knative
/
docs
mirror of https://github.com/knative/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Rename and reword `auto-tls` feature to `external-domain-tls` (#5692) 

* Rename and reword `auto-tls` feature to `external-domain-tls`

* Fix redirects

* Fix broken links
This commit is contained in:
Reto Lehmann 2023-10-05 07:57:06 +02:00 committed by GitHub
parent 1b7a1b0e4d
commit 6d938133f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 150 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
config/nav.yml
View File

@ -126,7 +126,7 @@ nav:
- Configuring ingress class: serving/services/ingress-class.md
- Configuring certificate class: serving/services/certificate-class.md
- Configuring custom domains: serving/services/custom-domains.md
- Using a custom TLS certificate for DomainMapping: serving/services/byo-certificate.md
- Using a custom TLS certificate for DomainMapping: serving/services/custom-tls-certificate-domain-mapping.md
- Using extensions enabled by QPOptions: serving/services/using-queue-extensions.md
# TODO: Add security section to docs?
- Configure resource requests and limits: serving/services/configure-requests-limits-services.md
@ -147,18 +147,18 @@ nav:
- Enabling requests to Knative services when additional authorization policies are enabled: serving/istio-authorization.md
- Exclude namespaces from the Knative webhook: serving/webhook-customizations.md
- Configuring high-availability components: serving/config-ha.md
- Configuring HTTPS connections: serving/using-a-tls-cert.md
- Enabling auto-TLS certs: serving/using-auto-tls.md
- Configuring the ingress gateway: serving/setting-up-custom-ingress-gateway.md
- Configuring domain names: serving/using-a-custom-domain.md
- Converting a Kubernetes Deployment to a Knative Service: serving/convert-deployment-to-knative-service.md
- Extending Queue Proxy image with QPOptions: serving/queue-extensions.md
# Serving config
- Serving configuration:
- Configure Deployment resources: serving/configuration/deployment.md
- Configuring gradual rollout of traffic to Revisions: serving/configuration/rolling-out-latest-revision-configmap.md
- Feature and extension flags: serving/configuration/feature-flags.md
- Configure the Defaults ConfigMap: serving/configuration/config-defaults.md
- Serving encryption configuration:
- Using custom TLS certificates in the networking layer: serving/encryption/using-certificates-in-networking-layer.md
- Enabling automatic TLS certificate provisioning: serving/encryption/enabling-automatic-tls-certificate-provisioning.md
# Serving - Application Security
- Application security:
- About Security-Guard: serving/app-security/security-guard-about.md

7
config/redirects.yml
View File

@ -1,7 +1,7 @@
plugins:
redirects:
redirect_maps:
contributing/about.md: contributing/README.md
contributing/about.md: community/README.md
eventing/broker/kafka-broker/kafka-configmap.md: eventing/configuration/kafka-channel-configuration.md
eventing/broker/create-mtbroker.md: eventing/brokers/create-broker.md
eventing/broker/example-mtbroker.md: eventing/brokers/broker-developer-config-options.md
@ -17,7 +17,6 @@ plugins:
reference/api/serving-api.md: serving/reference/serving-api.md
community/about.md: community/governance.md
contributing/contributing.md: community/contributing.md
contributing/about.md: community/governance.md
contributing/README.md: community/README.md
eventing/getting-started.md: getting-started/getting-started-eventing.md
admin/collecting-logs/README.md: serving/observability/logging/collecting-logs.md
@ -105,7 +104,7 @@ plugins:
developer/serving/deploying-from-private-registry.md: serving/deploying-from-private-registry.md
developer/serving/rolling-out-latest-revision.md: serving/rolling-out-latest-revision.md
developer/serving/services/README.md: serving/services/README.md
developer/serving/services/byo-certificate.md: serving/services/byo-certificate.md
developer/serving/services/byo-certificate.md: serving/services/custom-tls-certificate-domain-mapping.md
developer/serving/services/certificate-class.md: serving/services/certificate-class.md
developer/serving/services/configure-requests-limits-services.md: serving/services/configure-requests-limits-services.md
developer/serving/services/creating-services.md: serving/services/creating-services.md
@ -209,7 +208,7 @@ plugins:
serving/services/deployment.md: serving/configuration/deployment.md
serving/services/http-option.md: serving/services/http-protocol.md
serving/spec/knative-api-specification-1.0.md: https://github.com/knative/specs/blob/main/specs/serving/knative-api-specification-1.0.md
serving/using-an-ssl-cert/index.md: serving/using-a-tls-cert.md
serving/using-an-ssl-cert/index.md: serving/encryption/using-certificates-in-networking-layer.md
serving/using-subroutes.md: serving/traffic-management.md
about/case-studies/README.md: about/case-studies/deepc.md
eventing/brokers/create-mtbroker.md: eventing/brokers/create-broker.md

