Container Service for Kubernetes: Configure a certificate to access Services over HTTPS

Last Updated: Nov 03, 2023

In Knative, you can use a DomainMapping to bind a custom domain name and a TLS certificate to a Service so that the Service can be accessed over HTTPS. This topic describes how to configure the certificate.

Prerequisites

An Application Load Balancer (ALB) Ingress or Microservices Engine (MSE) Ingress is configured in Knative. For more information, see Use ALB Ingresses in Knative and Use MSE Ingresses in Knative to implement auto scali.

Note

After you configure an ALB Ingress or MSE Ingress in Knative, you can create a DomainMapping to configure a certificate to access Services over HTTPS.

Step 1: Create a Knative Service

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Applications > Knative in the left-side navigation pane.

  3. On the Services tab of the Knative page, set Namespace to default and click Create from Template. Create a Knative Service from the sample template provided in the console and click Create. Then, a Service named helloworld-go is created.

Step 2: Create a certificate that is managed as a Secret

In Knative, Secrets are used to store and manage sensitive information, such as keys, passwords, and certificates. In this example, OpenSSL is used to create a self-signed certificate. The certificate and private key files are encoded by using Base64 and stored in a Secret in the cluster. Base64 is an encoding, not encryption, so the encoded private key is as sensitive as the knativetop-key.pem file itself. The following example shows how to create a self-signed certificate that is managed as a Secret.

  1. Run the following OpenSSL commands to create a self-signed certificate:

    openssl genrsa -out knativetop-key.pem 4096
    openssl req -subj "/CN=helloworld.knative.top" -sha256  -new -key knativetop-key.pem -out knativetop.csr
    echo subjectAltName = DNS:helloworld.knative.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in knativetop.csr -signkey knativetop-key.pem -out knativetop-cert.pem -extfile extfile.cnf

    Expected output:

    Signature ok
    subject=CN = helloworld.knative.top
    Getting Private key
  2. Use Base64 to encode the knativetop-key.pem and knativetop-cert.pem files that were created in the previous step.

    • Run the following command to use Base64 to encode the knativetop-key.pem file:

      cat knativetop-key.pem | base64

      Expected output:

      a25hdGl2ZXRvcC1r******
    • Run the following command to use Base64 to encode the knativetop-cert.pem file:

      cat knativetop-cert.pem | base64

      Expected output:

      a25hdGl2ZXRvcC1jZ******==
  3. Create a Secret.

    The Secret can be used in the TLS configuration of the Knative Service to securely access the domain name helloworld.knative.top.

    1. Run the following command to create a file named secret-tls.yaml:

      vim secret-tls.yaml
    2. Open the vi editor, add the following YAML content, save the change, and then exit:

      apiVersion: v1
      kind: Secret
      metadata:
        name: secret-tls
      type: kubernetes.io/tls
      data:
        # the data is abbreviated in this example
        tls.crt: a25hdGl2ZXRvcC1jZ******== # The Base64-encoded knativetop-cert.pem file. 
        tls.key: a25hdGl2ZXRvcC1r******  # The Base64-encoded knativetop-key.pem file.

    3. Run the following command to deploy the resources defined in the secret-tls.yaml file to the ACK cluster:

      kubectl apply -f secret-tls.yaml

      Expected output:

      secret/secret-tls created
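
Before the Secret is applied, it is worth confirming that the key and certificate from Step 2 belong together, that the certificate covers helloworld.knative.top and that it is not about to expire. The following script is an added example, not part of the original topic or of Knative. The function names are hypothetical, and the file names, host name and Secret name are the ones used in Step 2.

```bash
#!/usr/bin/env bash
# Added example, not from the original topic. Function names are hypothetical;
# the file names, host name and Secret name are the ones used in Step 2.

# 0 if the private key and the certificate carry the same public key.
key_matches_cert() {            # key_matches_cert KEY CERT
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if HOST is covered by the certificate (DNS subjectAltName entries, else CN).
cert_covers_host() {            # cert_covers_host CERT HOST
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the certificate is still valid SECONDS from now (default: 30 days).
cert_valid_for() {              # cert_valid_for CERT [SECONDS]
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Print a kubernetes.io/tls Secret manifest. The base64 output is joined onto
# one line because GNU base64 wraps at 76 columns, which would break the YAML.
render_tls_secret() {           # render_tls_secret NAME KEY CERT
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$1"
  printf 'type: kubernetes.io/tls\ndata:\n'
  printf '  tls.crt: %s\n' "$(base64 < "$3" | tr -d '\n')"
  printf '  tls.key: %s\n' "$(base64 < "$2" | tr -d '\n')"
}

# Run every check, then emit the manifest; no manifest is printed on failure.
preflight() {                   # preflight HOST KEY CERT
  key_matches_cert "$2" "$3" || { echo "key does not match certificate" >&2; return 1; }
  cert_covers_host "$3" "$1" || { echo "certificate does not cover $1" >&2; return 1; }
  cert_valid_for "$3"        || { echo "certificate expires within 30 days" >&2; return 1; }
  render_tls_secret secret-tls "$2" "$3"
}

# Stand-alone use:
#   ./preflight.sh helloworld.knative.top knativetop-key.pem knativetop-cert.pem
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```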

Step 3: Create a DomainMapping

DomainMappings are resource objects in Knative. A DomainMapping maps a domain name to one or more Knative Services. You can create a DomainMapping to map a custom domain name to a Knative Service so that your applications can access the Service through the domain name.

  1. Run the following command to create a file named helloworld.knative.top.yaml:

    vim helloworld.knative.top.yaml
  2. Open the vi editor, add the following YAML content, save the change, and then exit:

    apiVersion: serving.knative.dev/v1alpha1
    kind: DomainMapping
    metadata:
      name: helloworld.knative.top
      namespace: default
    spec:
      ref:
        name: helloworld-go
        kind: Service
        apiVersion: serving.knative.dev/v1
      # The tls block specifies the Secret to be used.
      tls:
        secretName: secret-tls
  3. Run the following command to deploy the resources defined in the helloworld.knative.top.yaml file to the ACK cluster:

    kubectl apply -f helloworld.knative.top.yaml

    Expected output:

    domainmapping.serving.knative.dev/helloworld.knative.top created
  4. Run the following command to verify the DomainMapping:

    kubectl get domainmapping helloworld.knative.top

    Expected output:

    NAME                     URL                              READY   REASON
    helloworld.knative.top   https://helloworld.knative.top   True

Step 4: Access the Knative Service over HTTPS

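Run the command for your Ingress type to access the Knative Service over HTTPS. The -k option makes curl skip certificate verification, which is needed here because the certificate is self-signed.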

ALB

# alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com is the address of the ALB Ingress. 
curl -H "host: helloworld.knative.top" https://alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com -k

MSE

# 8.141.XX.XX is the address of the MSE Ingress. 
curl -H "host: helloworld-go.default.example.com" https://8.141.XX.XX -k

Expected output:

Hello Knative!