Skip to content

Add system-internal-tls-allow-serve-mode configuration option #1093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add system-internal-tls-allow-serve-mode configuration option #1093

wants to merge 1 commit into from

Conversation

@linkvt
Copy link

@linkvt linkvt commented Oct 21, 2025
edited
Loading

Hi,

related serving PR: knative/serving#16183

this PR adds a new configuration field to allow Serve mode when system-internal-tls is enabled. By default, enabling system-internal-tls forces all traffic to use Proxy mode because not all Knative ingress implementations support Serve mode with TLS enabled.

The new system-internal-tls-allow-serve-mode option allows users to enable Serve mode when their ingress implementation supports direct TLS connections to application containers.

Configuration:

  • Default: Disabled (forces Proxy mode for compatibility, current behavior)
  • Enabled: Allows Serve mode even with TLS enabled

I added the option to the network config as it makes IMO sense to put it close to the relevant system-internal-tls option, even if the effect is not really related to it.

Changes

  • 🎁 Allow enabling Serve mode when using system-internal-tls (alpha)

/kind enhancement

Release Note

Allow enabling Serve mode when using system-internal-tls (alpha)
- Adds a new configuration option `system-internal-tls-allow-serve-mode` to allow 
Serve mode when system-internal-tls is enabled. This is useful for ingress 
implementations that support direct TLS connections to application containers (e.g. kourier or istio).
- This is an alpha feature. Only enable if your ingress implementation 
supports Serve mode with TLS.

Questions:

  1. Do we want/need to stage this flag starting as alpha right now?
  2. Is a release note in this PR something we want do for a) config options and b) alpha options?
  3. Config option name is maybe a bit lengthy, let me know if I should improve this (possibly with suggestions).

Docs

Thanks for the feedback!

/cc @Fedosin

@knative-prow
Copy link

knative-prow bot commented Oct 21, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@knative-prow knative-prow bot requested a review from Fedosin October 21, 2025 13:41
@knative-prow knative-prow bot added kind/enhancement do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 21, 2025
@linkvt linkvt mentioned this pull request Oct 21, 2025
Open
@codecov
Copy link

codecov bot commented Oct 21, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.16%. Comparing base (0bde191) to head (94883fd).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1093      +/-   ##
==========================================
+ Coverage   93.14%   93.16%   +0.02%     
==========================================
  Files          36       36              
  Lines        1255     1259       +4     
==========================================
+ Hits         1169     1173       +4     
  Misses         72       72              
  Partials       14       14

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@linkvt
Add system-internal-tls-allow-serve-mode configuration option
94883fd 
This adds a new configuration field to allow Serve mode when
system-internal-tls is enabled. By default, enabling system-internal-tls
forces all traffic to use Proxy mode because not all Knative ingress
implementations support Serve mode with TLS enabled.

The new system-internal-tls-allow-serve-mode option allows users to
enable Serve mode when their ingress implementation supports direct TLS
connections to application containers.

Configuration:
- Default: Disabled (forces Proxy mode for compatibility)
- Enabled: Allows Serve mode even with TLS enabled
@linkvt linkvt force-pushed the allow-serve-mode-with-internal-tls branch from 71ee816 to 94883fd Compare October 21, 2025 13:45
@Fedosin
Copy link

Fedosin commented Oct 28, 2025

Hey! Thanks for the work you've done. The code is good, so I'm happy to put LGTM when you are ready.

Wrt your questions:

Do we want/need to stage this flag starting as alpha right now?

I think so, yes. The feature enables a potentially breaking behavior change for users whose ingress implementations don't support Serve mode with TLS, so this should be marked as alpha.

Is a release note in this PR something we want do for a) config options and b) alpha options?

For config options - yes, as release notes are valuable as they help users discover new configuration capabilities.
For alpha options - also yes, but clearly mark as alpha/experimental.

AI suggested this release note:

Allow enabling Serve mode when using system-internal-tls (alpha)

Adds a new configuration option `system-internal-tls-allow-serve-mode` to allow 
Serve mode when system-internal-tls is enabled. This is useful for ingress 
implementations that support direct TLS connections to application containers.

Note: This is an alpha feature. Only enable if your ingress implementation 
supports Serve mode with TLS.

Config option name is maybe a bit lengthy, let me know if I should improve this (possibly with suggestions).

Imo, it's okay. If we really need something shorter, it can be allow-serve-mode-with-tls

@linkvt linkvt marked this pull request as ready for review October 31, 2025 10:50
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2025
@linkvt
Copy link
Author

linkvt commented Oct 31, 2025

Thanks for the review, I updated the PR description and the other related PR.

/remove-approve - was added automatically as I'm co-release lead.

@knative-prow
Copy link

knative-prow bot commented Oct 31, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dprotaso for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 31, 2025
@linkvt
Copy link
Author

linkvt commented Nov 3, 2025

/check-cla

@linkvt
Copy link
Author

linkvt commented Nov 5, 2025

Could you please take a look @dprotaso ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Fedosin Fedosin Awaiting requested review from Fedosin

Assignees

No one assigned

Labels

kind/enhancement size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@linkvt @Fedosin