11
docs/install/installing-cert-manager.md
View File

@ -3,12 +3,11 @@
Install the [Cert-Manager](https://github.com/jetstack/cert-manager) tool to
obtain TLS certificates that you can use for secure HTTPS connections in
Knative. For more information about enabling HTTPS connections in Knative, see
[Configuring HTTPS with TLS certificates](../serving/using-a-tls-cert.md).
[Using custom certificates in networking-layer](../serving/encryption/using-certificates-in-networking-layer.md).
You can use cert-manager to either manually obtain certificates, or to enable
Knative for automatic certificate provisioning. Complete instructions about
automatic certificate provisioning are provided in
[Enabling automatic TLS cert provisioning](../serving/using-auto-tls.md).
Knative for automatic certificate provisioning. Complete instructions about this are provided in
[Enabling automatic TLS certificate provisioning](../serving/encryption/enabling-automatic-tls-certificate-provisioning.md).
Regardless of if your want to manually obtain certificates, or configure Knative
for automatic provisioning, you can use the following steps to install
@ -36,8 +35,8 @@ configuring Knative:
- **Manual**: If you installed cert-manager to manually obtain certificates,
continue to the following topic for instructions about creating a Kubernetes
secret:
[Manually adding a TLS certificate](../serving/using-a-tls-cert.md#manually-adding-a-tls-certificate)
[Manually adding a TLS certificate](../serving/encryption/using-certificates-in-networking-layer.md#manually-adding-a-tls-certificate)
- **Automatic**: If you installed cert-manager to use for automatic certificate
provisioning, continue to the following topic to enable that feature:
[Enabling automatic TLS certificate provisioning in Knative](../serving/using-auto-tls.md)
[Enabling automatic TLS certificate provisioning](../serving/encryption/enabling-automatic-tls-certificate-provisioning.md)

