From c8c9ec897590461fc6626cf65a520bfaf467c018 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Tue, 31 Jan 2023 15:12:38 +0100
Subject: [PATCH] Add serving-internal docs about Knative encryption support

---
 .../encryption/encryption-overview.drawio.svg |  4 ++++
 docs/encryption/encryption-overview.md        | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 docs/encryption/encryption-overview.drawio.svg
 create mode 100644 docs/encryption/encryption-overview.md

diff --git a/docs/encryption/encryption-overview.drawio.svg b/docs/encryption/encryption-overview.drawio.svg
new file mode 100644
index 000000000000..e2f79e3b066e
--- /dev/null
+++ b/docs/encryption/encryption-overview.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="591px" height="681px" viewBox="-0.5 -0.5 591 681" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-01-23T11:56:32.659Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36&quot; etag=&quot;d2i3arcqtnRLSImtZSMY&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;CuUWBOHv050rsL-bOBN4&quot; name=&quot;Page-1&quot;&gt;7Vtbd9o4EP41nNM+OMcXcOCRkGS7p92etHnY3UdhC9BGWKwsc9lfvyNb8k2GkOIY0iYvWKORZM/lmxlJ6XmT5fY3jlaLP1iIac+1w23Pu+25ruP41/AjKbuM4mvCnJNQMRWER/IfVkRbURMS4rjCKBijgqyqxIBFEQ5EhYY4Z5sq24zR6qorNMcG4TFA1KT+SUKxyKjDgV3QP2EyX+iVHVv1LJFmVoR4gUK2KZG8u5434YyJ7Gm5nWAqhaflko2739ObvxjHkThqQD8bsUY0UR/Xc30KY2+mHJ7m8umdcoEUTfiKljheoQC0N5YuhZfMcjQXKH5ajEwNTuy0FXOWRCGWhmBD92ZBBH7MJrrdgN8CbSGWFFoOPM4IpRNGGYd2xCJguglRvEiHO/nsa8wF3u61RSe3cIAGzJZY8B2wqAH9vnIKhQqe9qdN4WOOr2iLkn9514qIlF/P87kL04cHZf17PMF794S3SdnjCU8REmSNrRjzNYnmb9IlnOc9Ijf+1j3CDA2xQFzEhtRwCNFRNRkXCzZnEaJ3BfWmKteC5wtjKyWtf7AQOxXqUSJYVdYgL777S46/Gujm32q6tHG7rbR2qhULzp6w1lLP9UbpX64d+eqHdQNfyhIeKC5XZRuIz7GWdbMGOaap/VWTjxPU4RrqeNSWbU8YfDWjFPP2TBqEFQ7wMOw3iXHoTj3fz8XYIDXD7vcaeZ4M7WpxoIz7boOV+y0Y+fAc1ty2VXqmVfodWeW1YZUrtkpgEcjPDcgOwCbIjATQ+5OKfXDQ0i37yvOHClePVoWa7oEReJeChc1mMSxb11W+6nFZj4kqv7T+HPs5BboXpD0zZZ2UNVQJC3VdflCd1gNnggWMfjxP6DgpP6qHjkGXoWNgSN9ISR9xwKWWm1LPukJUnmpJJ4utQHBqBahVncxm2A+CJp2E16OpbbdUxtVUYg+6U4njGzrhGIWx3AuqeEbPvZElAt6dA8eKZLaSyhaZbUfJrN+Af4cDmH3l+zrkvwwBx5yjXYlhJfEwbgBItZJXtSJfWdH9cezeyK6ZTbb+a4KxaXonwUGtfM1g4SeAg+su4cAxdAIKyHKby6lhnY7dfvQjaY/vjC4o8RkZev2O1yQmLALqdxywKCBnK4ZbzWh8t8OMxjHlmsTncZa2jV7vpFWs/rpZFa0XyXrx99hQiw2DQTU4dJm+u6ZScBTw3UqAzOQrwBsYkv/2UE8lJyYTzEjCLMrYj+Ov5401J6aY9/ce/P242w3O6XZmhTYOYAUkWMuhAeHhrNFb/GCIpzM5AqptrfN9O6SnxAnP7zJOmLt+Bp59TsEJ5Lf34KaMcZm32d8SnGC5I7E1C7NXVtArwFmnOnHNXNfQyYUc2B1BecundE6D2gejBrU7bZzS6ROMPWEsibMTIlQAXzl+XZkqAH6O43TLpLR9aF9UUDvxEPDEoCYJL9w4gQrKyW85XUQJpT/iEF78npuCuZN8OEP9gK/mYFv2ZxAbwbzlveVO0LweYZ1hl2je/6UdrOFkJrPXLs7ZzayxDKhrgiRz7hkxo4lINx4uoEh+03JvuoBVk2m8QCv5mCwpZPLyq2+kj0Moo1/QFNMHFpNUGd7tlAnBliWGMSVz2SFYDV1YIiiJQIz6sqhdg5wQz1BCRUuw4leTxIaS13stUNl/OjIZnxdvTqxS2z8I2Wf2+UHI0B+duCOqphrUNvx01apnyF5UDSqUbcxTPwPp2zWTyT7PmOilJzP1DcpnTmZq7DpZ7vJkpuGSis5YYBYJ58EC8Vip3v83kbevbxIxs4ZFs+HaYclbNFeQ2aS8f8jn0w92uj9k65+P6Xhb7gVYM7QkdJexfsJ0jSVIlfrj1Glkr+OutuWObFHZEzG+RLTUt0acIPgFqEMi4fKO/EG+AK0aWCg4LeaWvEspiwejn/HVAkVqoJvRABCFhTKIHac1RgRzlPoIQIV0Qdlp6w9KewSHyWYwv14pLdIySEyv6peW2TAeVl8sn8va4OkTgenknBlCWApUK3xTFDzNU+iyatpy+8NMUW5/pB4GWmfprCEOGEcywFhiQYKnSKYA6XASQdzR8qnzljR2kK/0OmW+ugXW7rmqVMQKDlz2OKqslq/zfC7eQgg8ol7OecoxsP/yGAjN4p8pMugo/iXFu/sf&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="430" y="310" width="160" height="370" fill="none" stroke="rgb(0, 0, 0)" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 495px; margin-left: 431px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><b>Namespace: demo-1</b></div></div></div></foreignObject><text x="510" y="499" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Namespace: demo-1...</text></switch></g><rect x="0" y="310" width="370" height="370" fill="none" stroke="rgb(0, 0, 0)" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 368px; height: 1px; padding-top: 495px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><b>Namespace: knative-serving</b></div></div></div></foreignObject><text x="185" y="499" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Namespace: knative-serving...</text></switch></g><path d="M 270 460 L 270 493.63" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270 498.88 L 266.5 491.88 L 270 493.63 L 273.5 491.88 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 480px; margin-left: 270px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">starts</div></div></div></foreignObject><text x="270" y="483" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">starts</text></switch></g><rect x="210" y="400" width="120" height="60" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 430px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Serving Controller</div></div></div></foreignObject><text x="270" y="434" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Serving Controller</text></switch></g><path d="M 210 530 L 180 530 L 180 565 L 156.37 565" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 151.12 565 L 158.12 561.5 L 156.37 565 L 158.12 568.5 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><path d="M 210 530 L 180 530 L 180 495 L 156.37 495" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 151.12 495 L 158.12 491.5 L 156.37 495 L 158.12 498.5 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 530px; margin-left: 180px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">populates<br />certificate</div></div></div></foreignObject><text x="180" y="533" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">populates...