How to use paid SSL cert with Knative (#146)

* Add simple SSL instruction.

* Remove whitespaces.

* Revise based on the comments

* Add license footer

* Add LetsEncrypt instructions

* Remove TLS limitation

serving/README.md

@@ -84,9 +84,6 @@ in the Knative Serving repository.
 See the [Knative Serving Issues](https://github.com/knative/serving/issues) page for a full list of
 known issues.
 
-* **No support for TLS** - Currently the Knative Serving components do not support TLS connections for
-  inbound HTTPS traffic. See [#537](https://github.com/knative/serving/issues/537) for more details.
-
 ---
 
 Except as otherwise noted, the content of this page is licensed under the

serving/using-an-ssl-cert.md

@@ -0,0 +1,96 @@
+# Configuring HTTPS with a custom certificate
+
+If you already have an SSL/TLS certificate for your domain you can
+follow the steps below to configure Knative to use your certificate
+and enable HTTPS connections.
+
+Before you begin, you will need to 
+[configure Knative to use your custom domain](./using-a-custom-domain.md).
+
+**Note:** due to limitations in Istio, Knative only supports a single 
+certificate per cluster. If you will serve multiple domains in the same
+cluster, make sure the certificate is signed for all the domains.
+
+## Add the Certificate and Private Key into a secret
+
+Assuming you have two files, `cert.pk` which contains your certificate private
+key, and `cert.pem` which contains the public certificate, you can use the 
+following command to create a secret that stores the certificate. Note the
+name of the secret, `istio-ingressgateway-certs` is required.
+
+```shell
+kubectl create -n istio-system secret tls istio-ingressgateway-certs \
+  --key cert.pk \
+  --cert cert.pem
+```
+
+## Configure the Knative shared Gateway to use the new secret
+
+Once you have created a secret that contains the certificate,
+you need to update the Gateway spec to use the HTTPS.
+
+To edit the shared gateway, run:
+
+```shell
+kubectl edit gateway knative-shared-gateway -n knative-serving
+```
+
+Change the Gateway spec to include the `tls:` section as shown below, then
+save the changes.
+
+```yaml
+# Please edit the object below. Lines beginning with a '#' will be ignored.
+# and an empty file will abort the edit. If an error occurs while saving this file will be
+# reopened with the relevant failures.
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  # ... skipped ...
+spec:
+  selector:
+    knative: ingressgateway
+  servers:
+  - hosts:
+    - '*'
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
+  - hosts:
+    - '*'
+    port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+```
+
+Once the change has been made, you can now use the HTTPS protocol to access
+your deployed services.
+
+
+## Obtaining an SSL/TLS certificate using LetsEncrypt
+
+If you don't have an existing SSL/TLS certificate, you can use [LetsEncrypt](https://letsencrypt.org)
+to obtain a certificate manually.
+
+1. Install the `certbot-auto` script from the [Certbot website](https://certbot.eff.org/docs/install.html#certbot-auto).
+1. Use the certbot to request a certificate, using DNS validation. The certbot tool will walk
+   you through validating your domain ownership by creating TXT records in your domain.
+
+    ```shell
+    ./certbot-auto certonly --manual --preferred-challenges dns -d '*.default.yourdomain.com'
+    ```
+
+1. When certbot is complete, you will have two output files, `privkey.pem` and `fullchain.pem`. These files
+   map to the `cert.pk` and `cert.pem` files used above.
+
+---
+
+Except as otherwise noted, the content of this page is licensed under the
+[Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/),
+and code samples are licensed under the
+[Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).