[release-v1.5] Support config to deploy internal certificates automatically

.github/workflows/kind-e2e.yaml

@@ -307,6 +307,8 @@ jobs:
         echo "SYSTEM_NAMESPACE=$SYSTEM_NAMESPACE" >> $GITHUB_ENV
         echo "GATEWAY_OVERRIDE=$GATEWAY_OVERRIDE" >> $GITHUB_ENV
         echo "GATEWAY_NAMESPACE_OVERRIDE=$GATEWAY_NAMESPACE_OVERRIDE" >> $GITHUB_ENV
+        echo "CA_CERT=$CA_CERT" >> $GITHUB_ENV
+        echo "SERVER_NAME=$SERVER_NAME" >> $GITHUB_ENV
 
     - name: Test ${{ matrix.test-suite }}
       run: |

Makefile

@@ -28,6 +28,10 @@ test-e2e:
 	./openshift/e2e-tests.sh
 .PHONY: test-e2e
 
+test-e2e-tls:
+	ENABLE_INTERNAL_TLS="true" ./openshift/e2e-tests.sh
+.PHONY: test-e2e-tls
+
 test-images:
 	for img in $(TEST_IMAGES); do \
 		KO_DOCKER_REPO=$(DOCKER_REPO_OVERRIDE) ko resolve --tags=latest -RBf $$img ; \

cmd/activator/main.go

@@ -40,6 +40,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
+	"knative.dev/control-protocol/pkg/certificates"
 	network "knative.dev/networking/pkg"
 	netcfg "knative.dev/networking/pkg/config"
 	netprobe "knative.dev/networking/pkg/http/probe"
@@ -156,14 +157,14 @@ func main() {
 		logger.Fatalw("Failed to construct network config", zap.Error(err))
 	}
 
-	// Enable TLS against queue-proxy when the CA and SA are specified.
-	tlsEnabled := networkConfig.QueueProxyCA != "" && networkConfig.QueueProxySAN != ""
+	// Enable TLS against queue-proxy when internal-encryption is enabled.
+	tlsEnabled := networkConfig.InternalEncryption
 
 	// Enable TLS client when queue-proxy-ca is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
 	if tlsEnabled {
-		caSecret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, networkConfig.QueueProxyCA, metav1.GetOptions{})
+		caSecret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, netcfg.ServingInternalCertName, metav1.GetOptions{})
 		if err != nil {
 			logger.Fatalw("Failed to get secret", zap.Error(err))
 		}
@@ -173,14 +174,14 @@ func main() {
 			pool = x509.NewCertPool()
 		}
 
-		if ok := pool.AppendCertsFromPEM(caSecret.Data["ca.crt"]); !ok {
+		if ok := pool.AppendCertsFromPEM(caSecret.Data[certificates.SecretCaCertKey]); !ok {
 			logger.Fatalw("Failed to append ca cert to the RootCAs")
 		}
 
 		tlsConf := &tls.Config{
 			RootCAs:            pool,
 			InsecureSkipVerify: false,
-			ServerName:         networkConfig.QueueProxySAN,
+			ServerName:         certificates.FakeDnsName,
 			MinVersion:         tls.VersionTLS12,
 		}
 		transport = pkgnet.NewProxyAutoTLSTransport(env.MaxIdleProxyConns, env.MaxIdleProxyConnsPerHost, tlsConf)
@@ -275,15 +276,15 @@ func main() {
 		}(name, server)
 	}
 
-	// Enable TLS server when activator-server-cert is specified.
+	// Enable TLS server when internal-encryption is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
-	if networkConfig.ActivatorCertSecret != "" {
-		secret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, networkConfig.ActivatorCertSecret, metav1.GetOptions{})
+	if networkConfig.InternalEncryption {
+		secret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, netcfg.ServingInternalCertName, metav1.GetOptions{})
 		if err != nil {
 			logger.Fatalw("failed to get secret", zap.Error(err))
 		}
-		cert, err := tls.X509KeyPair(secret.Data["tls.crt"], secret.Data["tls.key"])
+		cert, err := tls.X509KeyPair(secret.Data[certificates.SecretCertKey], secret.Data[certificates.SecretPKKey])
 		if err != nil {
 			logger.Fatalw("failed to load certs", zap.Error(err))
 		}

cmd/controller/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	// The set of controllers this controller process runs.
+	certificate "knative.dev/control-protocol/pkg/certificates/reconciler"
 	"knative.dev/serving/pkg/reconciler/configuration"
 	"knative.dev/serving/pkg/reconciler/gc"
 	"knative.dev/serving/pkg/reconciler/labeler"
@@ -30,6 +31,7 @@ import (
 	// This defines the shared main for injected controllers.
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/serving/pkg/networking"
 )
 
 var ctors = []injection.ControllerConstructor{
@@ -41,6 +43,7 @@ var ctors = []injection.ControllerConstructor{
 	service.NewController,
 	gc.NewController,
 	nscert.NewController,
+	certificate.NewControllerFactory(networking.ServingCertName),
 }
 
 func main() {

cmd/queue/main.go

@@ -33,6 +33,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/types"
 
