From a0bdedc4f39fabdd36ea18277fa9a4dda0eb8a79 Mon Sep 17 00:00:00 2001 From: Fabian Leonardo Lopez Bernal Date: Wed, 18 Aug 2021 07:20:09 -0500 Subject: [PATCH] add docs for byo certificate via domainmapping (#4104) * add docs for byo certificate via domainmapping Signed-off-by: Fabian Lopez * fix trailing spaces Signed-off-by: Fabian Lopez * fix verification typo Signed-off-by: Fabian Lopez * fix nits Signed-off-by: Fabian Lopez * address documentation feedback Signed-off-by: Fabian Lopez --- config/nav.yml | 1 + .../serving/services/byo-certificate.md | 62 +++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 docs/developer/serving/services/byo-certificate.md diff --git a/config/nav.yml b/config/nav.yml index c9955efa9..73408f4ff 100644 --- a/config/nav.yml +++ b/config/nav.yml @@ -67,6 +67,7 @@ nav: - Creating a Service: developer/serving/services/creating-services.md - Configuring private Services: developer/serving/services/private-services.md - Configuring custom domains: developer/serving/services/custom-domains.md + - Using a custom TLS certificate for DomainMapping: developer/serving/services/byo-certificate.md - Configure resource requests and limits: developer/serving/services/configure-requests-limits-services.md - Traffic management: developer/serving/traffic-management.md - Configuring gradual rollout of traffic to Revisions: developer/serving/rolling-out-latest-revision.md diff --git a/docs/developer/serving/services/byo-certificate.md b/docs/developer/serving/services/byo-certificate.md new file mode 100644 index 000000000..0bf2aed6d --- /dev/null +++ b/docs/developer/serving/services/byo-certificate.md 
@@ -0,0 +1,62 @@ +# Using a custom TLS certificate for DomainMapping + +{{ feature(beta="0.24") }} + +By providing the reference to an existing _TLS Certificate_ you can instruct a `DomainMapping` to use that +certificate to secure the mapped service. Using this feature skips [autoTLS](../../../../serving/using-auto-tls) certificate creation. + +## Prerequisites + +- You have followed the steps from [Configuring custom domains](../custom-domains) and now have a working `DomainMapping`. +- You must have a TLS certificate from your Certificate Authority provider or self-signed. + +## Procedure + +1. Assuming you have obtained the `cert` and `key` files from your Certificate Authority provider or self-signed, create a plain Kubernetes [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) by running the command: + + Use kubectl to create the secret: + ```bash + kubectl create secret tls --cert=path/to/cert/file --key=path/to/key/file + ``` + Where `` is the name of the secret object being created. + +1. Update your `DomainMapping` YAML file to use the newly created secret as follows: + + ```yaml + apiVersion: serving.knative.dev/v1alpha1 + kind: DomainMapping + metadata: + name: + namespace: + spec: + ref: + name: + kind: Service + apiVersion: serving.knative.dev/v1 + # tls block specifies the secret to be used + tls: + secretName: + ``` + Where: + + - `` is the name of the TLS secret created in the previous step. + - `` is the domain name that you want to map a Service to. + - `` is the namespace that contains both the `DomainMapping` and `Service` objects. + - `` is the name of the Service that will be mapped to the domain. + +1. Verify the `DomainMapping` status: + + 1. Check the status by running the command: + ```bash + kubectl get domainmapping + ``` + The `URL` column of the status should show the mapped domain with the scheme updated to `https`: + ``` + NAME URL READY REASON + https:// True + ``` + 1. 
If the Service is exposed publicly, verify that it is available by running: + ```bash + curl https:// + ``` + If the certificate is self-signed skip verification by adding the `-k` flag to the curl command.
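Review bot: The final verification step tells readers with a self-signed certificate to add `-k` to the `curl` command, which disables certificate verification, so the check no longer confirms that the mapped domain is serving the certificate from the secret. Suggest pointing `curl` at the certificate instead, with `--cacert path/to/cert/file`, so the request validates against the same cert file used in step 1. Also in step 1, the `kubectl create secret tls` command carries no `-n`/`--namespace`, while the YAML in step 2 puts the `DomainMapping` in an explicit namespace; say which namespace the secret has to be created in and add the flag to the command. Minor: step 1 has two back-to-back lead-ins ("by running the command:" followed by "Use kubectl to create the secret:"), one of which can go.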