Propagate status from KCert to Route

[nak3]

Proposed Changes

When autoTLS is enabled, KCert is one of the critical resources so
Route and KSvc should not be Ready status until Cert is deployed
correctly.

This patch changes to propagate status from KCert to Route.

/lint

Fixes #7162

Release Note

Route does not become Ready if KCert is not Ready on autoTLS enabled env

[knative-prow-robot]

@nak3: 2 warnings.

In response to this:

Proposed Changes

When autoTLS is enabled, KCert is one of the critical resources. This
patch changes changes to propagate status status from KCert to Route.

/lint

Fixes #7162

Release Note

Route does not become Ready if KCert is not Ready on autoTLS enabled env

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vagababov]

/retry

[nak3]

/hold

I have modified files under vendor directory until knative/pkg#1148 is accepted.

[markusthoemmes]

@nak3 seems like the hold can be removed?

[nak3]

/unhold

Yes, it is ready for review now. Thank you.

[markusthoemmes]

/assign @ZhiminXiang

[ZhiminXiang]

If we don't plan to do this in this release (I assume 0.14), could you remove the "Release Note" from the description of this PR?

[nak3]

Sure, done.

[mattmoor]

Why in the next release?

[nak3]

The downgrade test TestServicePostDowngrade failed if we added the new condition in routeCondSet. The Route became Unknown status. (I have confirmed that it does not happen if previous version already has the condition.)
Here is the failure log

[ZhiminXiang]

/lgtm

[nak3]

/assign @tcnghia

[tcnghia]

File an issue to track?

[nak3]

Yes, I do. Thank you!

[tcnghia]

/approve

[ZhiminXiang]

/assgin @mattmoor

[mattmoor]

I'm cool with this change, I would just like to understand the rationale behind the release staging.

thanks!

[nak3]

I think both are good. Making minimal impact to UX is better so we should change it to "only when plain HTTP has been disabled"?

I have added MarkHTTPDownward and set CertificateProvisioned to Ready with MarkHTTPDownward when HTTP is enabled. Otherwise, it is same with original change.

Here is the example output:

$ kubectl get rt -n foo hello-example  -o yaml
apiVersion: serving.knative.dev/v1
kind: Route
  ...
status:
  address:
    url: http://hello-example.foo.svc.cluster.local
  conditions:
  - lastTransitionTime: "2020-04-21T01:48:00Z"
    status: "True"
    type: AllTrafficAssigned
  - lastTransitionTime: "2020-04-21T01:48:02Z"
    message: Certificate foo.example.com is not ready downard HTTP.
    reason: HTTPDownward
    status: "True"
    type: CertificateProvisioned
  - lastTransitionTime: "2020-04-21T01:48:02Z"
    status: "True"
    type: IngressReady
  - lastTransitionTime: "2020-04-21T01:48:02Z"
    status: "True"
    type: Ready
  observedGeneration: 1
  traffic:
  - latestRevision: true
    percent: 100
    revisionName: hello-example-phkdh-1
  url: http://hello-example.foo.example.com

[knative-metrics-robot]

The following is the coverage report on the affected files.
Say /test pull-knative-serving-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/reconciler/route/route.go	84.6%	84.8%	0.2

[nak3]

/retest

[nak3]

/retest

@knative-test-reporter-robot is not correct.. The test failed only TestUpdate and it seems flakiness.

[ZhiminXiang]

/lgtm
/approve

[ZhiminXiang]

When autoTLS is enabled, KCert is one of the critical resources so
Route and KSvc should not be Ready status until Cert is deployed
correctly.

I have been wondering whether we want this behavior in general, or only when plain HTTP has been disabled. What do folks think? 🤔

cc @ZhiminXiang @tcnghia

I think we only want this behavior when plain HTTP has been disabled.

[ZhiminXiang]

@mattmoor could you take another look? It needs your approval :)

[mattmoor]

/lgtm
/approve

Sorry for the delay, feel free to ping me more aggressively when things are blocked on me because I get a TON of notifications, and I'd love to have had this bake more.

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mattmoor, nak3, tcnghia, ZhiminXiang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/apis/OWNERS [mattmoor]
• pkg/reconciler/route/OWNERS [ZhiminXiang,mattmoor,nak3,tcnghia]
• pkg/testing/OWNERS [ZhiminXiang,mattmoor,nak3,tcnghia]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nak3]

Thank you! 😄

[nak3]

/retest

[knative-test-reporter-robot]

The following jobs failed:

Test name	Triggers	Retries
pull-knative-serving-integration-tests	pull-knative-serving-integration-tests pull-knative-serving-integration-tests	2/3

Automatically retrying due to test flakiness...
/test pull-knative-serving-integration-tests