local knative serving and ambassador without TLS


I am trying to use knative for some long running processes, triggered only locally from within the cluster.

As networking layer we already use ambassador, and it is configured with TLS, and to redirect HTTP requests to HTTPS:

apiVersion: v1
kind: Service
metadata:
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind:  Module
      name:  tls
      config:
        server:
          enabled: True
          redirect_cleartext_from: 8080
          alpn_protocols: h2,http/1.1
...

I created the service with the "cluster-local" flag:

kn service create helloworld-go --image gcr.io/knative-samples/helloworld-go --env TARGET="Go Sample v1" --cluster-local
Creating service 'helloworld-go' in namespace 'default':

  0.010s The Configuration is still working to reflect the latest desired specification.
  0.062s The Route is still working to reflect the latest desired specification.
  0.092s Configuration "helloworld-go" is waiting for a Revision to become ready.
  8.621s ...
  9.035s Ingress has not yet been reconciled.
 12.279s Ready to serve.

Service 'helloworld-go' created to latest revision 'helloworld-go-tcsyf-1' is available at URL:
http://helloworld-go.default.svc.cluster.local

and if I try to access it from within the cluster, I get redirected to the https version:

curl -v http://helloworld-go.default.svc.cluster.local
*   Trying 10.11.253.45:80...
* Connected to helloworld-go.default.svc.cluster.local (10.11.253.45) port 80 (#0)
> GET / HTTP/1.1
> Host: helloworld-go.default.svc.cluster.local
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< location: https://helloworld-go.default.svc.cluster.local/
< date: Thu, 17 Dec 2020 11:35:39 GMT
< server: envoy
< content-length: 0

With curl -k -v https://helloworld-go.default.svc.cluster.local it works, but obviously the hostname of the cert doesn't match cluster.local.

If I remove the redirect_cleartext_from: 8080, port 80 seems to be no longer available:

bash-5.0$ curl -v http://helloworld-go.default.svc.cluster.local
*   Trying 10.11.253.45:80...
* connect to 10.11.253.45 port 80 failed: Connection refused
* Failed to connect to helloworld-go.default.svc.cluster.local port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to helloworld-go.default.svc.cluster.local port 80: Connection refused

Is there a way to disable the http => https redirect only for svc.cluster.local? For other workloads (not served via knative) I can request them over http at http://deployment-name.namespace/


There is 1 answer

crsx On

I fixed it by upgrading ambassador to the latest version, using Host and TLSContext to configure TLS, and adding a Host config to serve cleartext for this host:

apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: knative-cluster-local
  namespace: default
spec:
  acmeProvider:
    authority: none
  hostname: '*.namespace.svc.cluster.local'
  requestPolicy:
    insecure:
      action: Route
  selector:
    matchLabels:
      hostname: knative-cluster-local
  tlsSecret:
    name: ambassador-certs
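For comparison, an added example (not part of the answer above) showing how the cleartext exception stays scoped: a Host for the public hostname keeps redirecting HTTP to HTTPS, while a second Host for the cluster-local suffix routes cleartext. The hostname api.example.com, the default namespace, the secret name ambassador-certs and the label values are assumed placeholders.

```yaml
# Public Host: keep the HTTP -> HTTPS redirect for traffic arriving from outside.
# Hostname, secret name and label values are assumed placeholders.
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: public-host
  namespace: default
spec:
  hostname: api.example.com
  acmeProvider:
    authority: none          # certificate comes from tlsSecret, not from ACME
  tlsSecret:
    name: ambassador-certs
  requestPolicy:
    insecure:
      action: Redirect       # cleartext requests for this host get a 301 to https://
  selector:
    matchLabels:
      hostname: public-host
---
# In-cluster Host: only requests whose Host header matches the cluster-local
# suffix are served over cleartext; everything else still hits the Redirect above.
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: knative-cluster-local
  namespace: default
spec:
  hostname: '*.default.svc.cluster.local'
  acmeProvider:
    authority: none
  tlsSecret:
    name: ambassador-certs
  requestPolicy:
    insecure:
      action: Route          # serve HTTP as-is for cluster-internal callers only
  selector:
    matchLabels:
      hostname: knative-cluster-local
```

To check the split from a pod, `curl -I http://helloworld-go.default.svc.cluster.local` should now answer directly while a cleartext request with the public hostname still returns the 301.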