use new internal TLS names

pkg/reconciler/autoscaling/config/store_test.go

@@ -66,7 +66,7 @@ func TestStoreImmutableConfig(t *testing.T) {
 	config := store.Load()
 	config.Autoscaler.MaxScaleUpRate = 100.0
 	config.Deployment.ProgressDeadline = 3 * time.Minute
-	config.Network.DataplaneTrust = netcfg.TrustMinimal
+	config.Network.SystemInternalTLS = netcfg.EncryptionEnabled
 	newConfig := store.Load()
 
 	if newConfig.Autoscaler.MaxScaleUpRate == 100.0 {
@@ -76,7 +76,7 @@ func TestStoreImmutableConfig(t *testing.T) {
 		t.Error("Deployment config is not immutable")
 	}
 
-	if newConfig.Network.DataplaneTrust != netcfg.TrustDisabled {
+	if newConfig.Network.SystemInternalTLS != netcfg.EncryptionDisabled {
 		t.Error("Network config is not immutable")
 	}
 }

pkg/reconciler/autoscaling/kpa/kpa.go

@@ -25,7 +25,6 @@ import (
 	"go.uber.org/zap"
 
 	nv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
-	netcfg "knative.dev/networking/pkg/config"
 	"knative.dev/pkg/logging"
 	pkgmetrics "knative.dev/pkg/metrics"
 	"knative.dev/pkg/ptr"
@@ -129,7 +128,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, pa *autoscalingv1alpha1.
 	// When activator CA is enabled, force activator always in path.
 	// TODO: This is a temporary state and to be fixed.
 	// See also issues/11906 and issues/12797.
-	case config.FromContext(ctx).Network.DataplaneTrust != netcfg.TrustDisabled:
+	case config.FromContext(ctx).Network.SystemInternalTLSEnabled():
 		mode = nv1alpha1.SKSOperationModeProxy
 
 	// If the want == -1 and PA is inactive that implies the autoscaler

pkg/reconciler/autoscaling/kpa/kpa_test.go

@@ -128,7 +128,7 @@ func initialScaleZeroASConfig() *autoscalerconfig.Config {
 
 func activatorCertsNetConfig() *netcfg.Config {
 	nc, _ := netcfg.NewConfigFromMap(map[string]string{
-		netcfg.DataplaneTrustKey: "minimal",
+		netcfg.SystemInternalTLSKey: "enabled",
 	})
 	return nc
 }
@@ -140,7 +140,7 @@ func defaultConfig() *config.Config {
 		deployment.ProgressDeadlineKey:  progressDeadline.String(),
 	})
 	networkConfig, _ := netcfg.NewConfigFromMap(map[string]string{
-		netcfg.DataplaneTrustKey: "disabled",
+		netcfg.SystemInternalTLSKey: "disabled",
 	})
 
 	return &config.Config{

pkg/reconciler/route/resources/ingress.go

@@ -29,7 +29,6 @@ import (
 
 	"knative.dev/networking/pkg/apis/networking"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
-	netcfg "knative.dev/networking/pkg/config"
 	netheader "knative.dev/networking/pkg/http/header"
 	ingress "knative.dev/networking/pkg/ingress"
 	"knative.dev/pkg/kmeta"
@@ -150,7 +149,7 @@ func makeIngressSpec(
 				return netv1alpha1.IngressSpec{}, err
 			}
 			rule := makeIngressRule(domains, r.Namespace,
-				visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.DataplaneTrust != netcfg.TrustDisabled)
+				visibility, tc.Targets[name], ro.RolloutsByTag(name), networkConfig.SystemInternalTLSEnabled())
 			if featuresConfig.TagHeaderBasedRouting == apicfg.Enabled {
 				if rule.HTTP.Paths[0].AppendHeaders == nil {
 					rule.HTTP.Paths[0].AppendHeaders = make(map[string]string, 1)
@@ -172,7 +171,7 @@ func makeIngressSpec(
 					// Since names are sorted `DefaultTarget == ""` is the first one,
 					// so just pass the subslice.
 					rule.HTTP.Paths = append(
-						makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.DataplaneTrust != netcfg.TrustDisabled, names[1:]), rule.HTTP.Paths...)
+						makeTagBasedRoutingIngressPaths(r.Namespace, tc, ro, networkConfig.SystemInternalTLSEnabled(), names[1:]), rule.HTTP.Paths...)
 				} else {
 					// If a request is routed by a tag-attached hostname instead of the tag header,
 					// the request may not have the tag header "Knative-Serving-Tag",

pkg/reconciler/route/resources/ingress_test.go

@@ -1427,6 +1427,6 @@ func testContextWithHTTPOption() context.Context {
 
 func testContextWithActivatorCA() context.Context {
 	cfg := testConfig()
-	cfg.Network.DataplaneTrust = netcfg.TrustMinimal
+	cfg.Network.SystemInternalTLS = netcfg.EncryptionEnabled
 	return config.ToContext(context.Background(), cfg)
 }

pkg/reconciler/route/resources/service_test.go

@@ -419,7 +419,7 @@ func testConfig() *config.Config {
 			DefaultIngressClass: "test-ingress-class",
 			DomainTemplate:      netcfg.DefaultDomainTemplate,
 			TagTemplate:         netcfg.DefaultTagTemplate,
-			DataplaneTrust:      netcfg.TrustDisabled,
+			SystemInternalTLS:   netcfg.EncryptionDisabled,
 		},
 		Features: &apiConfig.Features{
 			MultiContainer:               apiConfig.Disabled,

test/e2e-common.sh

@@ -376,7 +376,7 @@ function install() {
 
   if (( ENABLE_TLS )); then
     echo "Patch to config-network to enable internal encryption"
-    toggle_feature dataplane-trust minimal config-network
+    toggle_feature system-internal-tls Enabled config-network
     if [[ "$INGRESS_CLASS" == "kourier.ingress.networking.knative.dev" ]]; then
       echo "Point Kourier local gateway to custom server certificates"
       toggle_feature cluster-cert-secret server-certs config-kourier

test/e2e/autoscale_test.go

@@ -175,8 +175,8 @@ func TestTargetBurstCapacity(t *testing.T) {
 	}
 
 	// TODO: Remove this when "activator always stay in path" is eliminated.
-	dataplaneTrustMode := cm.Data[netcfg.DataplaneTrustKey]
-	if (dataplaneTrustMode != "" && !strings.EqualFold(dataplaneTrustMode, string(netcfg.TrustDisabled))) || strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") {
+	dataplaneTrustMode := cm.Data[netcfg.SystemInternalTLSKey]
+	if (dataplaneTrustMode != "" && !strings.EqualFold(dataplaneTrustMode, string(netcfg.EncryptionDisabled))) || strings.EqualFold(cm.Data[netcfg.InternalEncryptionKey], "true") {
 		t.Skip("Skipping TestTargetBurstCapacity as activator always stay in path.")
 	}