Container Service for Kubernetes: Configure a certificate for Knative to access Services over HTTPS

Last Updated: Mar 26, 2026

Use a DomainMapping to expose a Knative Service over HTTPS with a custom domain. This involves creating a TLS Secret from a certificate and referencing it in the DomainMapping resource. When the tls block is present in a DomainMapping, the protocol switches from HTTP to HTTPS automatically.

Prerequisites

Before you begin, ensure that you have:

  • Knative deployed in your ACK cluster. For more information, see Deploy Knative.

  • kubectl configured to connect to your cluster.

Step 1: Create a Knative Service

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster you want to manage, then choose Applications > Knative in the left-side navigation pane.

  3. On the Services tab of the Knative page, set Namespace to default and click Create from Template. Select the Sample Template and click Create. A Service named helloworld-go is created.

Step 2: Create a TLS Secret

Knative uses Kubernetes Secrets to store TLS certificates and private keys. This step creates a self-signed certificate with OpenSSL and stores it as a Secret named secret-tls.

Self-signed certificates are suitable for testing only. Browsers do not trust self-signed certificates, and the certificate in this example is valid for 3,650 days with no automatic renewal. For production environments, use a certificate issued by a trusted Certificate Authority (CA).

  1. Run the following OpenSSL commands to generate a 4096-bit private key and a self-signed certificate for the domain helloworld.knative.top:

    openssl genrsa -out knativetop-key.pem 4096
    openssl req -subj "/CN=helloworld.knative.top" -sha256  -new -key knativetop-key.pem -out knativetop.csr
    echo subjectAltName = DNS:helloworld.knative.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in knativetop.csr -signkey knativetop-key.pem -out knativetop-cert.pem -extfile extfile.cnf

    Expected output:

    Signature ok
    subject=CN = helloworld.knative.top
    Getting Private key
  2. Verify the Base64-encoded content of each file before creating the Secret:

    • Encode the private key:

      cat knativetop-key.pem | base64

      Expected output:

      a25hdGl2ZXRvcC1r******

    • Encode the certificate:

      cat knativetop-cert.pem | base64

      Expected output:

      a25hdGl2ZXRvcC1jZ******==

  3. Create the Secret:

    kubectl create secret tls secret-tls --key knativetop-key.pem --cert knativetop-cert.pem

    Expected output:

    secret/secret-tls created
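The Base64 output in step 2 only shows that the files are readable. The following script is an added example, not part of the original page: run before `kubectl create secret tls`, it checks that the certificate and key belong together, that the certificate carries a DNS subjectAltName covering the domain later used as the DomainMapping name, and that it is not close to expiry. The function name `check_tls_pair`, the script name, and the 30-day default threshold are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight checks on a
# certificate/key pair before it is stored in a Kubernetes TLS Secret.
# Usage: ./check_tls_pair.sh CERT KEY DOMAIN [MIN_DAYS]  (script name is hypothetical)

check_tls_pair() {
  cert=$1; key=$2; domain=$3; min_days=${4:-30}

  # 1. Both files must parse. An unparsable file would otherwise yield an
  #    empty string and let the comparison in step 2 pass trivially.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot parse certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot parse private key $key"; return 1; }

  # 2. The certificate must carry the public half of this private key.
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: certificate and private key do not match"; return 1; }

  # 3. Require a DNS subjectAltName. -checkhost falls back to the CN when no
  #    DNS SAN is present, but many TLS clients ignore the CN entirely.
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 "Subject Alternative Name" | grep -q "DNS:" \
    || { echo "FAIL: certificate has no DNS subjectAltName"; return 1; }

  # 4. The certificate must cover the domain used as the DomainMapping name.
  openssl x509 -in "$cert" -noout -checkhost "$domain" 2>&1 \
    | grep -q "does match certificate" \
    || { echo "FAIL: certificate does not cover $domain"; return 1; }

  # 5. The certificate must remain valid for at least min_days more days.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within $min_days days"; return 1; }

  echo "OK: $cert matches $key and covers $domain"
}

# Run the check only when the script is called with arguments.
if [ "$#" -ge 3 ]; then check_tls_pair "$@"; fi
```

For the files generated above, the call is `check_tls_pair knativetop-cert.pem knativetop-key.pem helloworld.knative.top`; a non-zero exit status means the Secret should not be created from that pair.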

Step 3: Create a DomainMapping

A DomainMapping is a Knative resource object that maps a custom domain to one or more Knative Services. The tls.secretName field references the Secret created in the previous step. Adding this field switches the Service URL from HTTP to HTTPS.

  1. Create a file named helloworld.knative.top.yaml:

    vim helloworld.knative.top.yaml
  2. Add the following content, then save and exit:

    apiVersion: serving.knative.dev/v1beta1
    kind: DomainMapping
    metadata:
      name: helloworld.knative.top
      namespace: default
    spec:
      ref:
        name: helloworld-go
        kind: Service
        apiVersion: serving.knative.dev/v1
      # tls block specifies the secret to be used
      tls:
        secretName: secret-tls

    Key fields:

    Field                 Description
    metadata.name         The custom domain to map. Must match the domain in your certificate.
    metadata.namespace    The namespace containing both the DomainMapping and the target Service.
    spec.ref.name         The name of the Knative Service to route traffic to.
    tls.secretName        The name of the TLS Secret. Adding this field switches the protocol from HTTP to HTTPS.

  3. Apply the configuration:

    kubectl apply -f helloworld.knative.top.yaml

    Expected output:

    domainmapping.serving.knative.dev/helloworld.knative.top created
  4. Verify that the DomainMapping is ready and the URL uses HTTPS:

    kubectl get domainmapping helloworld.knative.top

    Expected output:

    NAME                          URL                                      READY   REASON
    helloworld.knative.top       https://helloworld.knative.top            True

    When READY is True and the URL shows https://, TLS is configured successfully.

Step 4: Test HTTPS access

The test command depends on which ingress type your cluster uses: ALB, MSE, or ASM.

ALB

Add a listener on port 443 in the AlbConfig resource. The following example adds an HTTPS listener to knative-internet:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: knative-internet
spec:
  config:
  ...
  listeners:
    - port: 443
      protocol: HTTPS # Valid values for protocol: HTTP, HTTPS, and QUIC.
  ...

Run the following command to test access. The -k flag skips certificate verification, which is required for self-signed certificates.

# Replace alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com with your ALB ingress address.
curl -H "host: helloworld.knative.top" https://alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com -k

MSE

# Replace 8.141.XX.XX with your MSE ingress address.
curl -H "host: helloworld-go.default.example.com" https://8.141.XX.XX -k

ASM

# Replace 8.141.XX.XX with your ASM ingress address.
curl -H "host: helloworld-go.default.example.com" http://8.141.XX.XX -k

Expected output for all three:

Hello Knative!
