我的书签
添加书签
移除书签Configuring HTTPS with TLS certificates
You can use either Certbot or to obtain certificates. Both tools support TLS certificates but if you want to enable Knative for automatic TLS certificate provisioning, you must install and configure the cert-manager tool:
Manually obtain and renew certificates: Both the Certbot and cert-manager tools can be used to manually obtain TLS certificates. In general, after you obtain a certificate, you must create a Kubernetes secret to use that certificate in your cluster. See the complete set of steps below for details about manually obtaining and configuring certificates.
Enable Knative to automatically obtain and renew TLS certificates: You can also use cert-manager to configure Knative to automatically obtain new TLS certificates and renew existing ones. If you want to enable Knative to automatically provision TLS certificates, instead see the Enabling automatic TLS certificate provisioning topic.
By default, the is used to demonstrate how to enable HTTPS connections, but you can configure Knative to use any certificate from a CA that supports the ACME protocol. However, you must use and configure your certificate issuer to use the challenge type.
You must meet the following requirements to enable secure HTTPS connections:
- Knative Serving must be installed. For details about installing the Serving component, see the .
- You must configure your Knative cluster to use a custom domain.
Important: Istio only supports a single certificate per Kubernetes cluster. To serve multiple domains using your Knative cluster, you must ensure that your new or existing certificate is signed for each of the domains that you want to serve.
If you already have a signed certificate for your domain, see for details about configuring your Knative cluster.
If you need a new TLS certificate, you can choose to use one of the following tools to obtain a certificate from Let’s Encrypt:
- Setup Certbot to manually obtain Let’s Encrypt certificates
- Setup cert-manager to either manually obtain a certificate, or to automatically provision certificates
This page covers details for both of the above options.
For details about using other CA’s, see the tool’s reference documentation:
Use the following steps to install Certbot and the use the tool to manually obtain a TLS certificate from Let’s Encrypt.
Run the following command to use Certbot to request a certificate using DNS challenge during authorization:
where
-dspecifies your domain. If you want to validate multiple domain’s, you can include multiple flags:-d MY.EXAMPLEDOMAIN.1 -d MY.EXAMPLEDOMAIN.2. For more information, see the reference.The Certbot tool walks you through the steps of validating that you own each domain that you specify by creating TXT records in those domains.
Result: CertBot creates two files:
- Certificate:
fullchain.pem - Private key:
privkey.pem
- Certificate:
What’s next:
Add the certificate and private key to your Knative cluster by creating a Kubernetes secret.
Using cert-manager to obtain Let’s Encrypt certificates
You can install and use cert-manager to either manually obtain a certificate or to configure your Knative cluster for automatic certificate provisioning:
Manual certificates: Install cert-manager and then use the tool to manually obtain a certificate.
To use cert-manager to manually obtain certificates:
.
Automatic certificates: Configure Knative to use cert-manager for automatically obtaining and renewing TLS certificate. The steps for installing and configuring cert-manager for this method are covered in full in the Enabling automatic TLS cert provisioning topic.
For instructions about enabling Knative for automatic certificate provisioning, see . Otherwise, continue below for instructions about manually adding a certificate.
To manually add a TLS certificate to your Knative cluster, you must create a Kubernetes secret and then configure the Knative Contour plugin
Create a Kubernetes secret to hold your TLS certificate,
cert.pem, and the private key,key.pem, by entering the following command:kubectl create --namespace contour-external tls default-cert \--key key.pem \--cert cert.pem
IMPORTANT Take note of the namespace and secret name. You will need these in future steps.
Contour requires you to create a delegation to use this certificate and private key in different namespaces. This can be done by creating the following resource:
Update the Knative Contour plugin to start using the certificate as a fallback when auto-TLS is disabled. This can be done with the following patch:
kubectl patch cm config-contour -n knative-serving \-p '{"data":{"default-tls-secret":"contour-external/default-cert"}}'
To manually add a TLS certificate to your Knative cluster, you create a Kubernetes secret and then configure the knative-ingress-gateway:
Create a Kubernetes secret to hold your TLS certificate,
cert.pem, and the private key,key.pem, by entering the following command:Note that the secret name is required.
Configure Knative to use the new secret that you created for HTTPS connections:
Run the following command to open the Knative shared
gatewayin edit mode:kubectl edit gateway knative-ingress-gateway --namespace knative-serving
Update the
gatewayto include the followingtls:section and configuration:# Please edit the object below. Lines beginning with a '#' will be ignored.# and an empty file will abort the edit. If an error occurs while saving this# file will be reopened with the relevant failures.apiVersion: networking.istio.io/v1alpha3metadata:# ... skipped ...spec:selector:istio: ingressgatewayservers:- "*"port:name: httpnumber: 80protocol: HTTP- hosts:- "*"port:name: httpsnumber: 443protocol: HTTPStls:mode: SIMPLEserverCertificate: /etc/istio/ingressgateway-certs/tls.crt
After your changes are running on your Knative cluster, you can begin using the HTTPS protocol for secure access your deployed Knative services.
