Limit redirect route generation to external traffic

ReToCode · ReToCode · commit 9a9faf882eb0 · 2023-01-19T13:52:23.000+01:00
diff --git a/config/config-gateway.yaml b/config/config-gateway.yaml
@@ -53,4 +53,4 @@ data:
         class: istio
         gateway: istio-system/knative-local-gateway
         service: istio-system/knative-local-gateway
-        httpListenerName: http2
+        httpListenerName: default
diff --git a/pkg/reconciler/ingress/config/gateway.go b/pkg/reconciler/ingress/config/gateway.go
@@ -39,7 +39,7 @@ const (
 	defaultGatewayClass = "istio"
 
 	// defaultClusterLocalHTTPListener is the name of the listener for HTTP traffic
-	defaultClusterLocalHTTPListener = "http2"
+	defaultClusterLocalHTTPListener = "default"
 
 	// defaultExternalIPHTTPListener
 	defaultExternalIPHTTPListener = "default"
diff --git a/pkg/reconciler/ingress/ingress.go b/pkg/reconciler/ingress/ingress.go
@@ -103,8 +103,10 @@ func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
 			return err
 		}
 
+		// For now, we only generate the redirected HTTPRoute for external visibility,
+		// because there's no way to provide TLS for internal listeners.
 		var redirectHTTPRoute *gatewayapi.HTTPRoute
-		if ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected {
+		if ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected && rule.Visibility == v1alpha1.IngressVisibilityExternalIP {
 			redirectHTTPRoute, err = c.reconcileRedirectHTTPRoute(ctx, ing, &rule)
 			if err != nil {
 				return err
diff --git a/pkg/reconciler/ingress/reconcile_resources.go b/pkg/reconciler/ingress/reconcile_resources.go
@@ -50,8 +50,10 @@ func (c *Reconciler) reconcileWorkloadRoute(
 		Name:      gatewayapi.ObjectName(gatewayConfig.Gateway.Name),
 	}
 
-	// if http > https redirect is enabled, this route must only be bound to the TLS listener on the gateway
-	if ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected {
+	// If http > https redirect is enabled, this route must only be bound to the TLS listener on the gateway.
+	// For now, we only generate the TLS Listener on the external traffic gateway
+	// because there's no way to provide TLS for internal listeners.
+	if ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected && rule.Visibility == netv1alpha1.IngressVisibilityExternalIP {
 		sectionName := gatewayapi.SectionName(listenerPrefix + ing.GetUID())
 		gatewayRef.SectionName = &sectionName
 	}

Original file line number	Diff line number	Diff line change
`@@ -50,8 +50,10 @@ func (c *Reconciler) reconcileWorkloadRoute(`
`50`	`50`	`Name: gatewayapi.ObjectName(gatewayConfig.Gateway.Name),`
`51`	`51`	`}`
`52`	`52`
`53`		`- // if http > https redirect is enabled, this route must only be bound to the TLS listener on the gateway`
`54`		`- if ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected {`
	`53`	`+ // If http > https redirect is enabled, this route must only be bound to the TLS listener on the gateway.`
	`54`	`+ // For now, we only generate the TLS Listener on the external traffic gateway`
	`55`	`+ // because there's no way to provide TLS for internal listeners.`
	`56`	`+ if ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected && rule.Visibility == netv1alpha1.IngressVisibilityExternalIP {`
`55`	`57`	`sectionName := gatewayapi.SectionName(listenerPrefix + ing.GetUID())`
`56`	`58`	`gatewayRef.SectionName = &sectionName`
`57`	`59`	`}`