diff --git a/docs/install/serving/install-serving-with-yaml.md b/docs/install/serving/install-serving-with-yaml.md index 2cf13dd8b..6136d4077 100644 --- a/docs/install/serving/install-serving-with-yaml.md +++ b/docs/install/serving/install-serving-with-yaml.md @@ -258,20 +258,3 @@ The following tabs expand to show instructions for installing each Serving exten --type merge \ --patch '{"data":{"autoTLS":"Enabled"}}' ``` - - -=== "TLS wildcard support" - - !!! warning - TLS wildcard support does not work with HTTP01. - - If you are using a certificate implementation that supports provisioning - wildcard certificates (for example, cert-manager with a DNS01 issuer) then the most - efficient way to provision certificates is with the namespace wildcard - certificate controller. - - * Install the components needed to provision wildcard certificates in each namespace by running the command: - - ```bash - kubectl apply -f {{ artifact(repo="serving",file="serving-nscert.yaml")}} - ``` diff --git a/docs/install/serving/serving-installation-files.md b/docs/install/serving/serving-installation-files.md index d88e972fe..b61489795 100644 --- a/docs/install/serving/serving-installation-files.md +++ b/docs/install/serving/serving-installation-files.md 
@@ -15,6 +15,5 @@ The following table describes the installation files included in Knative Serving | serving-crds.yaml | Required: Knative Serving core CRDs. | none | | serving-default-domain.yaml | Configures Knative Serving to use [http://sslip.io](http://sslip.io) as the default DNS suffix. | serving-core.yaml | | serving-hpa.yaml | Components to autoscale Knative revisions through the Kubernetes Horizontal Pod Autoscaler. | serving-core.yaml | - serving-nscert.yaml | Components to provision TLS wildcard certificates. | serving-core.yaml | | serving-post-install-jobs.yaml | Additional jobs after installing `serving-core.yaml`. Currently it is the same as `serving-storage-version-migration.yaml`. | serving-core.yaml | | serving-storage-version-migration.yaml | Migrates the storage version of Knative resources, including Service, Route, Revision, and Configuration, from `v1alpha1` and `v1beta1` to `v1`. Required by upgrade from version 0.18 to 0.19. | serving-core.yaml | diff --git a/docs/install/uninstall.md b/docs/install/uninstall.md index 5b2e30b77..6948212f5 100644 --- a/docs/install/uninstall.md +++ b/docs/install/uninstall.md @@ -50,16 +50,6 @@ Uninstall any Serving extensions you have installed by performing the steps in t -=== "TLS wildcard support" - - Uninstall the components needed to provision wildcard certificates in each namespace by running: - - ```bash - kubectl delete -f {{ artifact( repo="serving", file="serving-nscert.yaml") }} - ``` - - - ### Uninstalling a networking layer Follow the relevant procedure to uninstall the networking layer you installed: diff --git a/docs/serving/using-auto-tls.md b/docs/serving/using-auto-tls.md index b1508c4f0..6067cdfea 100644 --- a/docs/serving/using-auto-tls.md +++ b/docs/serving/using-auto-tls.md 
@@ -132,6 +132,9 @@ Instructions about configuring cert-manager, for all the supported DNS providers, are provided in [DNS01 challenge providers and configuration instructions](https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers). +Note that DNS-01 challenges can be used to either validate an +individual domain name or to validate an entire namespace using a +wildcard certificate like `*.my-ns.example.com`. ### Install net-certmanager-controller deployment 
@@ -148,25 +151,30 @@ providers, are provided in kubectl apply --filename {{ artifact( repo="net-certmanager", file="release.yaml") }} ``` -### Install net-nscert-controller component - -If you choose to use the mode of provisioning certificate per namespace, you need to install `net-nscert-controller` components. +### Provising certificates per namespace (wildcard certificates) **IMPORTANT:** Provisioning a certificate per namespace only works with DNS-01 challenge. This component cannot be used with HTTP-01 challenge. -1. Determine if `net-nscert-controller` deployment is already installed by -running the following command: +The per-namespace certificate manager uses namespace labels to select which +namespaces should have a certificate applied. For more details on namespace +selectors, see +[the Kubernetes documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors). - ```bash - kubectl get deployment net-nscert-controller -n knative-serving - ``` +Prior to release 1.0, the fixed label +`networking.knative.dev/disableWildcardCert: true` was used to disable +certificate generation for a namespace. In 1.0 and later, other labels such as +`kubernetes.io/metadata.name` may be used to select or restrict namespaces. -1. If `net-nscert-controller` deployment is not found, run the following command: +To enable certificates for all namespaces except those with the +`networking.knative.dev/disableWildcardCert: true` label, use the following +command: - ```bash - kubectl apply --filename {{ artifact( repo="serving", file="serving-nscert.yaml") }} - ``` +```bash +kubectl patch --namespace knative-serving configmap config-network -p '{"data": {"namespace-wildcard-cert-selector": "{\"matchExpressions\": [{\"key\":\"networking.knative.dev/disableWildcardCert\", \"operator\": \"NotIn\", \"values\":[\"true\"]}]}"}}' +``` + +This selects all namespaces where the label value is not in the set `"true"`. 
### Configure config-certmanager ConfigMap @@ -333,17 +341,3 @@ Using the previous `autoscale-go` example: NAME URL LATEST AGE CONDITIONS READY REASON autoscale-go http://autoscale-go.default.1.arenault.dev autoscale-go-dd42t 8m17s 3 OK / 3 True ``` - -### Disable Auto TLS per namespace - -If you have Auto TLS enabled to provision a certificate per namespace, you can choose to disable it for an individual namespace by adding the annotation `networking.knative.dev/disableWildcardCert: true` -1. Edit your namespace `kubectl edit namespace default` and add the annotation: -```yaml - apiVersion: v1 - kind: Namespace - metadata: - annotations: - ... - networking.knative.dev/disableWildcardCert: "true" - ... -```
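Review bot: in the install-serving-with-yaml.md hunk, removing the "TLS wildcard support" tab leaves the install page with no pointer at all for per-namespace wildcard certificates, while the "Auto TLS" tab directly above it still only patches `config-network` with `{"data":{"autoTLS":"Enabled"}}`. Suggest adding one sentence to that tab linking to the new "Provisioning certificates per namespace" section of using-auto-tls.md, so readers who previously applied `serving-nscert.yaml` can find the `namespace-wildcard-cert-selector` step.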
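Review bot: the uninstall.md hunk drops the only instruction for removing the components that `serving-nscert.yaml` installed, but a cluster upgraded from an earlier release still has the old `net-nscert-controller` deployment in `knative-serving`. Suggest keeping a short upgrade note, for example "if you installed wildcard support before 1.0, run `kubectl delete -f {{ artifact( repo="serving", file="serving-nscert.yaml") }}`", so the old controller and the new ConfigMap selector do not both act on the same namespaces.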
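Review bot: in the `@@ -132,6 +132,9 @@` hunk of using-auto-tls.md, "validate an entire namespace" is loose wording. A DNS-01 challenge validates a DNS name, and a wildcard certificate such as `*.my-ns.example.com` covers every hostname under that suffix; it corresponds to a Knative namespace only because the default domain template places the namespace under the domain. Suggest "validate all hostnames under a namespace's domain suffix with a wildcard certificate like `*.my-ns.example.com`".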
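Review bot: in the `@@ -148,25 +151,30 @@` hunk, the new text says that prior to 1.0 "the fixed label `networking.knative.dev/disableWildcardCert: true`" was used, but the section removed further down in the same file documented it under `metadata.annotations`, and the `namespace-wildcard-cert-selector` added here is a label selector, which does not match annotations. Either correct "label" to "annotation" and say explicitly that users must now set it as a namespace label, or correct the old section. Two smaller points: the heading "Provising certificates per namespace" should read "Provisioning", and the `kubectl patch` command omits `--type merge` while the `autoTLS` patch in install-serving-with-yaml.md includes it; the default strategic merge works for ConfigMap `data`, but the two commands should be consistent. It may also be worth stating that `NotIn` matches namespaces that do not carry the key at all, which is what makes unlabelled namespaces receive certificates under this selector.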
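Review bot: the `@@ -333,17 +341,3 @@` hunk removes "Disable Auto TLS per namespace" without a replacement, so the only remaining opt-out guidance is the selector expression in the earlier hunk. Suggest keeping a short subsection that shows the label form the new selector actually matches, for example `kubectl label namespace default networking.knative.dev/disableWildcardCert=true`, and notes that the removed `metadata.annotations` form is not matched by a label selector.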