
+:FeatureName: {ServerlessProductName} Serving transport encryption
+include::snippets/technology-preview.adoc[leveloffset=+2]
+
+[IMPORTANT]
+====
+Serving Transport Encryption is only available for Kourier as an ingress layer. For {SMProductName}, use the service mesh mTLS capabilities to ensure encrypted traffic.
+====
+
+include::modules/serving-transport-encryption-overview.adoc[leveloffset=+1]
+include::modules/serving-transport-encryption-choice-of-a-certificate-issuer.adoc[leveloffset=+1]
+
+[id="serving-transport-encryption-setting-up_{context}"]
+== Setting up OpenShift Serverless transport encryption
+
+.Prerequisites
+
+* You have access to an {ocp-product-title} account with cluster administrator access.
+* Install the {oc-first}.
+* Install the {cert-manager-operator}.
+* Install the {ServerlessOperatorName}.
+
+[IMPORTANT]
+====
+If you install the {ServerlessOperatorName} before installing the {cert-manager-operator}, you must restart the controller and activator deployments in the `knative-serving` namespace. Failure to restart these deployments prevents Knative from creating the necessary `cert-manager` resources, which results in pending Knative Services and prevents enabling the Knative Serving `cert-manager` integration.
+====
+
+include::modules/serving-transport-encryption-configuring-selfsigned-clusterissuer.adoc[leveloffset=+2]
+include::modules/serving-transport-encryption-creating-a-clusterissuer-to-be-used-by-serving.adoc[leveloffset=+2]
+include::modules/serving-transport-encryption-configuring.adoc[leveloffset=+2]
+
+include::modules/serving-transport-encryption-trust-configuration.adoc[leveloffset=+1]
+include::modules/serving-transport-encryption-ensuring-seamless-ca-rotation.adoc[leveloffset=+1]
+include::modules/serving-transport-encryption-verifying.adoc[leveloffset=+1]

knative-serving/serving-transport-encryption.adoc

@@ -35,7 +35,7 @@ $ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key
 $ oc label secret <tls_secret_name> networking.internal.knative.dev/certificate-uid="<id>"
 ----
 +
-If you are using a third-party secret provider such as cert-manager, you can configure your secret manager to label the Kubernetes TLS secret automatically. Cert-manager users can use the secret template offered to automatically generate secrets with the correct label. In this case, secret filtering is done based on the key only, but this value can carry useful information such as the certificate ID that the secret contains.
+If you are using a third-party secret provider such as `cert-manager`, you can configure your secret manager to label the Kubernetes TLS secret automatically. `cert-manager` users can use the secret template offered to automatically generate secrets with the correct label. In this case, secret filtering is done based on the key only, but this value can carry useful information such as the certificate ID that the secret contains.
 +
 [NOTE]
 ====

modules/serverless-domain-mapping-custom-tls-cert.adoc

@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * knative-serving/serving-transport-encryption.adoc
+:_mod-docs-content-type: CONCEPT
+[id="serving-transport-encryption-choice-of-a-certificate-issuer_{context}"]
+= Choice of a certificate issuer
+
+Issuers refer to `cert-manager` issuers and cluster issuers. They represent certificate authorities (CAs) that can generate signed certificates by honoring certificate signing requests. For more information, see link:https://cert-manager.io/docs/concepts/issuer/[cert-manager documentation on issuers].
+
+Depending on the encryption features that you use, {ServerlessProductName} requires your certificate issuer to be able to sign certain certificates. To identify your certificate issuer, refer to the link:https://cert-manager.io/docs/configuration/issuers/[list of cert-manager integrations], which contains examples for the following:
+
+* A custom CA stored in a Kubernetes secret
+* HTTP-01 challenges
+* DNS-01 challenges
+* Self-signed issuers
+
+[id="serving-transport-encryption-compatible-certificate-issuers_{context}"]
+== Compatible certificate issuers
+
+Not all issuer types work for each Knative Serving encryption feature.
+
+* For cluster-local encryption, the issuer must be able to sign certificates for the following cluster-local domain types:
++
+--
+** `myapp.<namespace>`
+** `myapp.<namespace>.svc`
+** `myapp.<namespace>.svc.cluster.local`
+--
++
+As the CA usually is not within the cluster, verification using the Automated Certificate Management Environment (ACME) protocol (DNS01/HTTP01) is not possible. You can use an issuer that allows creating these certificates, such as the `cert-manager` CA issuer.
+
+* For system-internal encryption, the issuer must be able to sign certificates with the following Subject Alternative Names (SANs):
++
+--
+** `kn-routing`
+** names of format `kn-user-<namespace>`, where `<namespace>` is a namespace where Knative Services are created
+** `data-plane.knative.dev`
+--
++
+Knative requires these SANs to verify connections between the internal components. Because this is not possible using the ACME protocol (DNS01/HTTP01), you must configure an issuer that allows creating these certificates, for example, `cert-manager` CA issuer.

