Enabling automatic TLS certificate provisioning

If you install and configure cert-manager, you can configure Knative to automatically obtain new TLS certificates and renew existing ones. To learn more about using secure connections in Knative, see Configuring HTTPS with TLS certificates.

Before you begin

You must meet the following prerequisites to enable automatic certificate provisioning:

Enabling automatic certificate provisioning

To enable support for automatic TLS certificate provisioning in Knative:

  1. Determine if networking-certmanager is already installed by running the following command:

     kubectl get deployment networking-certmanager -n knative-serving

     1. If networking-certmanager is not found, install it by running the following command:

        kubectl apply --filename https://github.com/knative/serving/releases/download/v0.9.0/serving-cert-manager.yaml
  2. Create and add the ClusterIssuer configuration file to your Knative cluster to define who issues the TLS certificates, how requests are validated (DNS-01), and which DNS provider validates those requests.

     1. Create the ClusterIssuer file:

        Use the cert-manager reference to determine how to configure your ClusterIssuer file:

        Example: Cloud DNS ClusterIssuer configuration file:

        The following ClusterIssuer file, named letsencrypt-issuer, is configured for the Let’s Encrypt CA and Google Cloud DNS. Under spec, the Let’s Encrypt account info, the required DNS-01 challenge type, and the Cloud DNS provider info are defined. Note that a ClusterIssuer is cluster-scoped, so the namespace in its metadata has no effect; cert-manager looks up the secrets it references (privateKeySecretRef and serviceAccountSecretRef) in its own namespace, which is cert-manager by default. For the complete Google Cloud DNS example, see Configuring HTTPS with cert-manager and Google Cloud DNS.

      apiVersion: certmanager.k8s.io/v1alpha1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-issuer
        namespace: cert-manager
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          # This will register an issuer with LetsEncrypt.  Replace
          # with your admin email address.
          email: myemail@gmail.com
          privateKeySecretRef:
            # Set privateKeySecretRef to any unused secret name.
            name: letsencrypt-issuer
          dns01:
            providers:
            - name: cloud-dns-provider
              clouddns:
                # Set this to your GCP project-id
                project: $PROJECT_ID
                # Set this to the secret that we publish our service account key
                # in the previous step.
                serviceAccountSecretRef:
                  name: cloud-dns-key
                  key: key.json
     2. Add your ClusterIssuer configuration to your Knative cluster by running the following commands, where <filename> is the name of the file that you created:

        1. Add the configuration file to Knative:

           kubectl apply -f <filename>.yaml

        2. Ensure that the ClusterIssuer was created successfully:

           kubectl get clusterissuer --namespace cert-manager letsencrypt-issuer --output yaml

      Result: The Status.Conditions should include Ready=True.

  3. Update your config-certmanager ConfigMap in the knative-serving namespace to define your new ClusterIssuer configuration and your DNS provider.

     1. Run the following command to edit your config-certmanager ConfigMap:

        kubectl edit configmap config-certmanager --namespace knative-serving

     2. Add the issuerRef and solverConfig sections within the data section:
      ...
      data:
      ...
        issuerRef: |
          kind: ClusterIssuer
          name: letsencrypt-issuer
    
        solverConfig: |
          dns01:
            provider: cloud-dns-provider

    Example:

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: config-certmanager
        namespace: knative-serving
        labels:
          networking.knative.dev/certificate-provider: cert-manager
      data:
        issuerRef: |
          kind: ClusterIssuer
          name: letsencrypt-issuer
        solverConfig: |
          dns01:
            provider: cloud-dns-provider
     3. Ensure that the ConfigMap was updated successfully:

        kubectl get configmap config-certmanager --namespace knative-serving --output yaml

  4. Update the config-network ConfigMap in the knative-serving namespace to enable autoTLS and specify how HTTP requests are handled:

     1. Run the following command to edit your config-network ConfigMap:

        kubectl edit configmap config-network --namespace knative-serving

     2. Add the autoTLS: Enabled attribute under the data section:
      ...
      data:
      ...
        autoTLS: Enabled
      ...

    Example:

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: config-network
        namespace: knative-serving
      data:
         ...
         autoTLS: Enabled
         ...
     3. Configure how HTTP and HTTPS requests are handled in the httpProtocol attribute.

        By default, Knative ingress is configured to serve HTTP traffic (httpProtocol: Enabled). Now that your cluster is configured to use TLS certificates and handle HTTPS traffic, you can specify whether or not any HTTP traffic is allowed.

        Supported httpProtocol values:

        • Enabled: Serve HTTP traffic.
        • Disabled: Rejects all HTTP traffic.
        • Redirected: Responds to HTTP requests with a 302 redirect to ask the clients to use HTTPS. The initial request still arrives over plaintext HTTP, so Disabled is the stricter choice where clients can be relied on to use HTTPS directly.

        Add the httpProtocol attribute under the data section:

          ...
          data:
          ...
            autoTLS: Enabled
            httpProtocol: Redirected
          ...

      Example:

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: config-network
         namespace: knative-serving
       data:
         ...
         autoTLS: Enabled
         ...
         httpProtocol: Redirected
         ...
     4. Ensure that the ConfigMap was updated successfully:

      kubectl get configmap config-network --namespace knative-serving --output yaml

Congratulations! Knative is now configured to obtain and renew TLS certificates. When your TLS certificate is active on your cluster, your Knative services will be able to handle HTTPS traffic.
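As an added example (not part of the Knative docs or the Knative project code), the following Python script cross-checks the three resources configured above instead of eyeballing three `--output yaml` dumps. It reads `kubectl get ... -o json` output for the ClusterIssuer, config-certmanager and config-network and flags the mismatches that silently leave services on HTTP: an issuerRef naming a different ClusterIssuer, a solverConfig provider that the issuer does not define, a missing Ready=True condition, autoTLS not enabled, or httpProtocol left at its default. The sample objects embedded in it are constructed for illustration, not captured from a cluster, and `parse_simple_yaml` is a deliberately minimal helper that handles only the nested key: value subset those two ConfigMap values use (it is not a YAML parser).

```python
"""Cross-check Knative auto-TLS wiring from kubectl JSON output.

Usage (each file is the output of `kubectl get <resource> -o json`):
  kubectl get clusterissuer letsencrypt-issuer -o json > issuer.json
  kubectl get configmap config-certmanager -n knative-serving -o json > certmanager.json
  kubectl get configmap config-network -n knative-serving -o json > network.json
  python check_autotls.py issuer.json certmanager.json network.json
"""
import json
import sys
from typing import Any, Dict, List

VALID_HTTP_PROTOCOL = {"Enabled", "Disabled", "Redirected"}


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the tiny YAML subset used in issuerRef/solverConfig: indentation-based
    nested mappings of 'key: value' lines, no lists, no quoting, no URLs as values.
    Kept minimal on purpose so the script has no PyYAML dependency."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # leave mappings nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:
            child: Dict[str, Any] = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def check_auto_tls(issuer: Dict[str, Any], cm_certmanager: Dict[str, Any],
                   cm_network: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the three resources agree.
    Findings prefixed with 'WARN:' are advisory rather than errors."""
    findings: List[str] = []

    # 1. The ClusterIssuer must be Ready and define at least one dns01 provider.
    if issuer.get("kind") != "ClusterIssuer":
        findings.append("issuer is not a ClusterIssuer, but Knative's issuerRef names one")
    conditions = issuer.get("status", {}).get("conditions", [])
    if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions):
        findings.append("ClusterIssuer has no Ready=True condition; read status.conditions[].message")
    providers = issuer.get("spec", {}).get("acme", {}).get("dns01", {}).get("providers", [])
    provider_names = {p.get("name") for p in providers if p.get("name")}
    if not provider_names:
        findings.append("ClusterIssuer defines no spec.acme.dns01.providers")

    # 2. config-certmanager must point at that issuer and at one of its providers.
    data = cm_certmanager.get("data", {})
    issuer_ref = parse_simple_yaml(data.get("issuerRef", ""))
    expected = issuer.get("metadata", {}).get("name")
    if issuer_ref.get("kind") != "ClusterIssuer" or issuer_ref.get("name") != expected:
        findings.append(f"config-certmanager issuerRef {issuer_ref} does not reference ClusterIssuer {expected!r}")
    dns01 = parse_simple_yaml(data.get("solverConfig", "")).get("dns01")
    provider = dns01.get("provider") if isinstance(dns01, dict) else None
    if provider not in provider_names:
        findings.append(f"solverConfig dns01.provider {provider!r} is not one of the issuer's providers {sorted(provider_names)}")

    # 3. config-network must have autoTLS on; httpProtocol must be a known value,
    #    and the default (Enabled) still serves plaintext HTTP.
    net = cm_network.get("data", {})
    if net.get("autoTLS") != "Enabled":
        findings.append(f"config-network autoTLS is {net.get('autoTLS')!r}, expected 'Enabled'")
    http_protocol = net.get("httpProtocol", "Enabled")
    if http_protocol not in VALID_HTTP_PROTOCOL:
        findings.append(f"config-network httpProtocol {http_protocol!r} is not one of {sorted(VALID_HTTP_PROTOCOL)}")
    elif http_protocol == "Enabled":
        findings.append("WARN: httpProtocol is Enabled (the default): plaintext HTTP is still served; set Redirected or Disabled")
    return findings


# Constructed sample objects mirroring the resources configured above, trimmed to
# the fields the checks read. They are not captured from a real cluster.
SAMPLE_ISSUER = {
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-issuer"},
    "spec": {"acme": {"dns01": {"providers": [{"name": "cloud-dns-provider"}]}}},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}
SAMPLE_CERTMANAGER_CM = {
    "kind": "ConfigMap",
    "data": {
        "issuerRef": "kind: ClusterIssuer\nname: letsencrypt-issuer\n",
        "solverConfig": "dns01:\n  provider: cloud-dns-provider\n",
    },
}
SAMPLE_NETWORK_CM = {"kind": "ConfigMap", "data": {"autoTLS": "Enabled", "httpProtocol": "Redirected"}}


def main(argv: List[str]) -> int:
    if len(argv) != 4:
        print("usage: check_autotls.py issuer.json certmanager.json network.json", file=sys.stderr)
        return 2
    objs = []
    for path in argv[1:]:
        with open(path) as fh:
            objs.append(json.load(fh))
    findings = check_auto_tls(*objs)
    for finding in findings:
        print(finding)
    return 1 if any(not f.startswith("WARN:") for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after each of the `--output yaml` checks above, or once at the end; a non-zero exit means one of the three resources disagrees with the others and the Knative certificate controller will not be able to request a certificate, however clean each ConfigMap looks on its own.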