Revert #1085 (#1344)

.github/workflows/kind-e2e.yaml

@@ -23,10 +23,6 @@ jobs:
         - ./test/conformance
         - ./test/e2e
 
-        encryption:
-        - disabled
-        - system-internal-tls
-
         istio-profile:
         - no-mesh
         - ambient
@@ -71,21 +67,6 @@ jobs:
 
         echo "GATEWAY_NAMESPACE_OVERRIDE=istio-system" >> $GITHUB_ENV
 
-    - name: Generate certificates and enable system-internal-tls
-      if: matrix.encryption == 'system-internal-tls' && matrix.istio-profile == 'no-mesh'
-      run: |
-        set -o pipefail
-
-        echo ">> Deploy certificate for upstream traffic"
-        ./test/generate-upstream-cert.sh
-
-        echo ">> Setting environment variables for upstream tls"
-        echo "UPSTREAM_TLS_CERT=serving-certs" >> $GITHUB_ENV
-        echo "SERVER_NAME=kn-user-serving-tests" >> $GITHUB_ENV
-
-        echo ">> Enabling system-internal-tls in config-network"
-        kubectl apply -f test/config/system-internal-tls
-
     - name: Upload Test Images
       run: |
         # Build and Publish our test images to the docker daemon.

DEVELOPMENT.md

@@ -94,17 +94,3 @@ Run the following command to install net-istio components
 ko apply -f config/
 ```
 
-### System Internal TLS (optional)
-
-If you want to work with `system-internal-tls` enabled you can either:
-
-* Install `Knative Serving`, `cert-manager` and `net-certmanager` to automatically generate the certificates. The CA will be injected for the Knative Certificate in [700-istio-knative-certificate.yaml](./config/700-istio-knative-certificate.yaml).
-* Or use [./test/generate-upstream-cert.sh)](./test/generate-upstream-cert.sh) to manually generate the secrets.
-
-You can then enable `system-internal-tls` in `config-network` like in [our test resources](./test/config/system-internal-tls/config-network.yaml)
-and specify the following environment variables before you run the e2e/conformance tests:
-
-```bash
-export UPSTREAM_TLS_CERT=serving-certs
-export SERVER_NAME=kn-user-serving-tests
-```

cmd/controller/main.go

@@ -32,7 +32,6 @@ func main() {
 	// resilient to clusters containing malformed resources.
 	v1beta1.VirtualServiceUnmarshaler.AllowUnknownFields = true
 	v1beta1.GatewayUnmarshaler.AllowUnknownFields = true
-	v1beta1.DestinationRuleUnmarshaler.AllowUnknownFields = true
 
 	ctx := informerfiltering.GetContextWithFilteringLabelSelector(signals.NewContext())
 	sharedmain.MainWithContext(ctx, "net-istio-controller", ingress.NewController, serverlessservice.NewController)

pkg/reconciler/ingress/controller.go

@@ -22,7 +22,6 @@ import (
 	"go.uber.org/zap"
 	v1 "k8s.io/client-go/informers/core/v1"
 	istioclient "knative.dev/net-istio/pkg/client/istio/injection/client"
-	destinationruleinformer "knative.dev/net-istio/pkg/client/istio/injection/informers/networking/v1beta1/destinationrule"
 	gatewayinformer "knative.dev/net-istio/pkg/client/istio/injection/informers/networking/v1beta1/gateway"
 	virtualserviceinformer "knative.dev/net-istio/pkg/client/istio/injection/informers/networking/v1beta1/virtualservice"
 	"knative.dev/net-istio/pkg/reconciler/ingress/config"
@@ -83,20 +82,18 @@ func newControllerWithOptions(
 	ctx = AnnotateLoggerWithName(ctx, controllerAgentName)
 	logger := logging.FromContext(ctx)
 	virtualServiceInformer := virtualserviceinformer.Get(ctx)
-	destinationRuleInformer := destinationruleinformer.Get(ctx)
 	gatewayInformer := gatewayinformer.Get(ctx)
 	secretInformer := getSecretInformer(ctx)
 	serviceInformer := serviceinformer.Get(ctx)
 	ingressInformer := ingressinformer.Get(ctx)
 
 	c := &Reconciler{
-		kubeclient:            kubeclient.Get(ctx),
-		istioClientSet:        istioclient.Get(ctx),
-		virtualServiceLister:  virtualServiceInformer.Lister(),
-		destinationRuleLister: destinationRuleInformer.Lister(),
-		gatewayLister:         gatewayInformer.Lister(),
-		secretLister:          secretInformer.Lister(),
-		svcLister:             serviceInformer.Lister(),
+		kubeclient:           kubeclient.Get(ctx),
+		istioClientSet:       istioclient.Get(ctx),
+		virtualServiceLister: virtualServiceInformer.Lister(),
+		gatewayLister:        gatewayInformer.Lister(),
+		secretLister:         secretInformer.Lister(),
+		svcLister:            serviceInformer.Lister(),
 	}
 	myFilterFunc := reconciler.AnnotationFilterFunc(networking.IngressClassAnnotationKey, netconfig.IstioIngressClassName, true)
 
@@ -126,11 +123,6 @@ func newControllerWithOptions(
 		Handler:    controller.HandleAll(impl.EnqueueControllerOf),
 	})
 
-	destinationRuleInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