21
docs/install/yaml-install/serving/install-serving-with-yaml.md
View File

@ -170,20 +170,9 @@ The following tabs expand to show instructions for installing each Serving exten
=== "TLS with cert-manager"
Knative supports automatically provisioning TLS certificates through
[cert-manager](https://cert-manager.io/docs/). The following commands
install the components needed to support the provisioning of TLS certificates
through cert-manager.
1. Install [cert-manager version v1.0.0 or later](../../installing-cert-manager.md).
1. Install the component that integrates Knative with `cert-manager` by running the command:
```bash
kubectl apply -f {{ artifact(repo="net-certmanager",file="release.yaml")}}
```
1. Configure Knative to automatically configure TLS certificates by following the steps in
[Enabling automatic TLS certificate provisioning](../../../serving/using-auto-tls.md).
[cert-manager](https://cert-manager.io/docs/).
Follow the documentation in [Enabling automatic TLS certificate provisioning](../../../serving/encryption/enabling-automatic-tls-certificate-provisioning.md)
for more information.
=== "TLS with HTTP01"
@ -204,11 +193,11 @@ The following tabs expand to show instructions for installing each Serving exten
--patch '{"data":{"certificate-class":"net-http01.certificate.networking.knative.dev"}}'
```
3. Enable autoTLS by running the command:
3. Enable `external-domain-tls` by running the command:
```bash
kubectl patch configmap/config-network \
--namespace knative-serving \
--type merge \
--patch '{"data":{"auto-tls":"Enabled"}}'
--patch '{"data":{"external-domain-tls":"Enabled"}}'
```

2
docs/serving/README.md
View File

@ -10,7 +10,7 @@ Examples of supported Knative Serving use cases:
- Autoscaling, including scaling pods down to zero.
- Support for multiple networking layers, such as Contour, Kourier, and Istio, for integration into existing environments.
Knative Serving supports both HTTP and [HTTPS](using-a-tls-cert.md) networking protocols.
Knative Serving supports both HTTP and [HTTPS](encryption/using-certificates-in-networking-layer.md) networking protocols.
## Installation

184
docs/serving/using-auto-tls.md → docs/serving/encryption/enabling-automatic-tls-certificate-provisioning.md
View File

@ -1,61 +1,65 @@
# Enabling auto-TLS certs
# Enabling automatic TLS certificate provisioning
If you install and configure cert-manager, you can configure Knative to
automatically obtain new TLS certificates and renew existing ones for Knative
Services. To learn more about using secure connections in Knative, see
[Configuring HTTPS with TLS certificates](using-a-tls-cert.md).
Services for external domains (like `application.example.com`). Please note that we are working on bringing automatic HTTPS
connections for cluster-local domains (like `application.namespace.svc.cluster.local`) as well (for more details see the [issue](https://github.com/knative/serving/issues/13472)).
## Before you begin
The following must be installed on your Knative cluster:
- [Knative Serving](../install/yaml-install/serving/install-serving-with-yaml.md).
- [Knative Serving](../../install/yaml-install/serving/install-serving-with-yaml.md).
- A Networking layer such as Kourier, Istio with SDS v1.3 or higher, or Contour v1.1 or higher. See [Install a networking layer](../install/yaml-install/serving/install-serving-with-yaml.md#install-a-networking-layer) or [Istio with SDS, version 1.3 or higher](../install/installing-istio.md#installing-istio-with-SDS-to-secure-the-ingress-gateway).
- A Networking layer such as Kourier, Istio with SDS v1.3 or higher, or Contour v1.1 or higher. See [Install a networking layer](../../install/yaml-install/serving/install-serving-with-yaml.md#install-a-networking-layer) or [Istio with SDS, version 1.3 or higher](../../install/installing-istio.md#installing-istio-with-SDS-to-secure-the-ingress-gateway).
- [`cert-manager` version `1.0.0` or higher](../install/installing-cert-manager.md).
- [`cert-manager`](../../install/installing-cert-manager.md) version `1.0.0` or higher.
- Your Knative cluster must be configured to use a [custom domain](using-a-custom-domain.md).
- Your Knative cluster must be configured to use a [custom domain](../using-a-custom-domain.md).
- Your DNS provider must be setup and configured to your domain.
- If you want to use HTTP-01 challenge, you need to configure your custom
domain to map to the IP of ingress. You can achieve this by adding a DNS A record to map the domain to the IP according to the instructions of your DNS provider.
- If you want to use HTTP-01 challenge, you need to configure your custom domain to map to the IP of ingress.
You can achieve this by adding a DNS A record to map the domain to the IP according to the instructions of your DNS provider.
## Automatic TLS provision mode
Knative supports the following Auto TLS modes:
## Automatic TLS certificate provisioning configurations
Knative supports the following automatic TLS certificate provisioning configurations:
1. Using DNS-01 challenge
In this mode, your cluster needs to be able to talk to your DNS server to verify the ownership of your domain.
In this configuration, your cluster needs to be able to talk to your DNS server to verify the ownership of your domain.
In this configuration, you are able to configure two modes:
- **Provision Certificate per namespace is supported when using DNS-01 challenge mode.**
- **Provisioning of a wildcard Certificate for each namespace**
