Skip to content

Configure Knative system-internal encryption

Warning

The Knative Serving encryption features cluster-local-domain-tls and system-internal-tls are in experimental state. Please use with caution!

Before you begin

You must meet the following requirements to enable secure HTTPS connections:

Warning

This feature is currently only supported with Kourier as a networking layer.

Installing and configuring cert-manager and integration

First, you need to install and configure cert-manager and the Knative cert-manager integration. Please refer to Configuring Knative cert-manager integration for details.

Enabling system-internal-tls

To enable system-internal-tls update the config-network ConfigMap in the knative-serving namespace:

  1. Run the following command to edit your config-network ConfigMap:

    kubectl edit configmap config-network -n knative-serving
    
  2. Add the system-internal-tls: Enabled attribute under the data section:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: config-network
      namespace: knative-serving
    data:
       ...
       system-internal-tls: Enabled
       ...
    
  3. Restart the Knative activator and controller component to start the Knative cert-manager integration:

    kubectl rollout restart deploy/activator -n knative-serving
    kubectl rollout restart deploy/controller -n knative-serving
    

Congratulations! Knative will now use TLS between its internal system components (Ingress-Controller, Activator and Queue-Proxy).

Verification

  1. Deploy a Knative Service

  2. Check if certificates are created and ready with kubectl get kcert -n <your-knative-service-namespace>

  3. Check if the Queue-Proxy container reads the certificate on startup with

    kubectl logs your-pod -n your-knative-service-namespace -c queue-proxy | grep -E 'certDir|Certificate|tls'
    

    It should look like this:

    {"severity":"INFO","timestamp":"2024-01-03T07:07:32.892810888Z","logger":"queueproxy","caller":"certificate/watcher.go:62","message":"Starting to watch the following directories for changes{certDir 15 0 /var/lib/knative/certs <nil>} {keyDir 15 0 /var/lib/knative/certs <nil>}","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
    {"severity":"INFO","timestamp":"2024-01-03T07:07:32.89397512Z","logger":"queueproxy","caller":"certificate/watcher.go:131","message":"Certificate and/or key have changed on disk and were reloaded.","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
    {"severity":"INFO","timestamp":"2024-01-03T07:07:32.894232939Z","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server admin:8022","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
    {"severity":"INFO","timestamp":"2024-01-03T07:07:32.894268548Z","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server main:8112","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
    

Trust

Warning

A quick note on trust, Knative will automatically trust the CA that signed the Certificates, if the cert-manager issuer allows putting the CA directly in the field ca.crt of the certificates Secret. Regardless of that, Cluster admins should always provide a trust-bundle, as described in Configuring Knative cert-manager integration. This is also strongly recommended in the cert-manager documentation to avoid issues with rotation.

We use analytics and cookies to understand site traffic. Information about your use of our site is shared with Google for that purpose. Learn more.

× OK