modules/serverless-enabling-tls-internal-traffic.adoc

@@ -0,0 +1,67 @@
+// Module included in the following assemblies:
+//
+// * knative-serving/serving-transport-encryption.adoc
+:_content-type: PROCEDURE
+[id="serving-transport-encryption-configuring-selfsigned-clusterissuer_{context}"]
+= Configuring a SelfSigned cluster issuer
+
+The following procedure uses a `SelfSigned` issuer as the root certificate. For information about the implications and limitations of this method, see the link:https://cert-manager.io/docs/configuration/selfsigned/[SelfSigned cert-manager documentation].
+
+If you manage your own company-specific Private Key Infrastructure (PKI), use the CA issuer. For more information, see link:https://cert-manager.io/docs/configuration/ca/[cert-manager documentation on CA issuers].
+
+.Procedure
+
+. Create a `SelfSigned` `ClusterIssuer` custom resource (CR):
++
+.Example ClusterIssuer CR
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: knative-serving-selfsigned-issuer
+spec:
+  selfSigned: {}
+----
+
+. Apply the `ClusterIssuer` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <filename>
+----
+
+. Create a root certificate that refers to the `ClusterIssuer` CR:
++
+.Example root certificate
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: knative-serving-selfsigned-ca
+  namespace: cert-manager <1>
+spec:
+  secretName: knative-serving-ca <2>
+
+  isCA: true
+  commonName: selfsigned-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+
+  issuerRef:
+    name: knative-serving-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+----
+<1> The {cert-manager-operator} namespace, `cert-manager` by default.
+<2> Secret name later used for the `ClusterIssuer` CR for Knative Serving.
+
+. Apply the `Certificate` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <filename>
+----
+

modules/serving-transport-encryption-choice-of-a-certificate-issuer.adoc

@@ -0,0 +1,108 @@
+// Module included in the following assemblies:
+//
+// * knative-serving/serving-transport-encryption.adoc
+:_content-type: PROCEDURE
+[id="serving-transport-encryption-configuring_{context}"]
+= Configuring transport encryption
+
+Configuring transport encryption consists of two parts:
+
+. Specifying the `ClusterIssuer` issuer to use:
+
+** `clusterLocalIssuerRef`: issuer for cluster-local-domain certificates used for ingress.
+
+** `systemInternalIssuerRef`: issuer for certificates for system-internal-tls certificates used by Knative internal components.
+
+. Specifying transport encryption features to use:
+
+** `cluster-local-domain-tls`: Enables the transport encryption feature for cluster-local domains
+
+** `system-internal-tls`: Enables the transport encryption feature for OpenShift Serverless Serving internal components.
+
+.Procedure
+
+. Enable transport encryption in the `KnativeServing` resource:
++
+[source,yaml]
+----
+apiVersion: operator.knative.dev/v1beta1
+kind: KnativeServing
+metadata:
+  name: knative-serving
+  namespace: knative-serving
+spec:
+  ...
+  config:
+    certmanager:
+      clusterLocalIssuerRef: |
+        kind: ClusterIssuer
+        name: knative-serving-ca-issuer <1>
+      systemInternalIssuerRef: |
+        kind: ClusterIssuer
+        name: knative-serving-ca-issuer <2>
+    network:
+      cluster-local-domain-tls: Enabled <3>
+      system-internal-tls: Enabled <4>
+----
+<1> Define the cluster issuer for each feature. The same or individual cluster issuers can be used.
+<2> Define the cluster issuer.
+<3> Enable the `cluster-local-domain-tls` feature. This and other features can be enabled or disabled individually.
+<4> Enable the `system-internal-tls` feature.
+
+. Apply the `KnativeServing` resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <filename>
+----
+
+. Optionally, change the `defaultCertificate` value in the Ingress Controller:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+ ...
+spec:
+  defaultCertificate:
+    name: ca-ingress-cert
+----
+
+. If you changed the `defaultCertificate` value, you must specify the custom certificate name in the `openshift-ingress-default-certificate` field in the `KnativeServing` custom resource. 
++
+For example, if the custom certificate name is `ca-ingress-cert`, add the following configuration:
++
+[source,yaml]
+----
+...
+spec:
+  config:
+    network:
+      system-internal-tls: Enabled
+      openshift-ingress-default-certificate: "ca-ingress-cert"
+...
+----
+
+. If you enabled `cluster-local-domain-tls` or `system-internal-tls`, restart the Controller component by running the following command.
++
+[IMPORTANT]
+====
+When either the `cluster-local-domain-tls` or the `system-internal-tls` feature is enabled, you must restart the Controller component to enable the Knative Serving `cert-manager` integration.
+====
++
+[source,terminal]
+----
+$ oc rollout restart deploy/controller -n knative-serving
+----
+
+. If you enabled `system-internal-tls`, restart the Activator component by running the following command.
++
+[IMPORTANT]
+====
+When the `system-internal-tls` feature is activated, you must restart the Activator component to reconfigure its internal web server, as this is not possible during runtime.
+====
++
+[source,terminal]
+----
+$ oc rollout restart deploy/activator -n knative-serving
+----