+	"knative.dev/control-protocol/pkg/certificates"
 	netheader "knative.dev/networking/pkg/http/header"
 	netproxy "knative.dev/networking/pkg/http/proxy"
 	netstats "knative.dev/networking/pkg/http/stats"
@@ -66,10 +67,10 @@ const (
 	drainSleepDuration = 30 * time.Second
 
 	// certPath is the path for the server certificate mounted by queue-proxy.
-	certPath = queue.CertDirectory + "/tls.crt"
+	certPath = queue.CertDirectory + "/" + certificates.SecretCertKey
 
 	// keyPath is the path for the server certificate key mounted by queue-proxy.
-	keyPath = queue.CertDirectory + "/tls.key"
+	keyPath = queue.CertDirectory + "/" + certificates.SecretPKKey
 )
 
 type config struct {

test/config/tls/config-network.yaml → config/core/300-secret.yaml

@@ -13,17 +13,19 @@
 # limitations under the License.
 
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: config-network
+  # Do not drop -ctrl-ca suffix as control-protocol requires it.
+  # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+  name: serving-certs-ctrl-ca
+  namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knative-serving-certs
+  namespace: knative-serving
   labels:
-    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
-data:
-  activator-ca: "serving-ca"
-  activator-san: "knative"
-  activator-cert-secret: "server-certs"
-  queue-proxy-ca: "serving-ca"
-  queue-proxy-san: "knative"
-  queue-proxy-cert-secret: "server-certs"
+    serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.

go.mod

@@ -33,10 +33,11 @@ require (
 	k8s.io/client-go v0.23.5
 	k8s.io/code-generator v0.23.5
 	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
-	knative.dev/caching v0.0.0-20220524205104-c7b5b7d2835e
-	knative.dev/hack v0.0.0-20220524153203-12d3e2a7addc
-	knative.dev/networking v0.0.0-20220524205304-22d1b933cf73
-	knative.dev/pkg v0.0.0-20220524202603-19adf798efb8
+	knative.dev/caching v0.0.0-20220610113725-9c092893371a
+	knative.dev/control-protocol v0.0.0-20220610133426-4a1c8e84039f
+	knative.dev/hack v0.0.0-20220610014127-dc6c287516dc
+	knative.dev/networking v0.0.0-20220614203516-07c9d7614c61
+	knative.dev/pkg v0.0.0-20220610014025-7d607d643ee2
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -296,6 +296,8 @@ github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2u
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudevents/conformance v0.2.0/go.mod h1:rHKDwylBH89Rns6U3wL9ww8bg9/4GbwRCDNuyoC6bcc=
+github.com/cloudevents/sdk-go/v2 v2.4.1/go.mod h1:MZiMwmAh5tGj+fPFvtHv9hKurKqXtdB9haJYMJ/7GJY=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -856,6 +858,7 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:
 github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
@@ -2242,14 +2245,21 @@ k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-knative.dev/caching v0.0.0-20220524205104-c7b5b7d2835e h1:IiBNMvIAMEVAweBxootmBHystWDT8q+FLT/ng5V6I78=
-knative.dev/caching v0.0.0-20220524205104-c7b5b7d2835e/go.mod h1:yYNZINwZnAthrLT5Cib64oSDqBDya4Cd2q+It9XJOwI=
-knative.dev/hack v0.0.0-20220524153203-12d3e2a7addc h1:gqxyFRgwJDioT4DmRYezz6z2j/wvFZVUbl6c9KeMj6I=
+knative.dev/caching v0.0.0-20220610113725-9c092893371a h1:HMiI0L60m16KhkBLDyb8XV3GSaBM6ZPqRSluAwJ4XKs=
+knative.dev/caching v0.0.0-20220610113725-9c092893371a/go.mod h1:IcfEPqEP6ma4EcRUcPkwVNx5FWHHWu8w4/eqRQguDwc=
+knative.dev/control-protocol v0.0.0-20220610133426-4a1c8e84039f h1:vdhs0WWGojtUldsM/ijbOfYY2LTO3GlulilCgeZX4Js=
+knative.dev/control-protocol v0.0.0-20220610133426-4a1c8e84039f/go.mod h1:MjnhSes1u2GIoqwQia5bSe3Ny8r+d5//UB+Y/en2ZL8=
 knative.dev/hack v0.0.0-20220524153203-12d3e2a7addc/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/networking v0.0.0-20220524205304-22d1b933cf73 h1:TNa2x1vLb8vGa+i0lrqFAkRwQp8+Bt1iHdKI6ZV4KDY=
-knative.dev/networking v0.0.0-20220524205304-22d1b933cf73/go.mod h1:oIETD09Q4GSOXjdBdiPc0eEQxMwmjH7/gdhfg+sgdW8=
-knative.dev/pkg v0.0.0-20220524202603-19adf798efb8 h1:7vZxPKJsJ4LkJTLiTy48nfykzfDi69OS4GKRs0qeSM4=
+knative.dev/hack v0.0.0-20220609132040-fd240e2cef5c/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
+knative.dev/hack v0.0.0-20220610014127-dc6c287516dc h1:LyqyT+rtgZYfOb3ChGE5jTFApCOcUmAcSV+TzgLxnys=
+knative.dev/hack v0.0.0-20220610014127-dc6c287516dc/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
+knative.dev/networking v0.0.0-20220614203516-07c9d7614c61 h1:IsEfLWjHFt10XEUnAE/W4XcEU2uA+PMd1aZFkz5vrzA=
+knative.dev/networking v0.0.0-20220614203516-07c9d7614c61/go.mod h1:oIETD09Q4GSOXjdBdiPc0eEQxMwmjH7/gdhfg+sgdW8=
 knative.dev/pkg v0.0.0-20220524202603-19adf798efb8/go.mod h1:pApypeWDkGrsMkUDkV6StWXS4CXhwGWuJEID9GGZY0Y=
+knative.dev/pkg v0.0.0-20220609131940-865e331abfa5/go.mod h1:pApypeWDkGrsMkUDkV6StWXS4CXhwGWuJEID9GGZY0Y=
+knative.dev/pkg v0.0.0-20220610014025-7d607d643ee2 h1:MMClRZRz6rzhrpySJ21XCJqVDd4K3rurUEJ1Yrh8DmA=
+knative.dev/pkg v0.0.0-20220610014025-7d607d643ee2/go.mod h1:pApypeWDkGrsMkUDkV6StWXS4CXhwGWuJEID9GGZY0Y=
+knative.dev/reconciler-test v0.0.0-20220610014025-b62b10257cbf/go.mod h1:/ps2aEdmtjId+pUGJuuADQN4IucIp4rI7KnrYEahOgE=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=

