-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to use paid SSL cert with Knative #146
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some nits
serving/using-an-ssl-cert.md
Outdated
for your cluster. See instructions [here](./using-a-custom-domain.md) to set | ||
up a domain for your cluster. | ||
|
||
Note that due to Istio limitation we can only use one certificate for our |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Istio limitations,
serving/using-an-ssl-cert.md
Outdated
up a domain for your cluster. | ||
|
||
Note that due to Istio limitation we can only use one certificate for our | ||
cluster -- as a result you will need to make sure that your certificate is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cluster. As a result,
serving/using-an-ssl-cert.md
Outdated
|
||
## Add the Certificate and Private Key into a secret | ||
|
||
Istio requires that the secret must be name `istio-ingressgateway-certs`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
must be named
serving/using-an-ssl-cert.md
Outdated
kubectl edit gateway knative-shared-gateway -n knative-serving | ||
``` | ||
then update your Gateway spec to look like this | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does yaml
work for syntax highlighting here?
serving/using-an-ssl-cert.md
Outdated
@@ -0,0 +1,52 @@ | |||
# Setting up an SSL cert | |||
|
|||
If you already have an SSL cert for your domain, follow these steps to use it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A link to some guidance re: obtaining an SSL cert would be nice, but we might not want to be prescriptive here.
serving/using-an-ssl-cert.md
Outdated
|
||
## Add the Certificate and Private Key into a secret | ||
|
||
Istio requires that the secret must be name `istio-ingressgateway-certs`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/s/name/named/
serving/using-an-ssl-cert.md
Outdated
@@ -0,0 +1,52 @@ | |||
# Setting up an SSL cert | |||
|
|||
If you already have an SSL cert for your domain, follow these steps to use it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something along the following lines might be better.
To use an SSL cert for your domain, follow the steps below.
serving/using-an-ssl-cert.md
Outdated
for your cluster. See instructions [here](./using-a-custom-domain.md) to set | ||
up a domain for your cluster. | ||
|
||
Note that due to Istio limitation we can only use one certificate for our |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would simplify this and say something like:
Knative supports only a single certificate for a cluster. If you will serve multiple domains in a cluster, make sure that the certificate is signed for all of those domains.
serving/using-an-ssl-cert.md
Outdated
|
||
## Add the Certificate and Private Key into a secret | ||
|
||
Istio requires that the secret must be name `istio-ingressgateway-certs`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wouldn't mention istio here. Just mention that the secret must be named that way.
serving/using-an-ssl-cert.md
Outdated
To create the secret, run the following command. | ||
|
||
```shell | ||
# Replace <cert.pk> and <cert.pem> in the following command with the correct |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would combine the line above and this. Something like:
Create a secret named '....' by running the commands below. The secret name must be exactly as shown in the command.
serving/using-an-ssl-cert.md
Outdated
|
||
## Configure the Knative shared Gateway to use the new secret | ||
|
||
Run this, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/s/run this/run/
serving/using-an-ssl-cert.md
Outdated
```shell | ||
kubectl edit gateway knative-shared-gateway -n knative-serving | ||
``` | ||
then update your Gateway spec to look like this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be more descriptive here. Say something like, add the red lines below to the file and mark the changes in red below.
@tcnghia will you have a chance to update the doc today based on the review feedback? |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rgregg, tcnghia The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This gives some instructions of how to use an SSL cert with Knative.
I am currently working on another version with LetsEncrypt (free SSL cert), but I'd like to check in the simple version for people to try out first, in case users already had a certificate.