</text></switch></g><path d="M 330 530 L 438.63 530" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 443.88 530 L 436.88 533.5 L 438.63 530 L 436.88 526.5 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 530px; margin-left: 376px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">populates<br />certificate</div></div></div></foreignObject><text x="376" y="533" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">populates...</text></switch></g><rect x="210" y="500" width="120" height="60" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 530px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Certificate Controller<br />(Control-Protocol)</div></div></div></foreignObject><text x="270" y="534" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Certificate Controll...</text></switch></g><rect x="30" y="465" width="120" height="60" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 495px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Secret</b><br />serving-certs-ctrl-ca</div></div></div></foreignObject><text x="90" y="499" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Secret...</text></switch></g><path d="M 30 565 L 20 565 L 20 350 L 203.63 350" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 350 L 201.88 353.5 L 203.63 350 L 201.88 346.5 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 350px; margin-left: 140px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">reads certificate + key</div></div></div></foreignObject><text x="140" y="353" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">reads certificate + key</text></switch></g><rect x="30" y="535" width="120" height="60" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 565px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Secret</b><br />knative-serving-certs</div></div></div></foreignObject><text x="90" y="569" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Secret...</text></switch></g><path d="M 330 610 L 505 610 L 505 566.37" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 505 561.12 L 508.5 568.12 L 505 566.37 L 501.5 568.12 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 610px; margin-left: 373px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">creates</div></div></div></foreignObject><text x="373" y="613" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">creates</text></switch></g><rect x="210" y="580" width="120" height="60" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 610px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Revision Reconciler</div></div></div></foreignObject><text x="270" y="614" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Revision Reconciler</text></switch></g><path d="M 505 500 L 505 386.37" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 505 381.12 L 508.5 388.12 L 505 386.37 L 501.5 388.12 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 440px; margin-left: 505px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">uses</div></div></div></foreignObject><text x="505" y="443" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">uses</text></switch></g><rect x="445" y="500" width="120" height="60" fill="#ffe6cc" stroke="#d79b00" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 530px; margin-left: 446px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Secret</b><br />knative-serving-certs</div></div></div></foreignObject><text x="505" y="534" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Secret...</text></switch></g><path d="M 330 350 L 438.63 350" fill="none" stroke="#ff3333" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 443.88 350 L 436.88 353.5 L 438.63 350 L 436.88 346.5 Z" fill="#ff3333" stroke="#ff3333" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 350px; margin-left: 388px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">encrypted with<br />QP certificate,<br />validates SAN</div></div></div></foreignObject><text x="388" y="353" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">encrypted with...</text></switch></g><rect x="210" y="320" width="120" height="60" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 350px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">Activator</div></div></div></foreignObject><text x="270" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Activator</text></switch></g><rect x="445" y="320" width="120" height="60" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 350px; margin-left: 446px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Kservice<br /></b>with Queue-Proxy</div></div></div></foreignObject><text x="505" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Kservice...