Configure a certificate for Knative to access Services over HTTPS - Container Service for Kubernetes

If you want to use a custom domain name to expose a Knative Service, we recommend that you configure a certificate for the domain name to secure data transmission. Knative allows you to use a DomainMapping to configure a certificate to access Services over HTTPS.

Prerequisites

Knative is deployed in your cluster. For more information, see Deploy Knative.

Step 1: Create a Knative Service

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose Applications > Knative in the left-side navigation pane.
On the Services tab of the Knative page, set Namespace to default and click Create from Template. Create a Knative Service named helloworld-go from the Sample Template provided in the console and click Create. Then, a Service named helloworld-go is created.

Step 2: Create a certificate that is managed as a Secret

In Knative, Secrets are used to store and manage sensitive information, such as keys, passwords, and certificates. In this example, OpenSSL is used to create a self-signed certificate. The certificate and private key files are encoded by using Base64 and stored in a Secret in the cluster. The following example shows how to create a self-signed certificate that is managed as a Secret.

Run the following OpenSSL commands to create a self-signed certificate:

openssl genrsa -out knativetop-key.pem 4096
openssl req -subj "/CN=helloworld.knative.top" -sha256  -new -key knativetop-key.pem -out knativetop.csr
echo subjectAltName = DNS:helloworld.knative.top > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in knativetop.csr -signkey knativetop-key.pem -out knativetop-cert.pem -extfile extfile.cnf

Expected output:

Signature ok
subject=CN = helloworld.knative.top
Getting Private key

Use Base64 to encode the knativetop-key.pem and knativetop-cert.pem files in Step 1.
- Run the following command to use Base64 to encode the knativetop-key.pem file:
```
cat knativetop-key.pem | base64
```
  Expected output:
```
a25hdGl2ZXRvcC1r******
```
- Run the following command to use Base64 to encode the knativetop-cert.pem file:
```
cat knativetop-cert.pem | base64
```
  Expected output:
```
a25hdGl2ZXRvcC1jZ******==
```
Run the following command to create a Secret:
The Secret can be used in the TLS configuration of the Knative Service to securely access the domain name helloworld.knative.top.
```
kubectl create secret tls secret-tls --key knativetop-key.pem --cert knativetop-cert.pem
```
Expected output:
```
secret/secret-tls created
```

Step 3: Create a DomainMapping

DomainMappings are resource objects in Knative. A DomainMapping maps a domain name to one or more Knative Services. You can create a DomainMapping to map a custom domain name to a Knative Service so that your applications can access the Service through the domain name.

Run the following command to create a file named helloworld.knative.top.yaml:
```
vim helloworld.knative.top.yaml
```

Open the vi editor, add the following YAML content, save the change, and then exit:

apiVersion: serving.knative.dev/v1beta1
kind: DomainMapping
metadata:
  name: helloworld.knative.top
  namespace: default
spec:
  ref:
    name: helloworld-go
    kind: Service
    apiVersion: serving.knative.dev/v1
# tls block specifies the secret to be used
  tls:
    secretName: secret-tls

Run the following command to deploy the resources defined in the helloworld.knative.top.yaml file to the ACK cluster:
```
kubectl apply -f helloworld.knative.top.yaml
```
Expected output:
```
domainmapping.serving.knative.dev/helloworld.knative.top created
```

Run the following command to verify the DomainMapping:

kubectl get domainmapping helloworld.knative.top

Expected output:

NAME                          URL                                      READY   REASON
helloworld.knative.top       https://helloworld.knative.top            True

Step 4: Access the Knative Service over HTTPS

Run the following command to access the Knative Service over HTTPS:

ALB

Add a listener on port 443 in the AlbConfig. The following code provides an example of adding a listener on port 443 for knative-internet:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: knative-internet
spec:
  config:
  ...
  listeners:
    - port: 443
      protocol: HTTPS # Valid values for protocol: HTTP, HTTPS, and QUIC.
  ...

Run the following command to perform an access test:

# alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com is the address of the ALB Ingress. 
curl -H "host: helloworld.knative.top" https://alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com -k

MSE

# 8.141.XX.XX is the address of the MSE Ingress. 
curl -H "host: helloworld-go.default.example.com" https://8.141.XX.XX -k

ASM

# 8.141.XX.XX is the address of the ASM Ingress. 
curl -H "host: helloworld-go.default.example.com" http://8.141.XX.XX -k

Expected output:

Hello Knative!

References

You can configure probes to monitor the status and availability of the Knative Service. For more information, see Configure port probing in Knative.
You can enable Internet access for an elastic container instance by associating it with an elastic IP address (EIP). For more information, see Associate an EIP with the elastic container instance on which a Knative Service runs.