All Products
Search

This Product

    Container Compute Service:Configure a certificate to access Knative Services over HTTPS

    Document Center

    Container Compute Service:Configure a certificate to access Knative Services over HTTPS

    Last Updated:Mar 26, 2026

    Expose a Knative Service over HTTPS by creating a TLS certificate, storing it as a Kubernetes Secret, and binding it to a DomainMapping. This guide uses OpenSSL to generate a self-signed certificate for the domain helloworld.knative.top.

    Prerequisites

    Before you begin, ensure that you have:

    • Knative deployed in your ACS cluster. See Deploy Knative

    • A Knative Service to expose. The steps below use a sample Service named helloworld-go

    Step 1: Create a Knative Service

    1. Log on to the ACS console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the ID of the cluster you want to manage. In the left-side navigation pane of the cluster details page, choose Applications > Knative.

    3. On the Services tab of the Knative page, set Namespace to default and click Create from Template. Select Sample Template, then click Create. A Knative Service named helloworld-go is created.

      image.png

    Step 2: Create a TLS certificate as a Secret

    Kubernetes Secrets store sensitive data such as certificates and private keys. The following steps use OpenSSL to create a self-signed certificate valid for 3,650 days, then store it in a Secret named secret-tls.

    1. Generate a self-signed certificate for helloworld.knative.top:

      openssl genrsa -out knativetop-key.pem 4096
openssl req -subj "/CN=helloworld.knative.top" -sha256 -new -key knativetop-key.pem -out knativetop.csr
echo subjectAltName = DNS:helloworld.knative.top > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in knativetop.csr -signkey knativetop-key.pem -out knativetop-cert.pem -extfile extfile.cnf

      Expected output:

      Signature ok
subject=CN = helloworld.knative.top
Getting Private key

      This produces two files: a private key (knativetop-key.pem) and a certificate (knativetop-cert.pem).

    2. Encode the certificate files using Base64:

      • Encode the private key:

        cat knativetop-key.pem | base64

        Expected output:

        a25hdGl2ZXRvcC1r******

      • Encode the certificate:

        cat knativetop-cert.pem | base64

        Expected output:

        a25hdGl2ZXRvcC1jZ******==

    3. Create a TLS Secret from the certificate files:

      kubectl create secret tls secret-tls --key knativetop-key.pem --cert knativetop-cert.pem

      Expected output:

      secret/secret-tls created

    Step 3: Create a DomainMapping

    A DomainMapping maps a custom domain name to a Knative Service. Adding a tls block to the DomainMapping spec enables HTTPS using the Secret created in the previous step.

    1. Create a file named helloworld.knative.top.yaml:

      vim helloworld.knative.top.yaml

    2. Add the following content, save, and exit:

      apiVersion: serving.knative.dev/v1beta1
kind: DomainMapping
metadata:
  name: <domain-name>
  namespace: <namespace>
spec:
  ref:
    name: <service-name>
    kind: Service
    apiVersion: serving.knative.dev/v1
  tls:
    secretName: <tls-secret-name>

      Replace the placeholders with your values:

      Placeholder Description Example
      <domain-name> The custom domain name to map to the Service helloworld.knative.top
      <namespace> The namespace containing both the DomainMapping and the Service default
      <service-name> The name of the Knative Service to expose helloworld-go
      <tls-secret-name> The name of the TLS Secret created in Step 2 secret-tls

    3. Apply the DomainMapping:

      kubectl apply -f helloworld.knative.top.yaml

      Expected output:

      domainmapping.serving.knative.dev/helloworld.knative.top created

    4. Verify that the DomainMapping is ready:

      kubectl get domainmapping helloworld.knative.top

      Expected output:

      NAME                          URL                                      READY   REASON
helloworld.knative.top       https://helloworld.knative.top            True

      The URL column shows https://, confirming that TLS is active. If READY is not True, wait a few seconds and run the command again.

    Step 4: Test HTTPS access

    Test access through your ingress. The -k flag bypasses TLS verification and is required when using a self-signed certificate.

    ALB

    Add a listener on port 443 in your AlbConfig:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: knative-internet
spec:
  config:
  ...
  listeners:
    - port: 443
      protocol: HTTPS # Valid values: HTTP, HTTPS, QUIC
  ...

    Then test with the Application Load Balancer (ALB) Ingress address:

    # Replace alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com with your ALB Ingress address
curl -H "host: helloworld.knative.top" https://alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com -k

    MSE

    Test with the Microservice Engine (MSE) Ingress address:

    # Replace 8.141.XX.XX with your MSE Ingress address
curl -H "host: helloworld-go.default.example.com" https://8.141.XX.XX -k

    ASM

    Test with the Service Mesh (ASM) Ingress address:

    # Replace 8.141.XX.XX with your ASM Ingress address
curl -H "host: helloworld-go.default.example.com" http://8.141.XX.XX -k

    All three options return:

    Hello Knative!

    What's next

    Configure health checks for your Knative Services to monitor their availability. See Configure port probing in Knative.