openshift/ci-operator/generate-ci-config.sh

@@ -4,6 +4,7 @@ branch=${1-'knative-v0.6.0'}
 openshift=${2-'4.3'}
 promotion_disabled=${3-false}
 generate_continuous=${4-false}
+internal_tls_enabled=${5-false}
 
 if [[ "$branch" == "knative-next" ]]; then
   promotion_name="knative-nightly"
@@ -150,7 +151,9 @@ EOF
 
   print_single_test    "e2e-aws-ocp-${openshift//./}"             "make test-e2e"         "" "true" "generic-claim" ""
 
-  if [[ "$generate_continuous" == true ]]; then
+  if [[ "$internal_tls_enabled" == true ]]; then
+    print_single_test "e2e-aws-ocp-${openshift//./}-continuous"  "make test-e2e-tls"          "" "true" "generic-claim" "${cron}"
+  elif [[ "$generate_continuous" == true ]]; then
     print_single_test "e2e-aws-ocp-${openshift//./}-continuous"  "make test-e2e"          "" "true" "generic-claim" "${cron}"
   fi
 

openshift/ci-operator/update-ci.sh

@@ -39,7 +39,7 @@ CONFIG=$CONFIGDIR/openshift-knative-serving-release-$VERSION
 PERIODIC_CONFIG=$PERIODIC_CONFIGDIR/openshift-knative-serving-release-$VERSION-periodics.yaml
 CURDIR=$(dirname $0)
 
-# $1=branch $2=openshift $3=promotion_disabled $4=generate_continuous
+# $1=branch $2=openshift $3=promotion_disabled $4=generate_continuous $5=internal_tls_enabled(optional)
 $CURDIR/generate-ci-config.sh knative-$VERSION 4.6 true false > ${CONFIG}__46.yaml
 $CURDIR/generate-ci-config.sh knative-$VERSION 4.7 true false > ${CONFIG}__47.yaml
 $CURDIR/generate-ci-config.sh knative-$VERSION 4.8 true false > ${CONFIG}__48.yaml

