In Knative, you can use a DomainMapping to bind a certificate to a custom domain name so that Services can be accessed over HTTPS. This topic describes how to configure the certificate.
Prerequisites
An Application Load Balancer (ALB) Ingress or Microservices Engine (MSE) Ingress is configured in Knative. For more information, see Use ALB Ingresses in Knative and Use MSE Ingresses in Knative to implement auto scali.
After you configure an ALB Ingress or MSE Ingress in Knative, you can create a DomainMapping to configure a certificate to access Services over HTTPS.
Step 1: Create a Knative Service
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Services tab of the Knative page, set Namespace to default and click Create from Template. Create a Knative Service from the sample template provided in the console and click Create. Then, a Service named helloworld-go is created.
Step 2: Create a certificate that is managed as a Secret
In Knative, Secrets are used to store and manage sensitive information, such as keys, passwords, and certificates. In this example, OpenSSL is used to create a self-signed certificate. The certificate and private key files are encoded by using Base64 and stored in a Secret in the cluster. The following example shows how to create a self-signed certificate that is managed as a Secret.
Run the following OpenSSL commands to create a self-signed certificate:
openssl genrsa -out knativetop-key.pem 4096
openssl req -subj "/CN=helloworld.knative.top" -sha256 -new -key knativetop-key.pem -out knativetop.csr
echo subjectAltName = DNS:helloworld.knative.top > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in knativetop.csr -signkey knativetop-key.pem -out knativetop-cert.pem -extfile extfile.cnf
Expected output:
Signature ok
subject=CN = helloworld.knative.top
Getting Private key
Use Base64 to encode the knativetop-key.pem and knativetop-cert.pem files in Step 1.
Run the following command to use Base64 to encode the knativetop-key.pem file:
cat knativetop-key.pem | base64
Expected output:
a25hdGl2ZXRvcC1r******
Run the following command to use Base64 to encode the knativetop-cert.pem file:
cat knativetop-cert.pem | base64
Expected output:
a25hdGl2ZXRvcC1jZ******==
Create a Secret.
The Secret can be used in the TLS configuration of the Knative Service to securely access the domain name helloworld.knative.top.
Run the following command to create a file named secret-tls.yaml:
vim secret-tls.yaml
Open the vi editor, add the following YAML content, save the change, and then exit:
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # the data is abbreviated in this example
  tls.crt: a25hdGl2ZXRvcC1jZ******== # The Base64-encoded knativetop-cert.pem file.
  tls.key: a25hdGl2ZXRvcC1r****** # The Base64-encoded knativetop-key.pem file.
Run the following command to deploy the resources defined in the secret-tls.yaml file to the ACK cluster:
kubectl apply -f secret-tls.yaml
Expected output:
secret/secret-tls created
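Before the Secret is applied, the certificate and key from this step can be checked against each other and against the domain name. The script below is an added example, not part of the original procedure: the function names are hypothetical, it relies only on the openssl CLI, and make_sample_pair (which needs OpenSSL 1.1.1 or later for -addext) only produces constructed test input.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# certificate and key before they are stored in the kubernetes.io/tls Secret.

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is valid for the host name (SAN match, wildcards included).
# openssl reports the result in its output, so the text is checked, not the exit code.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# True when the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Runs all checks; reports the first failure and returns 1, 2 or 3 accordingly.
# usage: preflight CERT KEY HOST
preflight() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 2; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days" >&2; return 3; }
    echo "ok: $1 and $2 are consistent for $3"
}

# Constructed sample input: a throwaway self-signed pair written to directory $1
# for host $2, valid for $3 days (default 365).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "${3:-365}" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone use:
#   sh preflight.sh knativetop-cert.pem knativetop-key.pem helloworld.knative.top
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit status identifies which check failed, so the script can gate the kubectl apply step in a deployment pipeline.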
Step 3: Create a DomainMapping
DomainMappings are resource objects in Knative. A DomainMapping maps a domain name to one or more Knative Services. You can create a DomainMapping to map a custom domain name to a Knative Service so that your applications can access the Service through the domain name.
Run the following command to create a file named helloworld.knative.top.yaml:
vim helloworld.knative.top.yaml
Open the vi editor, add the following YAML content, save the change, and then exit:
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: helloworld.knative.top
  namespace: default
spec:
  ref:
    name: helloworld-go
    kind: Service
    apiVersion: serving.knative.dev/v1
  # tls block specifies the secret to be used
  tls:
    secretName: secret-tls
Run the following command to deploy the resources defined in the helloworld.knative.top.yaml file to the ACK cluster:
kubectl apply -f helloworld.knative.top.yaml
Expected output:
domainmapping.serving.knative.dev/helloworld.knative.top created
Run the following command to verify the DomainMapping:
kubectl get domainmapping helloworld.knative.top
Expected output:
NAME                     URL                              READY   REASON
helloworld.knative.top   https://helloworld.knative.top   True
Step 4: Access the Knative Service over HTTPS
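Run the following command for your Ingress type to access the Knative Service over HTTPS. The -k option tells curl to skip certificate verification, which is required here because the certificate is self-signed: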
ALB
# alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com is the address of the ALB Ingress.
curl -H "host: helloworld.knative.top" https://alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com -k
MSE
# 8.141.XX.XX is the address of the MSE Ingress.
curl -H "host: helloworld-go.default.example.com" https://8.141.XX.XX -k
Expected output:
Hello Knative!