- This is the recommended mode for faster certificate provision.
- In this mode, a single Certificate will be provisioned per namespace and is reused across the Knative Services within the same namespace.
- In this mode, a wildcard Certificate will be provisioned for each namespace and is reused across the Knative Services within the same namespace.
- **Provision Certificate per Knative Service is supported when using DNS-01 challenge mode.**
- This is the recommended mode for better certificate isolation between Knative Services.
- **Provisioning of a Certificate for each Knative Service**
- This is the recommended mode for better Certificate isolation between Knative Services.
- In this mode, a Certificate will be provisioned for each Knative Service.
- The TLS effective time is longer as it needs Certificate provision for each Knative Service creation.
- The time to issue Certificates is longer as more Certificates are created in this mode.
1. Using HTTP-01 challenge
- In this type, your cluster does not need to be able to talk to your DNS server. You must map your domain to the IP of the cluster ingress.
- When using HTTP-01 challenge, **a certificate will be provisioned per Knative Service.**
- **HTTP-01 does not support provisioning a certificate per namespace.**
- In this configuration, your cluster does not need to be able to talk to your DNS server, but you must make sure that your DNS entry points to the IP of the cluster ingress.
- When using HTTP-01 challenge, **a certificate will be provisioned for each Knative Service.**
- **HTTP-01 does not support provisioning wildcard Certificates per namespace.**
## Enabling Auto TLS
1. Create and add the `ClusterIssuer` configuration file to your Knative cluster
## Enabling automatic TLS provisioning
### Creating a `ClusterIssuer`
1. Create and add the `ClusterIssuer` configuration to your Knative cluster
to define who issues the TLS certificates, how requests are validated,
and which DNS provider validates those requests.
- **ClusterIssuer for DNS-01 challenge:** use the cert-manager reference to determine how to configure your `ClusterIssuer` file.
- **ClusterIssuer for DNS-01 challenge:**
- See the generic [`ClusterIssuer` example](https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer)
- Also see the
[`DNS01` example](https://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/index.html)
Refer to the cert-manager documentation, like the [Generic `ClusterIssuer`](https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer) and the [`DNS01` example](https://cert-manager.io/docs/configuration/acme/dns01/)
For example, the following `ClusterIssuer` file named `letsencrypt-issuer` is
configured for the Let's Encrypt CA and Google Cloud DNS.
@ -90,32 +94,31 @@ and which DNS provider validates those requests.
- **ClusterIssuer for HTTP-01 challenge**
To apply the ClusterIssuer for HTTP01 challenge:
Refer to the cert-manager documentation, like the [`HTTP01 `ClusterIssuer`](https://cert-manager.io/docs/configuration/acme/http01/).
For example, the following `ClusterIssuer` uses Let's Encrypt using `HTTP01:
1. Create a YAML file using the following template:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-http01-issuer
spec:
acme:
privateKeySecretRef:
name: letsencrypt
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: istio
```
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-http01-issuer
spec:
acme:
privateKeySecretRef:
name: letsencrypt
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: istio
```
1. Apply your `ClusterIssuer` YAML file by running the command:
1. Apply the YAML file by running the command:
```bash
kubectl apply -f <filename>.yaml
```
Where `<filename>` is the name of the file you created in the previous step.
```bash
kubectl apply -f <filename>.yaml
```
1. Ensure that the ClusterIssuer is created successfully:
@ -125,6 +128,7 @@ and which DNS provider validates those requests.
Result: The `Status.Conditions` should include `Ready=True`.
### DNS-01 challenge only: Configure your DNS provider
If you choose to use DNS-01 challenge, configure which DNS provider is used to
@ -156,28 +160,46 @@ wildcard certificate like `*.my-ns.example.com`.
### Provisioning certificates per namespace (wildcard certificates)
!!! warning
Provisioning a certificate per namespace only works with DNS-01
Provisioning a wildcard Certificate per namespace only works with DNS-01
challenge. This component cannot be used with HTTP-01 challenge.
The per-namespace certificate manager uses namespace labels to select which
namespaces should have a certificate applied. For more details on namespace
selectors, see
[the Kubernetes documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors).
The per-namespace configuration uses namespace labels to select which
namespaces should have a certificate applied. The selection is configured using the
key `namespace-wildcard-cert-selector` in the `config-network` ConfigMap.
For example, you can use the following configurations:
Prior to release 1.0, the fixed label
`networking.knative.dev/disableWildcardCert: true` was used to disable
certificate generation for a namespace. In 1.0 and later, other labels such as
`kubernetes.io/metadata.name` may be used to select or restrict namespaces.
- `namespace-wildcard-cert-selector`: `""` = Use an empty value to disable the feature (this is the default).
- `namespace-wildcard-cert-selector`: `{}` = Use an empty object to enable for all namespaces.
