# Configure cluster-local domain encryption

> **Warning:** The Knative Serving encryption features `cluster-local-domain-tls` and `system-internal-tls` are in experimental state. Please use with caution!
## Before you begin

You must meet the following requirements to enable secure HTTPS connections:

- Knative Serving must be installed. For details about installing the Serving component, see the Knative installation guides.

> **Warning:** This feature is currently only supported with Kourier and Istio as the networking layer.
## Installing and configuring cert-manager and integration

First, you need to install and configure cert-manager and the Knative cert-manager integration. Please refer to Configuring Knative cert-manager integration for details.
## Enabling cluster-local-domain-tls

To enable `cluster-local-domain-tls`, update the `config-network` ConfigMap in the `knative-serving` namespace:

1. Run the following command to edit your `config-network` ConfigMap:

   ```bash
   kubectl edit configmap config-network -n knative-serving
   ```

2. Add the `cluster-local-domain-tls: Enabled` attribute under the `data` section:

   ```yaml
   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: config-network
     namespace: knative-serving
   data:
     ...
     cluster-local-domain-tls: Enabled
     ...
   ```

3. Restart the Knative Serving controller to start the Knative cert-manager integration:

   ```bash
   kubectl rollout restart deploy/controller -n knative-serving
   ```

Congratulations! Knative is now configured to obtain and renew TLS certificates for cluster-local domains.
## Verification

1. Deploy a Knative Service.

2. Check the URL with:

   ```bash
   kubectl get ksvc -n <your-namespace> -o yaml
   ```

3. The cluster-local domain URL of the service (`https://helloworld.test.svc.cluster.local`) should now use `https`:

   ```yaml
   apiVersion: serving.knative.dev/v1
   kind: Service
   metadata:
     name: helloworld
     namespace: test
   spec:
     # ...
   status:
     address:
       # cluster-local-domain:
       url: https://helloworld.test.svc.cluster.local
     # ...
     # external domain:
     url: http://helloworld.first.example.com
   ```
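The two checks above (the `config-network` flag and the scheme of the cluster-local address) can be automated against `kubectl ... -o json` output. The following is an added example, not code from the Knative project; the JSON documents are constructed samples modelled on the service shown above, and the function names are my own.

```python
"""Post-configuration check for Knative cluster-local-domain-tls.

Feed it the output of `kubectl get configmap config-network -n knative-serving -o json`
and `kubectl get ksvc <name> -n <ns> -o json`. The JSON below is constructed
sample data modelled on the helloworld service in this page.
"""
import json
from urllib.parse import urlparse

# Constructed sample of `kubectl get configmap config-network -o json`.
CONFIG_NETWORK_JSON = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "config-network", "namespace": "knative-serving"},
    "data": {"cluster-local-domain-tls": "Enabled"},
})

# Constructed sample of `kubectl get ksvc helloworld -n test -o json`.
KSVC_JSON = json.dumps({
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "helloworld", "namespace": "test"},
    "status": {
        "address": {"url": "https://helloworld.test.svc.cluster.local"},
        "url": "http://helloworld.first.example.com",
    },
})


def tls_flag_enabled(configmap_json: str) -> bool:
    """True only if data.cluster-local-domain-tls is exactly 'Enabled'."""
    data = json.loads(configmap_json).get("data") or {}
    return data.get("cluster-local-domain-tls") == "Enabled"


def check_cluster_local_url(ksvc_json: str) -> list[str]:
    """Return problems found; an empty list means status.address.url is https
    and its host is <name>.<namespace>.svc.cluster.local."""
    svc = json.loads(ksvc_json)
    name, ns = svc["metadata"]["name"], svc["metadata"]["namespace"]
    url = (svc.get("status", {}).get("address") or {}).get("url", "")
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"cluster-local address is not https: {url!r}")
    expected_host = f"{name}.{ns}.svc.cluster.local"
    if parsed.hostname != expected_host:
        problems.append(f"host {parsed.hostname!r} != {expected_host!r}")
    return problems


if __name__ == "__main__":
    print("flag enabled:", tls_flag_enabled(CONFIG_NETWORK_JSON))
    print("problems:", check_cluster_local_url(KSVC_JSON) or "none")
```

Run it after the controller restart; a non-empty problem list for a freshly deployed service usually means the flag was not picked up or certificate issuance has not completed yet.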
## Trust

> **Note:** A quick note on trust: all clients that call the cluster-local domain of a Knative Service need to trust the Certificate Authority that signed the certificates. This is out of scope for Knative, but it needs to be addressed to ensure a working system, especially when a Certificate Authority rotates the CA or the intermediate certificates. Find more information in Configuring Knative cert-manager integration.