我的书签
添加书签
移除书签- Enabling automatic TLS certificate provisioning
- Automatic TLS provision mode
- Before you begin
- Enabling Auto TLS
Enabling automatic TLS certificate provisioning
If you install and configure cert-manager, you can configure Knative to automatically obtain new TLS certificates and renew existing ones for Knative Services. To learn more about using secure connections in Knative, see Configuring HTTPS with TLS certificates.
Automatic TLS provision mode
Knative supports the following Auto TLS modes:
Using DNS-01 challenge
In this mode, your cluster needs to be able to talk to your DNS server to verify the ownership of your domain.
Provision Certificate per namespace is supported when using DNS-01 challenge mode.
- This is the recommended mode for faster certificate provision.
- In this mode, a single Certificate will be provisioned per namespace and is reused across the Knative Services within the same namespace.
Provision Certificate per Knative Service is supported when using DNS-01 challenge mode.
- This is the recommended mode for better certificate islation between Knative Services.
- In this mode, a Certificate will be provisioned for each Knative Service.
- The TLS effective time is longer as it needs Certificate provision for each Knative Service creation.
Using HTTP-01 challenge
- In this type, your cluster does not need to be able to talk to your DNS server. You must map your domain to the IP of the cluser ingress.
- When using HTTP-01 challenge, a certificate will be provisioned per Knative Service.
- HTTP-01 does not support provisioning a certificate per namespace.
Before you begin
You must meet the following prerequisites to enable Auto TLS:
- The following must be installed on your Knative cluster:
- Knative Serving.
- A Networking layer such as Kourier, Istio with SDS v1.3 or higher, Contour v1.1 or higher, or Gloo v0.18.16 or higher. See Install a networking layer or Istio with SDS, version 1.3 or higher.
Note: Currently, Ambassador is unsupported for use with Auto TLS.
- cert-manager version
1.0.0and higher. - Your Knative cluster must be configured to use a custom domain.
- Your DNS provider must be setup and configured to your domain.
- If you want to use HTTP-01 challenge, you need to configure your custom domain to map to the IP of ingress. You can achieve this by adding a DNS A record to map the domain to the IP according to the instructions of your DNS provider.
Enabling Auto TLS
To enable support for Auto TLS in Knative:
Create cert-manager ClusterIssuer
Create and add the
ClusterIssuerconfiguration file to your Knative cluster to define who issues the TLS certificates, how requests are validated, and which DNS provider validates those requests.ClusterIssuer for DNS-01 challenge
Use the cert-manager reference to determine how to configure your
ClusterIssuerfile:See the generic
ClusterIssuerexampleAlso see the
DNS01exampleExample: Cloud DNS
ClusterIssuerconfiguration file:The following
letsencrypt-issuernamedClusterIssuerfile is configured for the Let’s Encrypt CA and Google Cloud DNS. Underspec, the Let’s Encrypt account info, requiredDNS-01challenge type, and Cloud DNS provider info defined. For the complete Google Cloud DNS example, see Configuring HTTPS with cert-manager and Google Cloud DNS.apiVersion: cert-manager.io/v1alpha2kind: ClusterIssuermetadata:name: letsencrypt-dns-issuerspec:acme:server: https://acme-v02.api.letsencrypt.org/directory# This will register an issuer with LetsEncrypt. Replace# with your admin email address.email: myemail@gmail.comprivateKeySecretRef:# Set privateKeySecretRef to any unused secret name.name: letsencrypt-dns-issuersolvers:- dns01:clouddns:# Set this to your GCP project-idproject: $PROJECT_ID# Set this to the secret that we publish our service account key# in the previous step.serviceAccountSecretRef:name: cloud-dns-keykey: key.json
ClusterIssuer for HTTP-01 challenge
Run the following command to apply the ClusterIssuer for HTT01 challenge:
kubectl apply -f - <<EOFapiVersion: cert-manager.io/v1alpha2kind: ClusterIssuermetadata:name: letsencrypt-http01-issuerspec:acme:privateKeySecretRef:name: letsencryptserver: https://acme-v02.api.letsencrypt.org/directorysolvers:- http01:ingress:class: istioEOF
Ensure that the ClusterIssuer is created successfully:
kubectl get clusterissuer <cluster-issuer-name> --output yaml
Result: The
Status.Conditionsshould includeReady=True.
DNS-01 challenge only: Configure your DNS provider
If you choose to use DNS-01 challenge, configure which DNS provider is used to validate the DNS-01 challenge requests.
Instructions about configuring cert-manager, for all the supported DNS providers, are provided in DNS01 challenge providers and configuration instructions.
