Using a custom TLS certificate for DomainMapping

Feature Availability: beta since Knative v0.24

  • beta features are well-tested and enabling them is considered safe. Support for the overall feature will not be dropped, though details may change in incompatible ways.

By providing the reference to an existing TLS Certificate you can instruct a DomainMapping to use that certificate to secure the mapped service. Using this feature skips autoTLS certificate creation.

Prerequisites

  • You have followed the steps from Configuring custom domains and now have a working DomainMapping.
  • You must have a TLS certificate and its private key, either issued by your Certificate Authority provider or self-signed.

Procedure

  1. Assuming you have obtained the cert and key files from your Certificate Authority provider or self-signed, create a plain Kubernetes TLS Secret by running the command:

    Use kubectl to create the secret:

    kubectl create secret tls <tls-secret-name> --cert=path/to/cert/file --key=path/to/key/file

    Where <tls-secret-name> is the name of the secret object being created.

  2. Update your DomainMapping YAML file to use the newly created secret as follows:

    apiVersion: serving.knative.dev/v1alpha1
    kind: DomainMapping
    metadata:
      name: <domain-name>
      namespace: <namespace>
    spec:
      ref:
        name: <service-name>
        kind: Service
        apiVersion: serving.knative.dev/v1
      # tls block specifies the secret to be used
      tls:
        secretName: <tls-secret-name>

    Where:

    • <tls-secret-name> is the name of the TLS secret created in the previous step.
    • <domain-name> is the domain name that you want to map a Service to.
    • <namespace> is the namespace that contains both the DomainMapping and Service objects.
    • <service-name> is the name of the Service that will be mapped to the domain.
  3. Verify the DomainMapping status:

    1. Check the status by running the command:

      kubectl get domainmapping <domain-name>

      The URL column of the status should show the mapped domain with the scheme updated to https:

      NAME            URL                     READY   REASON
      <domain-name>   https://<domain-name>   True
    2. If the Service is exposed publicly, verify that it is available by running:

      curl https://<domain-name>

      If the certificate is self-signed, skip verification by adding the -k flag to the curl command.
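The three steps above, as an added example that is not part of the Knative documentation or code base: it builds the kubernetes.io/tls Secret and the DomainMapping manifest from the names used on this page, runs the pre-apply checks a practitioner wants before `kubectl apply` (the secret must have type kubernetes.io/tls, live in the DomainMapping's namespace, match spec.tls.secretName and carry both tls.crt and tls.key, which is the assumption this check encodes), and evaluates the step 3 readiness check on the JSON form of `kubectl get domainmapping <domain-name>` instead of the table. The PEM values are constructed placeholders.

```python
import base64
import json

# Constructed placeholder PEM material; real files come from your CA or openssl.
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"

def tls_secret(name, namespace, cert_pem, key_pem):
    """What `kubectl create secret tls` produces: a kubernetes.io/tls Secret."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": base64.b64encode(cert_pem).decode(),
                 "tls.key": base64.b64encode(key_pem).decode()},
    }

def domain_mapping(domain, namespace, service, secret_name):
    """The DomainMapping manifest from step 2, with spec.tls.secretName set."""
    return {
        "apiVersion": "serving.knative.dev/v1alpha1",
        "kind": "DomainMapping",
        "metadata": {"name": domain, "namespace": namespace},
        "spec": {
            "ref": {"name": service, "kind": "Service",
                    "apiVersion": "serving.knative.dev/v1"},
            "tls": {"secretName": secret_name},
        },
    }

def check_references(dm, secret):
    """Pre-apply checks (assumed): Secret type, namespace, name, tls.crt/tls.key."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("secret type is not kubernetes.io/tls")
    if secret["metadata"]["namespace"] != dm["metadata"]["namespace"]:
        problems.append("secret is not in the DomainMapping's namespace")
    if secret["metadata"]["name"] != dm["spec"]["tls"]["secretName"]:
        problems.append("spec.tls.secretName does not match the secret name")
    for key in ("tls.crt", "tls.key"):
        if key not in secret.get("data", {}):
            problems.append(f"secret is missing {key}")
    return problems

def mapping_is_https_ready(status_json):
    """Step 3 on `kubectl get domainmapping <name> -o json`: Ready True, https URL."""
    status = json.loads(status_json).get("status", {})
    conds = {c["type"]: c["status"] for c in status.get("conditions", [])}
    return conds.get("Ready") == "True" and status.get("url", "").startswith("https://")
```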