-		FilterFunc: controller.FilterController(&v1alpha1.Ingress{}),
-		Handler:    controller.HandleAll(impl.EnqueueControllerOf),
-	})
-
 	endpointsInformer := endpointsinformer.Get(ctx)
 	podInformer := podinformer.Get(ctx)
 	resyncOnIngressReady := func(ing *v1alpha1.Ingress) {

pkg/reconciler/ingress/ingress.go

@@ -24,8 +24,6 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
 	"google.golang.org/protobuf/testing/protocmp"
-	pkgnetwork "knative.dev/pkg/network"
-
 	istiov1beta1 "istio.io/api/networking/v1beta1"
 	"istio.io/client-go/pkg/apis/networking/v1beta1"
 	istiolisters "knative.dev/net-istio/pkg/client/istio/listers/networking/v1beta1"
@@ -66,24 +64,22 @@ const (
 type Reconciler struct {
 	kubeclient kubernetes.Interface
 
-	istioClientSet        istioclientset.Interface
-	virtualServiceLister  istiolisters.VirtualServiceLister
-	destinationRuleLister istiolisters.DestinationRuleLister
-	gatewayLister         istiolisters.GatewayLister
-	secretLister          corev1listers.SecretLister
-	svcLister             corev1listers.ServiceLister
+	istioClientSet       istioclientset.Interface
+	virtualServiceLister istiolisters.VirtualServiceLister
+	gatewayLister        istiolisters.GatewayLister
+	secretLister         corev1listers.SecretLister
+	svcLister            corev1listers.ServiceLister
 
 	tracker tracker.Interface
 
 	statusManager status.Manager
 }
 
 var (
-	_ ingressreconciler.Interface           = (*Reconciler)(nil)
-	_ ingressreconciler.Finalizer           = (*Reconciler)(nil)
-	_ coreaccessor.SecretAccessor           = (*Reconciler)(nil)
-	_ istioaccessor.VirtualServiceAccessor  = (*Reconciler)(nil)
-	_ istioaccessor.DestinationRuleAccessor = (*Reconciler)(nil)
+	_ ingressreconciler.Interface          = (*Reconciler)(nil)
+	_ ingressreconciler.Finalizer          = (*Reconciler)(nil)
+	_ coreaccessor.SecretAccessor          = (*Reconciler)(nil)
+	_ istioaccessor.VirtualServiceAccessor = (*Reconciler)(nil)
 )
 
 // ReconcileKind compares the actual state with the desired, and attempts to
@@ -228,13 +224,6 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
 	}
 	gatewayNames[v1alpha1.IngressVisibilityClusterLocal].Insert(resources.GetQualifiedGatewayNames(clusterLocalIngressGateways)...)
 
-	if config.FromContext(ctx).Network.SystemInternalTLSEnabled() {
-		logger.Info("reconciling DestinationRules for system-internal-tls")
-		if err := r.reconcileDestinationRules(ctx, ing); err != nil {
-			return err
-		}
-	}
-
 	vses, err := resources.MakeVirtualServices(ing, gatewayNames)
 	if err != nil {
 		return err
@@ -400,47 +389,6 @@ func (r *Reconciler) reconcileVirtualServices(ctx context.Context, ing *v1alpha1
 	return nil
 }
 
-func (r *Reconciler) reconcileDestinationRules(ctx context.Context, ing *v1alpha1.Ingress) error {
-	var drs = sets.New[string]()
-	for _, rule := range ing.Spec.Rules {
-		for _, path := range rule.HTTP.Paths {
-			// Currently DomainMappings point to the cluster local domain on the local gateway.
-			// As there is no encryption there yet (https://github.com/knative/serving/issues/13472),
-			// we cannot use upstream TLS here, so we need to skip it for DomainMappings
-			if path.RewriteHost != "" {
-				continue
-			}
-
-			for _, split := range path.Splits {
-				svc, err := r.svcLister.Services(split.ServiceNamespace).Get(split.ServiceName)
-				if err != nil {
-					return fmt.Errorf("failed to get service: %w", err)
-				}
-
-				http2 := false
-				for _, port := range svc.Spec.Ports {
-					if port.Name == "http2" || port.Name == "h2c" {
-						http2 = true
-					}
-				}
-
-				hostname := pkgnetwork.GetServiceHostname(split.ServiceName, split.ServiceNamespace)
-
-				// skip duplicate entries, as we only need one DR per unique upstream k8s service
-				if !drs.Has(hostname) {
-					dr := resources.MakeInternalEncryptionDestinationRule(hostname, ing, http2)
-					if _, err := istioaccessor.ReconcileDestinationRule(ctx, ing, dr, r); err != nil {
-						return fmt.Errorf("failed to reconcile DestinationRule: %w", err)
-					}
-					drs.Insert(hostname)
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
 func (r *Reconciler) FinalizeKind(ctx context.Context, ing *v1alpha1.Ingress) pkgreconciler.Event {
 	logger := logging.FromContext(ctx)
 	istiocfg := config.FromContext(ctx).Istio
@@ -531,10 +479,6 @@ func (r *Reconciler) GetVirtualServiceLister() istiolisters.VirtualServiceLister
 	return r.virtualServiceLister
 }
 
-func (r *Reconciler) GetDestinationRuleLister() istiolisters.DestinationRuleLister {
-	return r.destinationRuleLister
-}
-
 func gatewayServiceURL(gateways []config.Gateway) string {
 	if len(gateways) == 0 {
 		return ""