Story
Resolution: Unresolved
Currently we have a warning about secret informer filtering in:
- https://docs.openshift.com/serverless/1.31/knative-serving/config-custom-domains/domain-mapping-custom-tls-cert.html#serverless-ossm-secret-filtering-net-kourier_domain-mapping-custom-tls-cert
- https://docs.openshift.com/serverless/1.31/integrations/serverless-ossm-setup.html#serverless-ossm-secret-filtering-net-istio_serverless-ossm-setup
The warning itself should be improved, as we had questions about it from RHAI and customers:
Current version:
If you enable secret filtering, all of your secrets need to be labeled with networking.internal.knative.dev/certificate-uid: "<id>". Otherwise, Knative Serving does not detect them, which leads to failures. You must label both new and existing secrets.
Proposed version:
If you enable secret filtering, Knative controllers will now only read secrets which are labeled with networking.internal.knative.dev/certificate-uid: "<id>". Knative will automatically add this label to all Secrets that it owns. If you are using DomainMapping with custom TLS certificates, make sure to also add this label to your Secrets. Otherwise, Knative Serving does not detect them, which leads to failures. You must label both new and existing secrets.
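
A pre-flight check for the situation the warning describes, added here as an example (it is not part of the ticket or the OpenShift Serverless docs): it reports DomainMapping TLS secrets that lack the label. It assumes the input dicts have the shape of `kubectl get domainmappings.serving.knative.dev -A -o json` and `kubectl get secrets -A -o json`, and that the secret is referenced through `spec.tls.secretName`; the function name and sample objects are constructed.

```python
# Label key quoted in the warning text above.
LABEL = "networking.internal.knative.dev/certificate-uid"


def audit_domainmapping_secrets(domain_mappings, secrets):
    """Return sorted (namespace, domainmapping, secret, problem) tuples for each
    DomainMapping TLS secret that is absent or does not carry LABEL."""
    has_label = {}
    for item in secrets.get("items", []):
        meta = item["metadata"]
        labels = meta.get("labels") or {}
        has_label[(meta["namespace"], meta["name"])] = LABEL in labels

    findings = []
    for dm in domain_mappings.get("items", []):
        meta = dm["metadata"]
        secret = ((dm.get("spec") or {}).get("tls") or {}).get("secretName")
        if not secret:
            continue  # no custom TLS certificate on this DomainMapping
        key = (meta["namespace"], secret)  # the secret lives in the DomainMapping's namespace
        if key not in has_label:
            findings.append((meta["namespace"], meta["name"], secret, "secret not found"))
        elif not has_label[key]:
            findings.append((meta["namespace"], meta["name"], secret, "label missing"))
    return sorted(findings)


# Constructed sample input (not taken from a real cluster).
SAMPLE_DOMAIN_MAPPINGS = {"items": [
    {"metadata": {"namespace": "shop", "name": "shop.example.com"},
     "spec": {"tls": {"secretName": "shop-tls"}}},
    {"metadata": {"namespace": "api", "name": "api.example.com"},
     "spec": {"tls": {"secretName": "api-tls"}}},
    {"metadata": {"namespace": "api", "name": "plain.example.com"}, "spec": {}},
    {"metadata": {"namespace": "shop", "name": "old.example.com"},
     "spec": {"tls": {"secretName": "old-tls"}}},
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "shop", "name": "shop-tls",
                  "labels": {LABEL: "constructed-id"}}},
    {"metadata": {"namespace": "api", "name": "api-tls"}},  # no labels at all
]}

if __name__ == "__main__":
    for ns, dm, secret, problem in audit_domainmapping_secrets(
            SAMPLE_DOMAIN_MAPPINGS, SAMPLE_SECRETS):
        print(f"{ns}/{secret} (DomainMapping {dm}): {problem}")
```

Running it before enabling secret filtering gives the list of existing secrets that still need the label.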