Configure cluster-local domain encryption

Warning

The Knative Serving encryption features cluster-local-domain-tls and system-internal-tls are in experimental state. Please use with caution!

Before you begin

You must meet the following requirements to enable secure HTTPS connections:

Warning

This feature is currently only supported with Kourier and Istio as the networking layer.

Installing and configuring cert-manager and the Knative integration

First, you need to install and configure cert-manager and the Knative cert-manager integration. Please refer to Configuring Knative cert-manager integration for details.

Enabling cluster-local-domain-tls

To enable cluster-local-domain-tls, update the config-network ConfigMap in the knative-serving namespace:

  1. Run the following command to edit your config-network ConfigMap:

       kubectl edit configmap config-network -n knative-serving

  2. Add the cluster-local-domain-tls: Enabled attribute under the data section:

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: config-network
         namespace: knative-serving
       data:
         ...
         cluster-local-domain-tls: Enabled
         ...

  3. Restart the Knative Serving controller to start the Knative cert-manager integration:

       kubectl rollout restart deploy/controller -n knative-serving

Congratulations! Knative is now configured to obtain and renew TLS certificates for cluster-local domains.

Verification

  1. Deploy a Knative Service

  2. Check the URL with kubectl get ksvc -n <your-namespace> -o yaml

  3. The Service's cluster-local URL (https://helloworld.test.svc.cluster.local) should now use https:

       apiVersion: serving.knative.dev/v1
       kind: Service
       metadata:
         name: helloworld
         namespace: test
       spec:
         # ...
       status:
         address:
           # cluster-local-domain:
           url: https://helloworld.test.svc.cluster.local
         # ...
         # external domain:
         url: http://helloworld.first.example.com

Trust

Note

A quick note on trust: all clients that call the cluster-local domain of a Knative Service need to trust the Certificate Authority that signed the certificates. This is out of scope for Knative, but it must be addressed to ensure a working system, especially when the Certificate Authority rotates its root or intermediate certificates. Find more information in Configuring Knative cert-manager integration.
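The enable, verification and trust steps above, collected into one script as an added example (not part of the Knative docs or the Knative project's own tooling). It replaces the interactive kubectl edit with an idempotent merge patch, waits for the controller rollout to finish before declaring success, reads only status.address.url rather than eyeballing the whole YAML, and checks the presented certificate chain against a CA bundle. Assumed placeholders: the Service is named helloworld in namespace test, the trusted CA bundle lives at ./ca.crt, the cluster-local listener is on port 443, and verify_chain is run from a pod inside the cluster where the .svc.cluster.local name resolves. The embedded SAMPLE_KSVC_YAML is a constructed copy of the status shape shown above so the parsing helpers can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not from the Knative docs. Assumptions: Service "helloworld"
# in namespace "test", CA bundle at ./ca.crt, cluster-local TLS on port 443,
# verify_chain executed from inside the cluster.
set -eu

# Pure helper: succeed only if the URL uses the https scheme.
url_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Extract status.address.url from `kubectl get ksvc ... -o yaml` output.
# Reads stdin; prints the first "url:" key nested under "address:".
address_url_from_yaml() {
  awk '/^  address:/ { in_addr = 1; next }
       in_addr && /^    url:/ { print $2; exit }
       in_addr && /^  [^ ]/ { in_addr = 0 }'
}

# Constructed sample (same shape as the status block in the docs) so the
# helpers above can be tested offline.
SAMPLE_KSVC_YAML='apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld
  namespace: test
status:
  address:
    # cluster-local-domain:
    url: https://helloworld.test.svc.cluster.local
  # external domain:
  url: http://helloworld.first.example.com'

enable_cluster_local_domain_tls() {
  # Idempotent merge patch instead of an interactive `kubectl edit`.
  kubectl patch configmap config-network -n knative-serving --type merge \
    -p '{"data":{"cluster-local-domain-tls":"Enabled"}}'
  # Restart the controller so it starts the cert-manager integration, and
  # block until the new pods are ready instead of assuming they are.
  kubectl rollout restart deploy/controller -n knative-serving
  kubectl rollout status deploy/controller -n knative-serving --timeout=120s
}

verify_ksvc_url() {
  # $1 = Service name, $2 = namespace. Checks only the cluster-local address.
  url=$(kubectl get ksvc "$1" -n "$2" -o yaml | address_url_from_yaml)
  if url_is_https "$url"; then
    echo "ok: $url"
  else
    echo "not yet https: '$url' (controller restarted? certificate issued?)" >&2
    return 1
  fi
}

verify_chain() {
  # $1 = cluster-local host. Fails unless the chain the server presents
  # validates against ./ca.crt, i.e. the CA the client is expected to trust.
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" \
    -CAfile ./ca.crt -verify_return_error </dev/null >/dev/null
}

# Dispatch on the first argument; with no argument only the functions are
# defined, so the file can also be sourced.
case "${1:-}" in
  enable) enable_cluster_local_domain_tls ;;
  verify) verify_ksvc_url helloworld test ;;
  trust)  verify_chain helloworld.test.svc.cluster.local ;;
  *) ;;
esac
```

Run `sh cluster-local-tls.sh enable` against the cluster, then `sh cluster-local-tls.sh verify` after deploying the Service; `trust` is meant to be run from a pod that has the CA bundle mounted, and it is the check that fails first after a CA or intermediate rotation the clients were not updated for.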