To enable certificates for all namespaces except those with the
`networking.knative.dev/disableWildcardCert: true` label, use the following
command:
You can also configure the selector to opt-out when a specific label is on the namespace:
```yaml
namespace-wildcard-cert-selector:
matchExpressions:
- key: "networking.knative.dev/disableWildcardCert"
operator: "NotIn"
values: ["true"]
```
This selects all namespaces where the label value is not in the set `"true"`.
Or use existing kubernetes labels to select namespaces based on their name:
```yaml
namespace-wildcard-cert-selector:
matchExpressions:
- key: "kubernetes.io/metadata.name"
operator: "In"
values: ["my-namespace", "my-other-namespace"]
```
To apply the configuration you can use the following command (optionally adapting the label-selector):
```bash
kubectl patch --namespace knative-serving configmap config-network -p '{"data": {"namespace-wildcard-cert-selector": "{\"matchExpressions\": [{\"key\":\"networking.knative.dev/disableWildcardCert\", \"operator\": \"NotIn\", \"values\":[\"true\"]}]}"}}'
```
This selects all namespaces where the label value is not in the set `"true"`.
For more details on namespace selectors, see [the Kubernetes documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors).
### Configure config-certmanager ConfigMap
@ -215,9 +237,9 @@ in the `knative-serving` namespace to reference your new `ClusterIssuer`.
kubectl get configmap config-certmanager -n knative-serving -o yaml
```
### Turn on Auto TLS
### Turn on automatic TLS provisioning
Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/main/config/core/configmaps/network.yaml) in the `knative-serving` namespace to enable `auto-tls` and specify how HTTP requests are handled:
Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/main/config/core/configmaps/network.yaml) in the `knative-serving` namespace to enable `external-domain-tls` and specify how HTTP requests are handled:
1. Run the following command to edit your `config-network` ConfigMap:
@ -225,7 +247,7 @@ Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/
kubectl edit configmap config-network -n knative-serving
```
1. Add the `auto-tls: Enabled` attribute under the `data` section:
1. Add the `external-domain-tls: Enabled` attribute under the `data` section:
```yaml
apiVersion: v1
@ -235,22 +257,21 @@ Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/
namespace: knative-serving
data:
...
auto-tls: Enabled
external-domain-tls: Enabled
...
```
1. Configure how HTTP and HTTPS requests are handled in the [`http-protocol`](https://github.com/knative/serving/blob/main/config/core/configmaps/network.yaml#L109) attribute.
1. Configure how HTTP and HTTPS requests are handled with the `http-protocol` attribute.
By default, Knative ingress is configured to serve HTTP traffic
(`http-protocol: Enabled`). Now that your cluster is configured to use TLS
certificates and handle HTTPS traffic, you can specify whether or not any
HTTP traffic is allowed.
certificates and handle HTTPS traffic on external domains, you can specify whether any
HTTP traffic is allowed or not.
Supported `http-protocol` values:
- `Enabled`: Serve HTTP traffic.
- `Redirected`: Responds to HTTP request with a `302` redirect to ask the
clients to use HTTPS.
- `Redirected`: Responds to HTTP request with a `302` redirect to ask the clients to use HTTPS.
```yaml
data:
@ -267,7 +288,7 @@ Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/
namespace: knative-serving
data:
...
auto-tls: Enabled
external-domain-tls: Enabled
http-protocol: Redirected
...
```
@ -279,10 +300,11 @@ Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/
```
Congratulations! Knative is now configured to obtain and renew TLS certificates.
When your TLS certificate is active on your cluster, your Knative services will
be able to handle HTTPS traffic.
When your TLS Certificate is issued and available on your cluster, your Knative services will
be able to handle HTTPS traffic on the external domain.
### Verify Auto TLS
### Verification
1. Run the following command to create a Knative Service:
@ -294,14 +316,16 @@ be able to handle HTTPS traffic.
```bash
NAME URL LATESTCREATED LATESTREADY READY REASON
autoscale-go https://autoscale-go.default.{custom-domain} autoscale-go-6jf85 autoscale-go-6jf85 True
autoscale-go https://autoscale-go.default.{custom-domain} autoscale-go-6jf85 autoscale-go-6jf85 True
```
Note that the URL will be **https** in this case.
### Disable Auto TLS per service or route
If you have Auto TLS enabled in your cluster, you can choose to disable Auto TLS for individual services or routes by adding the annotation `networking.knative.dev/disable-auto-tls: true`.
## Disable automatic TLS certificate provisioning per Service or Route
If you have automatic TLS certificate provisioning enabled in your cluster, you can choose to disable the feature
for individual Knative Services or Routes by adding the annotation `networking.knative.dev/disable-external-domain-tls: true`.
Using the previous `autoscale-go` example:
@ -313,11 +337,11 @@ Using the previous `autoscale-go` example:
metadata:
annotations:
...
networking.knative.dev/disable-auto-tls: "true"
networking.knative.dev/disable-external-domain-tls: "true"
...
```
1. The service URL should now be **http**, indicating that AutoTLS is disabled:
1. The service URL should now be **http**, indicating that automatic TLS Certificate provisioning is disabled:
```bash
NAME URL LATEST AGE CONDITIONS READY REASON