openshift/e2e-common.sh

@@ -229,6 +229,23 @@ spec:
       logging.enable-request-log: "true"
 EOF
 
+  # TODO: Only one cluster enables internal-tls but it should be enabled by default when the feature is stable.
+  if [[ ${ENABLE_INTERNAL_TLS} == "true" ]]; then
+    oc patch knativeserving knative-serving \
+        -n "${SERVING_NAMESPACE}" \
+        --type merge --patch '{"spec": {"config": {"network": {"internal-encryption": "true"}}}}'
+    oc patch knativeserving knative-serving \
+        -n "${SERVING_NAMESPACE}" \
+        --type merge --patch '{"spec": {"config": {"kourier": {"cluster-cert-secret": "server-certs"}}}}'
+    # Deploy certificates for testing TLS with cluster-local gateway
+    timeout 600 '[[ $(oc get ns $SERVING_INGRESS_NAMESPACE -oname | wc -l) == 0 ]]' || return 1
+    yq read --doc 1 ./test/config/tls/cert-secret.yaml | sed "s/knative-serving/${SERVING_INGRESS_NAMESPACE}/" | oc apply -f -
+    echo "Restart activator to mount the certificates"
+    oc delete pod -n ${SERVING_NAMESPACE} -l app=activator
+    oc wait --timeout=60s --for=condition=Available deployment  -n ${SERVING_NAMESPACE} activator
+    echo "internal-encryption is enabled"
+  fi
+
   # Wait for 4 pods to appear first
   timeout 600 '[[ $(oc get pods -n $SERVING_NAMESPACE --no-headers | wc -l) -lt 4 ]]' || return 1
   wait_until_pods_running $SERVING_NAMESPACE || return 1
@@ -269,6 +286,15 @@ function prepare_knative_serving_tests_nightly {
   export GATEWAY_OVERRIDE=kourier
   export GATEWAY_NAMESPACE_OVERRIDE="$SERVING_INGRESS_NAMESPACE"
   export INGRESS_CLASS=kourier.ingress.networking.knative.dev
+
+  if [[ ${ENABLE_INTERNAL_TLS} == "true" ]]; then
+    # Deploy CA cert for testing TLS with cluster-local gateway
+    yq read --doc 0 ./test/config/tls/cert-secret.yaml | oc apply -f -
+    # This needs to match the name of Secret in test/config/tls/cert-secret.yaml
+    export CA_CERT=ca-cert
+    # This needs to match $san from test/config/tls/generate.sh
+    export SERVER_NAME=knative.dev
+  fi
 }
 
 function run_e2e_tests(){

openshift/e2e-tests.sh

@@ -9,6 +9,8 @@ env
 
 failed=0
 
+export ENABLE_INTERNAL_TLS="${ENABLE_INTERNAL_TLS:-false}"
+
 (( !failed )) && install_knative || failed=1
 (( !failed )) && prepare_knative_serving_tests_nightly || failed=2
 (( !failed )) && run_e2e_tests || failed=3

openshift/release/artifacts/2-serving-core.yaml

@@ -4451,6 +4451,39 @@ data:
     loglevel.net-istio-controller: "info"
     loglevel.net-contour-controller: "info"
 
+---
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  # Do not drop -ctrl-ca suffix as control-protocol requires it.
+  # https://github.com/knative-sandbox/control-protocol/blob/main/pkg/certificates/reconciler/controller.go
+  name: serving-certs-ctrl-ca
+  namespace: knative-serving
+# The data is populated when internal-encryption is enabled.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knative-serving-certs
+  namespace: knative-serving
+  labels:
+    serving-certs-ctrl: "data-plane"
+# The data is populated when internal-encryption is enabled.
+
 ---
 # Copyright 2018 The Knative Authors
 #
@@ -4627,53 +4660,15 @@ data:
     # Knative doesn't know about that otherwise.
     default-external-scheme: "http"
 
-    # The CA public certificate used to sign the activator TLS certificate.
-    # It is specified by the secret name, which has the "ca.crt" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-ca: ""
-
-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
-    # It must be set when "activator-ca" is specified.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-san: ""
-
-    # The server certificates to serve the TLS traffic from ingress to activator.
-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    activator-cert-secret: ""
-
-    # The CA public certificate used to sign the queue-proxy TLS certificate.
-    # It is specified by the secret name, which has the "ca.crt" data field.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    queue-proxy-ca: ""
-
-    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
-    # It must be set when "queue-proxy-ca" is specified.
-    # Use an empty value to disable the feature (default).
-    #
-    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
-    #       for now. Use with caution.
-    queue-proxy-san: ""
-
-    # The server certificates to serve the TLS traffic from activator to queue-proxy.
-    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
-    # Use an empty value to disable the feature (default).
+    # internal-encryption indicates whether internal traffic is encrypted or not.
+    # If this is "true", the following traffic are encrypted:
+    #  - ingress to activator
+    #  - ingress to queue-proxy
+    #  - activator to queue-proxy
     #
     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
     #       for now. Use with caution.
-    queue-proxy-cert-secret: ""
+    internal-encryption: "false"
 
 ---
 # Copyright 2018 The Knative Authors