Using a custom TLS certificate for DomainMapping
Feature Availability: beta since Knative v0.24
- beta features are well-tested and enabling them is considered safe. Support for the overall feature will not be dropped, though details may change in incompatible ways.
By providing a reference to an existing TLS certificate, you can instruct a DomainMapping to use that certificate to secure the mapped service.

Note that for Services using this feature, the automatic certificate creation using external-domain-tls is skipped.
Prerequisites
- You have followed the steps in Configuring custom domains and now have a working DomainMapping.
- You must have a TLS certificate from your Certificate Authority provider or a self-signed certificate.
Procedure
- Assuming you have obtained the `cert` and `key` files from your Certificate Authority provider, or have a self-signed certificate, create a plain Kubernetes TLS Secret by running the command:

  ```bash
  kubectl create secret tls <tls-secret-name> --cert=path/to/cert/file --key=path/to/key/file
  ```

  Where `<tls-secret-name>` is the name of the Secret object being created.
- Update your DomainMapping YAML file to use the newly created Secret as follows:

  ```yaml
  apiVersion: serving.knative.dev/v1beta1
  kind: DomainMapping
  metadata:
    name: <domain-name>
    namespace: <namespace>
  spec:
    ref:
      name: <service-name>
      kind: Service
      apiVersion: serving.knative.dev/v1
    # tls block specifies the secret to be used
    tls:
      secretName: <tls-secret-name>
  ```

  Where:

  - `<tls-secret-name>` is the name of the TLS Secret created in the previous step.
  - `<domain-name>` is the domain name that you want to map a Service to.
  - `<namespace>` is the namespace that contains both the DomainMapping and Service objects.
  - `<service-name>` is the name of the Service that will be mapped to the domain.
- Verify the DomainMapping status:

  - Check the status by running the command:

    ```bash
    kubectl get domainmapping <domain-name>
    ```

    The `URL` column of the status should show the mapped domain with the scheme updated to `https`:

    ```
    NAME           URL                    READY   REASON
    <domain-name>  https://<domain-name>  True
    ```

  - If the Service is exposed publicly, verify that it is available by running:

    ```bash
    curl https://<domain-name>
    ```

    If the certificate is self-signed, skip verification by adding the `-k` flag to the curl command.
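As an added example, not part of the Knative documentation or project: a stdlib-only Python pre-apply check that the TLS Secret from the first step and the DomainMapping from the second step agree with each other (Secret type and `tls.crt`/`tls.key` entries, matching `secretName`, same namespace, a `serving.knative.dev/v1` Service reference, a bare domain as the name). The names `example-tls`, `app.example.com` and `hello` and the PEM bodies are constructed sample values, not real material.

```python
import base64

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----")

def _pem(secret, key):
    """Base64-decode secret.data[key]; None if absent or not valid base64/UTF-8."""
    try:
        return base64.b64decode(secret["data"][key], validate=True).decode()
    except (KeyError, ValueError, UnicodeDecodeError):
        return None

def check_tls_domainmapping(secret, mapping):
    """Return a list of problems; an empty list means the Secret and DomainMapping agree."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":  # the type `kubectl create secret tls` produces
        problems.append("Secret type must be kubernetes.io/tls")
    crt, key = _pem(secret, "tls.crt"), _pem(secret, "tls.key")
    if crt is None or not crt.startswith(CERT_HEADER):
        problems.append("tls.crt is missing or not a PEM certificate")
    if key is None or not key.startswith(KEY_HEADERS):
        problems.append("tls.key is missing or not a PEM private key")
    if (mapping.get("apiVersion"), mapping.get("kind")) != ("serving.knative.dev/v1beta1", "DomainMapping"):
        problems.append("expected a serving.knative.dev/v1beta1 DomainMapping")
    spec, meta, smeta = mapping.get("spec", {}), mapping.get("metadata", {}), secret.get("metadata", {})
    if spec.get("tls", {}).get("secretName") != smeta.get("name"):
        problems.append("spec.tls.secretName does not match the Secret name")
    if meta.get("namespace") != smeta.get("namespace"):
        problems.append("DomainMapping and Secret must be in the same namespace")
    ref = spec.get("ref", {})
    if (ref.get("kind"), ref.get("apiVersion")) != ("Service", "serving.knative.dev/v1") or not ref.get("name"):
        problems.append("spec.ref must name a serving.knative.dev/v1 Service")
    name = meta.get("name", "")
    if not name or "://" in name or name != name.lower():
        problems.append("metadata.name must be a bare, lowercase domain name")
    return problems

# Constructed sample manifests; the PEM bodies are placeholders, not real key material.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "example-tls", "namespace": "default"},
    "data": {"tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
             "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode()},
}
SAMPLE_MAPPING = {
    "apiVersion": "serving.knative.dev/v1beta1", "kind": "DomainMapping",
    "metadata": {"name": "app.example.com", "namespace": "default"},
    "spec": {"ref": {"name": "hello", "kind": "Service", "apiVersion": "serving.knative.dev/v1"},
             "tls": {"secretName": "example-tls"}},
}
```

An empty list means the two manifests are consistent; any other result names the field to correct before running kubectl apply.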