Container Service for Kubernetes: Configure a certificate for Knative to access Services over HTTPS

Last Updated: Nov 20, 2024

If you want to use a custom domain name to expose a Knative Service, we recommend that you configure a certificate for the domain name to secure data transmission. Knative allows you to use a DomainMapping to configure a certificate to access Services over HTTPS.

Prerequisites

Knative is deployed in your cluster. For more information, see Deploy Knative.

Step 1: Create a Knative Service

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Applications > Knative in the left-side navigation pane.

  3. On the Services tab of the Knative page, set Namespace to default and click Create from Template. Select the Sample Template provided in the console, which defines a Knative Service named helloworld-go, and click Create. A Service named helloworld-go is created.

Step 2: Create a certificate that is managed as a Secret

Knative uses Kubernetes Secrets to store and manage sensitive information, such as keys, passwords, and certificates. In this example, OpenSSL is used to create a self-signed certificate. The certificate and private key files are encoded by using Base64 and stored in a Secret in the cluster. The following example shows how to create a self-signed certificate that is managed as a Secret.

  1. Run the following OpenSSL commands to create a self-signed certificate:

    openssl genrsa -out knativetop-key.pem 4096
    openssl req -subj "/CN=helloworld.knative.top" -sha256 -new -key knativetop-key.pem -out knativetop.csr
    echo subjectAltName = DNS:helloworld.knative.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in knativetop.csr -signkey knativetop-key.pem -out knativetop-cert.pem -extfile extfile.cnf

    Expected output:

    Signature ok
    subject=CN = helloworld.knative.top
    Getting Private key
  2. Use Base64 to encode the knativetop-key.pem and knativetop-cert.pem files that were generated in the previous step.

    • Run the following command to use Base64 to encode the knativetop-key.pem file:

      cat knativetop-key.pem | base64

      Expected output:

      a25hdGl2ZXRvcC1r******
    • Run the following command to use Base64 to encode the knativetop-cert.pem file:

      cat knativetop-cert.pem | base64

      Expected output:

      a25hdGl2ZXRvcC1jZ******==
  3. Create a Secret from the key and certificate files.

    kubectl Base64-encodes the two files itself and stores them in the tls.key and tls.crt fields of the Secret, so the values in the Secret are the same strings that you produced in the previous step. The Secret is referenced in the TLS configuration of the DomainMapping for the Knative Service so that the domain name helloworld.knative.top can be accessed over HTTPS. Run the following command:

    kubectl create secret tls secret-tls --key knativetop-key.pem --cert knativetop-cert.pem

    Expected output:

    secret/secret-tls created

Step 3: Create a DomainMapping

DomainMappings are resource objects in Knative. A DomainMapping maps a domain name to one or more Knative Services. You can create a DomainMapping to map a custom domain name to a Knative Service so that your applications can access the Service through the domain name.

  1. Run the following command to create a file named helloworld.knative.top.yaml:

    vim helloworld.knative.top.yaml
  2. In the editor, add the following YAML content, save the file, and then exit:

    apiVersion: serving.knative.dev/v1beta1
    kind: DomainMapping
    metadata:
      name: helloworld.knative.top
      namespace: default
    spec:
      ref:
        name: helloworld-go
        kind: Service
        apiVersion: serving.knative.dev/v1
      # The tls block references the Secret that holds the certificate and key.
      tls:
        secretName: secret-tls
  3. Run the following command to deploy the resources defined in the helloworld.knative.top.yaml file to the ACK cluster:

    kubectl apply -f helloworld.knative.top.yaml

    Expected output:

    domainmapping.serving.knative.dev/helloworld.knative.top created
  4. Run the following command to verify the DomainMapping:

    kubectl get domainmapping helloworld.knative.top

    Expected output:

    NAME                          URL                                      READY   REASON
    helloworld.knative.top       https://helloworld.knative.top            True
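The following Go program is an added example; it is not code from this page, from Alibaba Cloud, or from Knative. It reproduces Steps 2 and 3 programmatically and adds the check a practitioner wants before applying the DomainMapping: it generates a self-signed certificate whose subjectAltName lists helloworld.knative.top (the equivalent of the openssl commands in Step 2), builds the kubernetes.io/tls Secret that `kubectl create secret tls` would create, and then verifies that the Secret's key matches its certificate, that the certificate is within its validity period, and that its SAN covers the domain name of the DomainMapping. The function names (SelfSignedCert, TLSSecret, CheckSecretCoversDomain) are the example's own, only the Go standard library is used, and the key is 2048-bit where the page uses 4096 so that the example runs quickly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Domain is the custom domain name that the DomainMapping in Step 3 maps.
const Domain = "helloworld.knative.top"

// SelfSignedCert does what the openssl commands in Step 2 do: an RSA key and a
// self-signed certificate whose subjectAltName lists host. The key is 2048-bit
// so that the example runs quickly; the page uses 4096.
func SelfSignedCert(host string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN entry that clients match against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour), // -days 3650
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// TLSSecret is the object that `kubectl create secret tls` produces: type
// kubernetes.io/tls with Base64-encoded tls.crt and tls.key entries.
func TLSSecret(name, namespace string, certPEM, keyPEM []byte) map[string]any {
	return map[string]any{
		"apiVersion": "v1",
		"kind":       "Secret",
		"type":       "kubernetes.io/tls",
		"metadata":   map[string]string{"name": name, "namespace": namespace},
		"data": map[string]string{
			"tls.crt": base64.StdEncoding.EncodeToString(certPEM),
			"tls.key": base64.StdEncoding.EncodeToString(keyPEM),
		},
	}
}

// CheckSecretCoversDomain is a pre-flight check to run before applying the
// DomainMapping: the key must match the certificate, the certificate must be
// inside its validity period, and a SAN entry must cover the mapped domain.
func CheckSecretCoversDomain(secret map[string]any, host string) error {
	data, _ := secret["data"].(map[string]string)
	certPEM, errCrt := base64.StdEncoding.DecodeString(data["tls.crt"])
	keyPEM, errKey := base64.StdEncoding.DecodeString(data["tls.key"])
	if errCrt != nil || errKey != nil {
		return fmt.Errorf("tls.crt or tls.key is not valid Base64")
	}
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("tls.key does not match tls.crt: %w", err)
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("tls.crt is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate is outside its validity period %s to %s", cert.NotBefore, cert.NotAfter)
	}
	return cert.VerifyHostname(host) // non-nil when no SAN entry matches host
}

func main() {
	certPEM, keyPEM, err := SelfSignedCert(Domain)
	if err != nil {
		panic(err)
	}
	secret := TLSSecret("secret-tls", "default", certPEM, keyPEM)
	manifest, _ := json.MarshalIndent(secret, "", "  ")
	fmt.Println(string(manifest))
	fmt.Println("covers", Domain+":", CheckSecretCoversDomain(secret, Domain))
	fmt.Println("covers other.example.com:", CheckSecretCoversDomain(secret, "other.example.com"))
}
```

Run it with `go run`; it prints the Secret manifest (the JSON form of what `kubectl create secret tls` stores) and the result of the check for the mapped domain and for a name the certificate does not cover. A mismatch between the Secret and the DomainMapping is not reported by `kubectl apply`; it surfaces only as a certificate error at the client, so catching it before the manifests are applied is cheaper.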

Step 4: Access the Knative Service over HTTPS

Use the commands for the gateway that your Knative deployment uses (ALB, MSE, or ASM) to access the Knative Service over HTTPS. In each command, the request is sent to the address of the gateway while the Host header carries the domain name of the DomainMapping. The -k option makes curl skip verification of the server certificate; it is needed here only because the certificate is self-signed. To verify the certificate instead, pass --cacert knativetop-cert.pem and replace the Host header with --resolve helloworld.knative.top:443:<gateway IP address>, so that curl uses the domain name for both the Host header and the SNI name and checks the certificate against the file you created in Step 2.

ALB

Before you run the access test, add an HTTPS listener on port 443 to the AlbConfig. The following example adds the listener to the AlbConfig named knative-internet:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: knative-internet
spec:
  config:
  ...
  listeners:
    - port: 443
      protocol: HTTPS # Valid values for protocol: HTTP, HTTPS, and QUIC.
  ...

Run the following command to perform an access test:

# alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com is the address of the ALB Ingress.
curl -H "host: helloworld.knative.top" https://alb-ppcate4ox6******.cn-beijing.alb.aliyuncs.com -k

MSE

# 8.141.XX.XX is the address of the MSE Ingress. The Host header must be the
# domain name of the DomainMapping so that the request matches the certificate.
curl -H "host: helloworld.knative.top" https://8.141.XX.XX -k

ASM

# 8.141.XX.XX is the address of the ASM Ingress.
curl -H "host: helloworld.knative.top" https://8.141.XX.XX -k

Expected output:

Hello Knative!