</text></switch></g><rect x="0" y="120" width="590" height="170" fill="none" stroke="rgb(0, 0, 0)" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 588px; height: 1px; padding-top: 205px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><br /><br /><br /><br /><br /><br /><br /><br /><br /></b></div></div></div></foreignObject><text x="295" y="209" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">...</text></switch></g><path d="M 270 200 L 270 313.63" fill="none" stroke="#ff3333" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270 318.88 L 266.5 311.88 L 270 313.63 L 273.5 311.88 Z" fill="#ff3333" stroke="#ff3333" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 250px; margin-left: 270px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">encrypted using activator certificate.<br />ingress controller validates SAN</div></div></div></foreignObject><text x="270" y="253" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">encrypted using activator certificate....</text></switch></g><rect x="210" y="140" width="120" height="60" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 170px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Ingress Controller</b><br />(e.g. Kourier)</div></div></div></foreignObject><text x="270" y="174" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Ingress Controller...</text></switch></g><path d="M 270 60 L 270 133.63" fill="none" stroke="#ff3333" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270 138.88 L 266.5 131.88 L 270 133.63 L 273.5 131.88 Z" fill="#ff3333" stroke="#ff3333" stroke-miterlimit="10" pointer-events="all"/><path d="M 270 60 L 270 133.63" fill="none" stroke="#ff3333" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270 138.88 L 266.5 131.88 L 270 133.63 L 273.5 131.88 Z" fill="#ff3333" stroke="#ff3333" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 100px; margin-left: 270px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">encrypted via ingress solution</div></div></div></foreignObject><text x="270" y="103" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">encrypted via ingress solution</text></switch></g><ellipse cx="270" cy="7.5" rx="7.5" ry="7.5" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all"/><path d="M 270 15 L 270 40 M 270 20 L 255 20 M 270 20 L 285 20 M 270 40 L 255 60 M 270 40 L 285 60" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 30 565 L 10 565 L 10 170 L 203.63 170" fill="none" stroke="#999999" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 170 L 201.88 173.5 L 203.63 170 L 201.88 166.5 Z" fill="#999999" stroke="#999999" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 170px; margin-left: 170px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">reads CA</div></div></div></foreignObject><text x="170" y="173" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">reads CA</text></switch></g><rect x="0" y="120" width="210" height="40" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe flex-start; width: 208px; height: 1px; padding-top: 127px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(248, 249, 250); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Namespace: ingress-controller<br /></b></div></div></div></foreignObject><text x="2" y="139" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px">Namespace: ingress-controller&#xa;</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
diff --git a/docs/encryption/encryption-overview.md b/docs/encryption/encryption-overview.md
new file mode 100644
index 000000000000..a8557aba841f
--- /dev/null
+++ b/docs/encryption/encryption-overview.md
@@ -0,0 +1,21 @@
+# Knative Serving Encryption
+There are two layers where Knative Serving can provide encryption
+* HTTPS on the ingress layer to the cluster
+* HTTPS on the cluster internal components
+
+## Visualization
+![Visualization of Knative encryption](./encryption-overview.drawio.svg)
+
+## HTTPS on the ingress layer
+On this layer Knative Serving provides two modes:
+* Provide certificates manually, refer to the [existing docs](https://knative.dev/docs/serving/using-a-tls-cert/).
+* Provide certificates automatically using `cert-manager`, refer to the [existing docs](https://knative.dev/docs/serving/using-auto-tls/).
+
+
+## HTTPS on the cluster internal components
+**Warning: Alpha feature**
+
+This is currently `work-in-progress` and tracked in https://github.com/knative/serving/issues/11906. You can experiment with this feature using:
+* an ingress layer that already supports the feature (e.g. Kourier or Contour)
+* Set `internal-encryption: "true"` in the `config-network` configmap
+