The Application Load Balancer (ALB) Ingress controller supports automatic certificate discovery. ALB instances can discover certificates based on the domain name of Knative Services. This topic describes how to create a Transport Layer Security (TLS) certificate and use the certificate to configure access over HTTPS.

Prerequisites

An ALB Ingress is configured in Knative. For more information, see Use ALB Ingresses in Knative.

Procedure

You must create a TLS certificate, upload the certificate to the Certificate Management Service console, and then create a Knative Service that has TLS enabled. Then, the related ALB instance can automatically discover the TLS certificate based on the domain name of the Knative Service. Perform the following steps:

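  1. Run the following openssl commands to create a certificate. The last command signs the certificate with a CA, so the CA certificate (ca.pem) and the CA private key (ca-key.pem) must already exist in the current directory:
    # Generate a 4096-bit RSA private key for the certificate.
    openssl genrsa -out albtop-key.pem 4096
    # Create a certificate signing request (CSR) with the domain name as the CN.
    openssl req -subj "/CN=helloworld.default.knative.top" -sha256 -new -key albtop-key.pem -out albtop.csr
    # Put the domain name in the subjectAltName extension.
    echo subjectAltName = DNS:helloworld.default.knative.top > extfile.cnf
    # Sign the CSR with the CA to issue a certificate that is valid for 3650 days.
    openssl x509 -req -days 3650 -sha256 -in albtop.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out albtop-cert.pem -extfile extfile.cnf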
  2. Upload the certificate that you created to the Certificate Management Service console. For more information, see Upload a certificate.
  3. Create a Knative Service that has TLS enabled with the following YAML template.
    Set knative.k8s.alibabacloud/tls to true to enable access over HTTPS.
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld
      namespace: default
      annotations:
        knative.k8s.alibabacloud/tls: "true" 
    spec:
      template:
        spec:
          containers:
          - image: registry-vpc.cn-shenzhen.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
            env:
            - name: TARGET
              value: "Knative"
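  4. Run the following command to access the Knative Service over HTTPS. The -k option skips certificate verification, which is needed here because the request URL uses the domain name of the ALB instance while the certificate is issued for helloworld.default.knative.top: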
    curl -H "host: helloworld.default.knative.top" https://alb-ppcate4ox6ge9m1wik.cn-shenzhen.alb.aliyuncs.com -k
    Expected output:
    Hello Knative!
    The output shows that the Knative Service can be accessed over HTTPS.
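
Because the ALB instance discovers the certificate by the domain name of the Knative Service, it helps to confirm before the upload in step 2 that the certificate, the private key, the CA and the domain name fit together. The following script is an added example, not part of the original procedure; check_cert and the 30-day expiry threshold are assumptions of the example, and the file names are the ones used in step 1:

```shell
#!/bin/sh
# Added example: pre-upload checks for the certificate created in step 1.
# check_cert is a hypothetical helper; file names are the ones used on this page.

# check_cert CERT KEY CA DOMAIN
# Returns 0 only if every check passes; prints one line per failed check.
check_cert() {
  cert=$1 key=$2 ca=$3 domain=$4 rc=0

  # 1. The certificate must chain to the CA that signed it.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca" >&2; rc=1
  fi

  # 2. The private key must belong to the certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key of $cert" >&2; rc=1
  fi

  # 3. The certificate must be valid for the Knative Service domain, because
  #    the ALB instance discovers the certificate by that domain name.
  if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
       grep -q "does match certificate"; then
    echo "FAIL: $cert is not issued for $domain" >&2; rc=1
  fi

  # 4. The certificate must stay valid for at least 30 more days
  #    (the 30-day threshold is an assumption of this example).
  if ! openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
    echo "FAIL: $cert expires within 30 days or cannot be read" >&2; rc=1
  fi

  return "$rc"
}

# Run the checks when called with four arguments, for example:
#   sh check_cert.sh albtop-cert.pem albtop-key.pem ca.pem helloworld.default.knative.top
if [ "$#" -eq 4 ]; then
  check_cert "$@"
fi
```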