Force activator always in path when activator CA is specified

[nak3]

As described in the feature doc of #11906,
activator needs to serve TLS traffic for the traffic from ingress.

So, this patch force SKS proxy mode when activator-ca in
config-network is specified.

Part of #11906

[codecov]

Codecov Report

Merging #12790 (be76f3b) into main (ad64980) will increase coverage by 0.02%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main   #12790      +/-   ##
==========================================
+ Coverage   87.51%   87.54%   +0.02%     
==========================================
  Files         196      196              
  Lines        9782     9787       +5     
==========================================
+ Hits         8561     8568       +7     
+ Misses        934      932       -2     
  Partials      287      287              

Impacted Files	Coverage Δ
pkg/reconciler/autoscaling/config/store.go	100.00% <100.00%> (ø)
pkg/reconciler/autoscaling/kpa/kpa.go	95.23% <100.00%> (+0.11%)	⬆️
pkg/reconciler/configuration/configuration.go	84.61% <0.00%> (-1.54%)	⬇️
pkg/reconciler/revision/background.go	91.81% <0.00%> (+1.81%)	⬆️
pkg/autoscaler/statserver/server.go	79.61% <0.00%> (+1.94%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ad64980...be76f3b. Read the comment docs.

[nak3]

/cc @evankanderson @skonto @rhuss

[dprotaso]

Do we need to force the activator to always be in the path?

I thought the ingress => queue proxy would also be encrypted too

[nak3]

Yes, it should be in the future. But for the initial Alpha release, we will force the activator to always be in the path.
We can refer to the feature docs:

the HTTP Proxy (KIngress) needs to be able to accept certificates for both the activator (in the knative-serving namespace) and the Revision pods (in the user namespace). There are three ways to manage this:
... snip ...
For the initial Alpha release, we will implement approach 2 and reduce scope by keeping the activator always (and only) in the set of Knative Revision endpoints exposed to the KIngress.

[evankanderson]

I'm not sure if Dave is suggesting that we might want to extend the comment around line 135 in kpa.go. I think the link to the GitHub issue may be sufficient, though we should be clear somewhere that this is a temporary state, rather than the long-term goal.

[evankanderson]

/lgtm

/hold

(for the typo and possibly other comment changes)

[nak3]

Thank you! I opened #12797 and extended the comment with the link.

[psschwei]

Just thinking out loud here, but do we want to potentially include some kind of validation check for both this setting and a custom TBC value (since by keeping the activator in the path, we're more or less setting TBC = -1 and any other value would essentially get overridden)? It could be overkill, but might also be nice to catch any conflicts at the validation stage.

[nak3]

I'm sure the validation would be useful, but the "activator always in the path" solution is temporary state. So I am inclined to consider about the validation later if "activator always in the path" solution cannot be dropped soon.

In addition, I am lack of knowledge about the auto scale... So I'm worried that I can include the validation without any side effect.

[nak3]

@evankanderson @skonto @rhuss bump

[evankanderson]

This seems safe on its own; the worst case is that you have less-good scaling behavior by setting a key in config-network, but you don't end up being broken altogether by it.

One concern about the structure of the code in kpa.go, but otherwise LGTM.

/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/reconciler/autoscaling/OWNERS [evankanderson,nak3]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[skonto]

/lgtm