TLS Gateway config does not persist #11335

Closed
techBeck03 opened this issue May 12, 2021 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@techBeck03

In what area(s)?

/area networking

What version of Knative?

0.22.1

Expected Behavior

kubectl edit gateway knative-ingress-gateway --namespace knative-serving

Adding TLS host entries per this doc, I expect this config to persist.

Actual Behavior

I'm following the documentation to manually configure TLS host entries within the gateway but the gateway config seems to be rewritten (maybe due to reconciliation) after some period of time. I've followed the installation using the knative operator and have not configured features such as autoTLS.

Steps to Reproduce the Problem

Follow the vanilla Knative install guide via the operator, and install Istio via istioctl and the YAML below:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        autoInject: disabled
      useMCP: false
      # The third-party-jwt is not enabled on all k8s.
      # See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
      jwtPolicy: first-party-jwt

  addonComponents:
    pilot:
      enabled: true

  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true

Follow the guide mentioned above to configure a TLS host manually. The TLS config will work for some amount of time but will eventually be removed from the gateway config.

@techBeck03 techBeck03 added the kind/bug Categorizes issue or PR as related to a bug. label May 12, 2021
@nak3
Contributor

nak3 commented May 13, 2021

Thank you @techBeck03

> I've followed the installation using the knative operator

I am sure that it is a knative operator's limitation (or bug(?)). Knative operator bundles the Gateway so it is reconciled. I think it is similar to knative/operator#505.

/cc @houshengbo

@techBeck03
Author

Thank you, I was able to get this working using the spec.additionalManifests property in my KnativeServing definition, pointing to a YAML file defining my knative-ingress-gateway definition, which is where I defined my TLS hosts. After that the TLS configuration has persisted. Thank you again!
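
The workaround from the last comment, sketched as an added example (not taken from the thread or from the Knative project): the Gateway with its TLS server is handed to the operator through spec.additionalManifests, so reconciliation applies it rather than reverting it to the bundled one. The manifest URL, host name and secret name are placeholders, and the operator API version and Gateway fields are assumptions to check against the installed release.

```yaml
# File 1: KnativeServing custom resource managed by the Knative operator.
# apiVersion is an assumption for the 0.22 operator; check your installed CRD.
apiVersion: operator.knative.dev/v1alpha1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  additionalManifests:
    # Placeholder location; must be reachable by the operator.
    - URL: https://manifests.example.com/knative-ingress-gateway.yaml
---
# File 2: contents of knative-ingress-gateway.yaml referenced above.
# Same name and namespace as the bundled Gateway, so this definition is the
# one the operator reconciles to.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "app.example.com"            # placeholder TLS host
      tls:
        mode: SIMPLE
        # Placeholder: a kubernetes.io/tls secret in the ingress gateway's
        # namespace (commonly istio-system) holding the certificate and key.
        credentialName: example-tls-cert
```

Re-reading the live object with `kubectl get gateway knative-ingress-gateway --namespace knative-serving -o yaml` after the operator has had time to reconcile confirms whether the HTTPS server entry is still present.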
