Provide HTTPS for cluster.local domains

[doddatpivotal]

/area networking
/kind feature

Expected Behavior

I would like to have an https based internal service? I'm currently configured for HTTPS for standard external service, but as soon as I put the internal service annotation on my kservice, the exposed service turns to HTTP.

Additional Info

In my particular use case, I have a 3rd party controller on my cluster that can be configured to call specific endpoints for processing. This controller exclusively uses an HTTPS client. I built a Kservice for this controller to call. However, even though I have no use for my service to be exposed outside the cluster, I had to configure it that way in order to have the KService be exposed as HTTPS.

My current cluster issuer configured with Knative serving and auto-tls would not work with the FQDN's for the custom service. I would expect the need to configure an alternative clusterissuer for internal service use.

[evankanderson]

Related to the Knative Eventing TLS proposal -- ideally, the same mechanism could be used for both this feature and for Eventing to reach the endpoint via TLS.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

[ReToCode]

Might be handled in #11906.

/remove-lifecycle stale

[amarflybot]

Will this also allow TLS on cluster-local to communicate between two knative service pods?
Currently certificates are not provided when we use cluster-local, because of https://github.com/knative/serving/blob/main/pkg/reconciler/route/route.go#L195-L200

[ReToCode]

Yes, this would be the intention.

[ReToCode]

1.14 will contain an experimental version of this feature. Docs PR here: knative/docs#5804