51
docs/serving/using-a-tls-cert.md → docs/serving/encryption/using-certificates-in-networking-layer.md
View File

@ -1,11 +1,11 @@
# Configuring HTTPS with TLS certificates
# Using custom certificates in the networking layers
Learn how to configure secure HTTPS connections in Knative using TLS
certificates
([TLS replaces SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security)).
Configure secure HTTPS connections to enable your Knative services and routes to
[terminate external TLS connections](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_interception).
You can configure Knative to handle certificates that you manually specify, or
Knative allows to use custom TLS certificates to enable secure HTTPS connections for your Knative Services
for the external domain (like `application.example.com`). Please note that we are working on bringing automatic HTTPS
connections for cluster-local domains (like `application.namespace.svc.cluster.local`) as well
(for more details see the [issue](https://github.com/knative/serving/issues/13472)).
For external domains, you can configure Knative to handle certificates that you manually specify, or
you can enable Knative to automatically obtain and renew certificates.
You can use either [Certbot][cb] or [cert-manager][cm] to obtain certificates.
@ -23,7 +23,7 @@ cert-manager tool:
also use cert-manager to configure Knative to automatically obtain new TLS
certificates and renew existing ones. If you want to enable Knative to
automatically provision TLS certificates, instead see the
[Enabling automatic TLS certificate provisioning](using-auto-tls.md) topic.
[Enabling automatic TLS certificate provisioning](enabling-automatic-tls-certificate-provisioning.md) topic.
By default, the [Let's Encrypt Certificate Authority (CA)][le] is used to
demonstrate how to enable HTTPS connections, but you can configure Knative to
@ -36,8 +36,7 @@ use and configure your certificate issuer to use the
[cm]: https://github.com/jetstack/cert-manager
[cm-docs]: https://cert-manager.readthedocs.io/en/latest/getting-started/
[cm-providers]:
http://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/index.html?highlight=supported%20DNS01%20providers#supported-dns01-providers
[cm-providers]: https://cert-manager.io/docs/configuration/acme/dns01/
[le]: https://letsencrypt.org
[le-faqs]: https://letsencrypt.org/docs/faq/
[cb]: https://certbot.eff.org
@ -50,9 +49,8 @@ use and configure your certificate issuer to use the
You must meet the following requirements to enable secure HTTPS connections:
- Knative Serving must be installed. For details about installing the Serving
component, see the [Knative installation guides](../install/yaml-install/serving/install-serving-with-yaml.md).
- You must configure your Knative cluster to use a
[custom domain](using-a-custom-domain.md).
component, see the [Knative installation guides](../../install/yaml-install/serving/install-serving-with-yaml.md).
- You must configure your Knative cluster to use a [custom domain](../using-a-custom-domain.md).
!!! warning
Istio only supports a single certificate per Kubernetes cluster.
@ -61,7 +59,7 @@ You must meet the following requirements to enable secure HTTPS connections:
## Obtaining a TLS certificate
If you already have a signed certificate for your domain, see
[Manually adding a TLS certificate](#manually-adding-a-tls-certificate) for
[manually adding a TLS certificate](#manually-adding-a-tls-certificate) for
details about configuring your Knative cluster.
If you need a new TLS certificate, you can choose to use one of the following
@ -117,31 +115,24 @@ You can install and use [cert-manager][cm] to either manually obtain a
certificate or to configure your Knative cluster for automatic certificate
provisioning:
- **Manual certificates**: Install cert-manager and then use the tool to
manually obtain a certificate.
**Manual certificates**:
To use cert-manager to manually obtain certificates:
1. [Install and configure cert-manager](../install/installing-cert-manager.md).
1. [Install and configure cert-manager](../../install/installing-cert-manager.md).
1. Continue to the steps about
[manually adding a TLS certificate](#manually-adding-a-tls-certificate) by
creating and using a Kubernetes secret.
- **Automatic certificates**: Configure Knative to use cert-manager for