Example:
See how the Google Cloud DNS is defined as the provider: Configuring HTTPS with cert-manager and Google Cloud DNS
Install networking-certmanager deployment
Determine if
networking-certmanageris already installed by running the following command:kubectl get deployment networking-certmanager -n knative-serving
If
networking-certmanageris not found, run the following command:kubectl apply --filename https://github.com/knative/net-certmanager/releases/download/v0.22.0/release.yaml
Install networking-ns-cert component
If you choose to use the mode of provisioning certificate per namespace, you need to install networking-ns-cert components.
IMPORTANT: Provisioning a certificate per namespace only works with DNS-01 challenge. This component cannot be used with HTTP-01 challenge.
Determine if
networking-ns-certdeployment is already installed by running the following command:kubectl get deployment networking-ns-cert -n knative-serving
If
networking-ns-certdeployment is not found, run the following command:kubectl apply --filename https://github.com/knative/serving/releases/download/v0.22.0/serving-nscert.yaml
Configure config-certmanager ConfigMap
Update your config-certmanager ConfigMap in the knative-serving namespace to reference your new ClusterIssuer.
Run the following command to edit your
config-certmanagerConfigMap:kubectl edit configmap config-certmanager --namespace knative-serving
Add the
issuerRefwithin thedatasection:...data:...issuerRef: |kind: ClusterIssuername: letsencrypt-issuer
Example:
apiVersion: v1kind: ConfigMapmetadata:name: config-certmanagernamespace: knative-servinglabels:networking.knative.dev/certificate-provider: cert-managerdata:issuerRef: |kind: ClusterIssuername: letsencrypt-http01-issuer
issueRefdefines whichClusterIssuerwill be used by Knative to issue certificates.Ensure that the file was updated successfully:
kubectl get configmap config-certmanager --namespace knative-serving --output yaml
Turn on Auto TLS
Update the config-network ConfigMap in the knative-serving namespace to enable autoTLSand specify how HTTP requests are handled:
Run the following command to edit your
config-networkConfigMap:kubectl edit configmap config-network --namespace knative-serving
Add the
autoTLS: Enabledattribute under thedatasection:...data:...autoTLS: Enabled...
Example:
apiVersion: v1kind: ConfigMapmetadata:name: config-networknamespace: knative-servingdata:...autoTLS: Enabled...
Configure how HTTP and HTTPS requests are handled in the
httpProtocolattribute.By default, Knative ingress is configured to serve HTTP traffic (
httpProtocol: Enabled). Now that your cluster is configured to use TLS certificates and handle HTTPS traffic, you can specify whether or not any HTTP traffic is allowed.Supported
httpProtocolvalues:Enabled: Serve HTTP traffic.Disabled: Rejects all HTTP traffic.Redirected: Responds to HTTP request with a302redirect to ask the clients to use HTTPS.
...data:...autoTLS: Enabled...
Example:
apiVersion: v1kind: ConfigMapmetadata:name: config-networknamespace: knative-servingdata:...autoTLS: Enabled...httpProtocol: Redirected...
Note: When using HTTP-01 challenge,
httpProtocolfield has to be set toEnabledto make sure HTTP-01 challenge requests can be accepted by the cluster.Ensure that the file was updated successfully:
kubectl get configmap config-network --namespace knative-serving --output yaml
Congratulations! Knative is now configured to obtain and renew TLS certificates. When your TLS certificate is active on your cluster, your Knative services will be able to handle HTTPS traffic.
Verify Auto TLS
Run the following comand to create a Knative Service:
kubectl apply -f https://raw.githubusercontent.com/knative/docs/main/docs/serving/autoscaling/autoscale-go/service.yaml
When the certificate is provisioned (which could take up to several minutes depending on the challenge type), you should see something like:
NAME URL LATESTCREATED LATESTREADY READY REASONautoscale-go https://autoscale-go.default.{custom-domain} autoscale-go-6jf85 autoscale-go-6jf85 True
Note that the URL will be https in this case.
Disable Auto TLS per service or route
If you have Auto TLS enabled in your cluster, you can choose to disable Auto TLS for individual services or routes by adding the annotation networking.knative.dev/disableAutoTLS: true.
Using the previous autoscale-go example:
- Edit the service using
kubectl edit service.serving.knative.dev/autoscale-go -n defaultand add the annotation:
apiVersion: serving.knative.dev/v1kind: Servicemetadata:annotations:...networking.knative.dev/disableAutoTLS: "true"...
- The service URL should now be http, indicating that AutoTLS is disabled:
NAME URL LATEST AGE CONDITIONS READY REASONautoscale-go http://autoscale-go.default.1.arenault.dev autoscale-go-dd42t 8m17s 3 OK / 3 True
