Skip to content

Latest commit

 

History

History
253 lines (201 loc) · 7.81 KB

using-auto-tls.md

File metadata and controls

253 lines (201 loc) · 7.81 KB
title linkTitle weight type
Enabling automatic TLS certificate provisioning
Enabling auto TLS certs
64
docs

If you install and configure cert-manager, you can configure Knative to automatically obtain new TLS certificates and renew existing ones. To learn more about using secure connections in Knative, see Configuring HTTPS with TLS certificates.

Before you begin

You must meet the following prerequisites to enable automatic certificate provisioning:

Enabling automatic certificate provisioning

To enable Knative to automatically provision TLS certificates:

  1. Determine if networking-certmanager is installed by running the following command:

    kubectl get deployment networking-certmanager -n knative-serving

  2. If networking-certmanager is not found, run the following commands to install it:

    # KNATIVE_VERSION needs to be 0.6.0 or above.
KNATIVE_VERSION=0.6.0

kubectl apply --filename https://github.com/knative/serving/releases/download/v${KNATIVE_VERSION}/serving.yaml \
--selector networking.knative.dev/certificate-provider=cert-manager

  3. Create and add the ClusterIssuer configuration file to your Knative cluster to define who issues the TLS certificates, how requests are validated (DNS-01), and which DNS provider validates those requests.

    1. Create the ClusterIssuer file:

      Use the cert-manager reference to determine how to configure your ClusterIssuer file:

      Example: Cloud DNS ClusterIssuer configuration file:

      The following letsencrypt-issuer named ClusterIssuer file is configured for the Let's Encrypt CA and Google Cloud DNS. Under spec, the Let's Encrypt account info, required DNS-01 challenge type, and Cloud DNS provider info defined. For the complete Google Cloud DNS example, see Configuring HTTPS with cert-manager and Google Cloud DNS.

      apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-issuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # This will register an issuer with LetsEncrypt.  Replace
    # with your admin email address.
    email: [email protected]
    privateKeySecretRef:
      # Set privateKeySecretRef to any unused secret name.
      name: letsencrypt-issuer
    dns01:
      providers:
      - name: cloud-dns-provider
        clouddns:
          # Set this to your GCP project-id
          project: $PROJECT_ID
          # Set this to the secret that we publish our service account key
          # in the previous step.
          serviceAccountSecretRef:
            name: cloud-dns-key
            key: key.json

    2. Add your ClusterIssuer configuration to your Knative cluster by running the following commands, where <filename> is the name of the file that you created:

      1. Add the configuration file to Knative:

        kubectl apply -f  <filename>.yaml

      2. Ensure that the file is created successfully:

        kubectl get clusterissuer --namespace cert-manager letsencrypt-issuer --output yaml

        Result: The Status.Conditions should include Ready=True.

  4. Update your config-certmanager ConfigMap in the knative-serving namespace to define your new ClusterIssuer configuration and your your DNS provider.

    1. Run the following command to edit your config-certmanager ConfigMap:

      kubectl edit configmap config-certmanager --namespace knative-serving

    2. Add the issuerRef and solverConfig sections within the data section:

      ...
data:
...
  issuerRef: |
    kind: ClusterIssuer
    name: letsencrypt-issuer

  solverConfig: |
    dns01:
      provider: cloud-dns-provider

      Example:

      apiVersion: v1
kind: ConfigMap
metadata:
  name: config-certmanager
  namespace: knative-serving
  labels:
    networking.knative.dev/certificate-provider: cert-manager
data:
  issuerRef: |
    kind: ClusterIssuer
    name: letsencrypt-issuer
  solverConfig: |
    dns01:
      provider: cloud-dns-provider

    3. Ensure that the file was updated successfully:

      kubectl get configmap config-certmanager --namespace knative-serving --output yaml

  5. Update the config-network ConfigMap in the knative-serving namespace to enable autoTLSand specify how HTTP requests are handled:

    1. Run the following command to edit your config-network ConfigMap:

      kubectl edit configmap config-network --namespace knative-serving

    2. Add the autoTLS: Enabled attribute under the data section:

      ...
data:
...
  autoTLS: Enabled
...

      Example:

      apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
   ...
   autoTLS: Enabled
   ...

    3. Configure how HTTP and HTTPS requests are handled in the httpProtocol attribute.

      By default, Knative ingress is configured to serve HTTP traffic (httpProtocol: Enabled). Now that your cluster is configured to use TLS certificates and handle HTTPS traffic, you can specify whether or not any HTTP traffic is allowed.

      Supported httpProtocol values:

      • Enabled: Serve HTTP traffic.

      • Disabled: Rejects all HTTP traffic.

      • Redirected: Responds to HTTP request with a 302 redirect to ask the clients to use HTTPS.

        ...
data:
...
  autoTLS: Enabled
...

        Example:

        apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
  ...
  autoTLS: Enabled
  ...
  httpProtocol: Redirected
  ...

    4. Ensure that the file was updated successfully:

      kubectl get configmap config-network --namespace knative-serving --output yaml

Congratulations! Knative is now configured to obtain and renew TLS certificates. When your TLS certificate is active on your cluster, your Knative services will be able to handle HTTPS traffic.