automatically obtaining and renewing TLS certificate. The steps for installing
and configuring cert-manager for this method are covered in full in the
[Enabling automatic TLS cert provisioning](using-auto-tls.md) topic.
**Automatic certificates**:
See [enabling automatic TLS certificate provisioning](enabling-automatic-tls-certificate-provisioning.md).
## Manually adding a TLS certificate
If you have an existing certificate or have used one of the Certbot or
cert-manager tool to manually obtain a new certificate, you can use the
following steps to add that certificate to your Knative cluster.
For instructions about enabling Knative for automatic certificate provisioning,
see [Enabling automatic TLS cert provisioning](using-auto-tls.md). Otherwise,
follow the steps in the relevant tab to manually add a certificate:
following steps in the relevant tab to add that certificate to your Knative cluster.
=== "Contour"
@ -184,7 +175,7 @@ follow the steps in the relevant tab to manually add a certificate:
Where `<filename>` is the name of the file you created in the previous step.
1. Update the Knative Contour plugin to use the certificate as a fallback
when autoTLS is disabled by running the command:
when `external-domain-tls` is disabled by running the command:
```bash
kubectl patch configmap config-contour -n knative-serving \
@ -262,4 +253,4 @@ follow the steps in the relevant tab to manually add a certificate:
## What's next:
After your changes are running on your Knative cluster, you can begin using the
HTTPS protocol for secure access your deployed Knative services.
HTTPS protocol for secure access your deployed Knative services on external domains.

2
docs/serving/services/certificate-class.md
View File

@ -1,6 +1,6 @@
# Configuring a custom certificate class for a Service
When autoTLS is enabled and Knative Services are created, a certificate class (`certificate-class`) is automatically chosen based on the value in the `config-network` ConfigMap located inside the `knative-serving` namespace. This ConfigMap is part of Knative Serving installation. If the certificate class is not specified, this defaults to `cert-manager.certificate.networking.knative.dev`. After `certificate-class` is configured, it is used for all Knative Services unless it is overridden with a `certificate-class` annotation.
When `external-domain-tls` is enabled and Knative Services are created, a certificate class (`certificate-class`) is automatically chosen based on the value in the `config-network` ConfigMap located inside the `knative-serving` namespace. This ConfigMap is part of Knative Serving installation. If the certificate class is not specified, this defaults to `cert-manager.certificate.networking.knative.dev`. After `certificate-class` is configured, it is used for all Knative Services unless it is overridden with a `certificate-class` annotation.
## Using the certificate class annotation

7
docs/serving/services/byo-certificate.md → docs/serving/services/custom-tls-certificate-domain-mapping.md
View File

@ -3,16 +3,17 @@
{{ feature(beta="0.24") }}
By providing the reference to an existing _TLS Certificate_ you can instruct a `DomainMapping` to use that
certificate to secure the mapped service. Using this feature skips [autoTLS](../using-auto-tls.md) certificate creation.
certificate to secure the mapped service.
Please note that for Services using this feature, the automatic certificate creation using [external-domain-tls](../encryption/enabling-automatic-tls-certificate-provisioning.md) is skipped.
## Prerequisites
- You have followed the steps from [Configuring custom domains](custom-domains.md) and now have a working `DomainMapping`.
- You must have a TLS certificate from your Certificate Authority provider or self-signed.
- You must have a TLS certificate from your Certificate Authority provider or a self-signed certificate.
## Procedure
1. Assuming you have obtained the `cert` and `key` files from your Certificate Authority provider or self-signed, create a plain Kubernetes [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) by running the command:
1. Assuming you have obtained the `cert` and `key` files from your Certificate Authority provider or have self-signed certificate, create a plain Kubernetes [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) by running the command:
Use kubectl to create the secret:
```bash

