Bug 1941877

Summary: [DOCS] Clearly mention OpenShift route and Knative route, add a section for disabling external access to a Knative service
Product: OpenShift Container Platform Reporter: aygarg
Component: DocumentationAssignee: Ashleigh <abrennan>
Status: CLOSED WORKSFORME QA Contact: Xiaoli Tian <xtian>
Severity: unspecified Docs Contact: Ashleigh <abrennan>
Priority: unspecified    
Version: 4.7CC: abrennan, afield, aos-bugs, jokerman, jreimann
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-02 20:19:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description aygarg 2021-03-23 02:00:41 UTC 
Document URL:
https://docs.openshift.com/container-platform/4.7/serverless/networking/serverless-configuring-routes.html 

Describe the issue: 
In the documentation the below statement is present.

~~~
If you want to configure a Knative service to use your TLS certificate on OpenShift Container Platform, you must disable the automatic creation of a route for the service by the OpenShift Serverless Operator, and instead manually create a Route resource for the service.
~~~
--> In Serverless, the knative route gets created as well as the normal OpenShift route for application. It would be great to clearly mention that the normal OpenShift route doesn't get created when the above documentation is followed inside the "knative-serving-ingress" namespace while the knative route still remains there in the acutal application project

Add a section in the documentation about "Disabling external access to a Knative service", explaining the use of "networking.knative.dev/visibility: cluster-local" annotation. When this annotation is used while creating the knative service, it will be accessible from the cluster network only as it gets created with format of "<app-name>.<project>.svc.cluster.local"


Suggestions for improvement: 
--> Making clear about Knative route and OpenShift route.
--> Add a section for disabling external access to a Knative service using networking.knative.dev/visibility: cluster-local" annotation.
Comment 1 aygarg 2021-05-10 01:16:55 UTC 
Hello Team,

Any update on this?
Comment 2 Ashleigh 2021-05-14 13:53:04 UTC 
We are working on this for our 1.16.0 release (Jira tracking: https://issues.redhat.com/browse/SRVKS-711)
You may find the upstream Knative documentation on configuring private services useful in the meantime: https://knative.dev/development/serving/services/private-services/
Comment 3 Ashleigh 2021-08-02 20:19:33 UTC 
Documentation has been updated: https://docs.openshift.com/container-platform/4.7/serverless/knative_serving/serverless-configuring-routes.html