
Introduce option for Istio support #6596

@apo-ger


Problem
Currently, @kimwnasptd and I are trying to set up Knative Eventing with strict mTLS, as part of Kubeflow. The main issue we bumped into is the fact that someone needs to manually create DestinationRules/VirtualServices (#6283, istio/istio#13193 (comment), istio/istio#24886 (comment)).

It could help adopters of Knative Eventing who have a requirement for strict mTLS if there were an option in the Eventing Controller to create the required Istio resources.

Persona:
Event Producers

Without strict mTLS we can't have any AuthorizationPolicies to control who can talk to the broker-ingress and filter #6175.

Thus in a multi-user environment, like Kubeflow, everyone would be able to create events for all user namespaces.

Additional context (optional)
We understand that Knative Eventing no longer has a dependency on Istio (#294).

But, this means that the logic of creating the necessary resources for Knative Eventing to work with mTLS falls down to end users. We believe the Eventing Controller should:

  1. Have an option for toggling Istio support, which will be off by default
  2. If the option is on then
    • It's the Eventing Controller's job to ensure the resources created for a Broker CR can work with mTLS
    • The reconciliation loop will create the required DestinationRule or VirtualService

This way we'll avoid duplication of effort for adopters of Knative Eventing, where every one of us will need to rewrite this logic.

We would like to help in this effort, if you agree with our proposal.
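
Added example (not part of the original issue and not Knative's own manifests): the kind of Istio resources an adopter maintains by hand today, showing why a namespace-based AuthorizationPolicy on the broker ingress depends on strict mTLS. The install namespace, service host, pod label, tenant name `team-a` and the `/<namespace>/<broker>` ingress path are assumptions for illustration.

```yaml
# Illustrative only; every value marked "assumed" or "hypothetical" is not from the issue.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
  namespace: knative-eventing          # assumed install namespace
spec:
  mtls:
    mode: STRICT                       # reject plaintext so every request carries a peer identity
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: broker-ingress-mtls
  namespace: knative-eventing
spec:
  host: broker-ingress.knative-eventing.svc.cluster.local   # assumed service host
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL               # client sidecars originate Istio mTLS to this host
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: broker-ingress-team-a
  namespace: knative-eventing
spec:
  selector:
    matchLabels:
      eventing.knative.dev/brokerRole: ingress   # assumed pod label on the ingress workload
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["team-a"]         # hypothetical tenant; this field is only populated over mTLS
    to:
    - operation:
        methods: ["POST"]
        paths: ["/team-a/*"]           # assumed /<namespace>/<broker> path layout
```

Once an ALLOW policy selects the ingress workload, requests that match no rule are denied, so workloads in other namespaces cannot post events to `team-a` brokers.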