2
docs/serving/services/http-protocol.md
View File

@ -1,6 +1,6 @@
# HTTPS redirection
Operators can force HTTPS redirection for all Services. See the `http-protocol` mentioned in the [Turn on AutoTLS](../using-auto-tls.md) page for more details.
Operators can force HTTPS redirection for all Services. See the `http-protocol` mentioned in the [Enabling automatic TLS certificate provisioning](../encryption/enabling-automatic-tls-certificate-provisioning.md) page for more details.
## Overriding the default HTTP behavior

2
docs/serving/services/service-metrics.md
View File

@ -25,7 +25,7 @@ Queue proxy exports metrics for the requests endpoint on port 9091. The metrics
address which can be set in the same configmap via `metrics.opencensus-address`. User can control the reporting period for both backends with
`metrics.request-metrics-reporting-period-seconds`. If `metrics.request-metrics-reporting-period-seconds` is not set at all then the reporting period depends on the value of the global reporting period, `metrics.reporting-period-seconds`, that affects both control and data planes. If both properties are not available then the reporting period defaults to 5s for the Prometheus backend and 60s for the Opencensus one.
Here is a sample configuration for the observability configmap in order to connect to the [OpenTelemetry collector](../../observability/metrics/collecting-metrics/#understanding-the-collector):
Here is a sample configuration for the observability configmap in order to connect to the [OpenTelemetry collector](../observability/metrics/collecting-metrics.md#understanding-the-collector):
```
metrics.request-metrics-backend-destination: "opencensus"