How to use paid SSL cert with Knative #146

Merged
merged 7 commits into from
Jul 19, 2018

@tcnghia tcnghia commented Jul 17, 2018

This gives some instructions on how to use an SSL cert with Knative.

I am currently working on another version with LetsEncrypt (free SSL cert), but I'd like to check in the simple version for people to try out first, in case users already had a certificate.

@tcnghia tcnghia requested a review from rgregg July 17, 2018 15:37
@google-prow-robot google-prow-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 17, 2018

tcnghia commented Jul 17, 2018

@mdemirhan

@jonjohnsonjr jonjohnsonjr left a comment

Some nits

for your cluster. See instructions [here](./using-a-custom-domain.md) to set
up a domain for your cluster.

Note that due to Istio limitation we can only use one certificate for our

Istio limitations,

up a domain for your cluster.

Note that due to Istio limitation we can only use one certificate for our
cluster -- as a result you will need to make sure that your certificate is
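
Review bot: the one-certificate constraint in "we can only use one certificate for our cluster" is a requirement the reader has to verify before installing the cert, and these lines do not say how. Suggest stating the check next to it: every domain served by the cluster must appear in the certificate's subject alternative names, and the text should say whether a wildcard certificate is acceptable.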

cluster. As a result,


## Add the Certificate and Private Key into a secret

Istio requires that the secret must be name `istio-ingressgateway-certs`.

must be named

kubectl edit gateway knative-shared-gateway -n knative-serving
```
then update your Gateway spec to look like this
```

Does yaml work for syntax highlighting here?

@@ -0,0 +1,52 @@
# Setting up an SSL cert

If you already have an SSL cert for your domain, follow these steps to use it

A link to some guidance re: obtaining an SSL cert would be nice, but we might not want to be prescriptive here.


## Add the Certificate and Private Key into a secret

Istio requires that the secret must be name `istio-ingressgateway-certs`.

/s/name/named/

@@ -0,0 +1,52 @@
# Setting up an SSL cert

If you already have an SSL cert for your domain, follow these steps to use it

Something along the following lines might be better.

To use an SSL cert for your domain, follow the steps below.

for your cluster. See instructions [here](./using-a-custom-domain.md) to set
up a domain for your cluster.

Note that due to Istio limitation we can only use one certificate for our

I would simplify this and say something like:

Knative supports only a single certificate for a cluster. If you will serve multiple domains in a cluster, make sure that the certificate is signed for all of those domains.


## Add the Certificate and Private Key into a secret

Istio requires that the secret must be name `istio-ingressgateway-certs`.

I wouldn't mention istio here. Just mention that the secret must be named that way.

To create the secret, run the following command.

```shell
# Replace <cert.pk> and <cert.pem> in the following command with the correct

I would combine the line above and this. Something like:

Create a secret named '....' by running the commands below. The secret name must be exactly as shown in the command.


## Configure the Knative shared Gateway to use the new secret

Run this,

/s/run this/run/

```shell
kubectl edit gateway knative-shared-gateway -n knative-serving
```
then update your Gateway spec to look like this
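
Review bot: the `kubectl edit gateway knative-shared-gateway -n knative-serving` step gives the reader no way back if the edited spec is wrong, and it is applied to a gateway that the whole cluster shares. Suggest adding a line before it that saves the current Gateway spec to a file, and starting "then update your Gateway spec to look like this" with a capital and ending it with a colon so it reads as its own step.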

I would be more descriptive here. Say something like, add the red lines below to the file and mark the changes in red below.

rgregg commented Jul 19, 2018

@tcnghia will you have a chance to update the doc today based on the review feedback?

@google-prow-robot google-prow-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 19, 2018
@google-prow-robot google-prow-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 19, 2018

rgregg commented Jul 19, 2018

/lgtm
/approve

@google-prow-robot google-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 19, 2018
@google-prow-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rgregg, tcnghia

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Labels
lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

5 participants