From 417ee9523139072e48121ad23a1f862635a1fa10 Mon Sep 17 00:00:00 2001 From: Zhimin Xiang Date: Sat, 4 Jan 2020 00:54:15 +0000 Subject: [PATCH 1/5] initial version of auto tls instruction --- docs/serving/using-auto-tls.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/serving/using-auto-tls.md b/docs/serving/using-auto-tls.md index abd2314b1e5..78703de5b38 100644 --- a/docs/serving/using-auto-tls.md +++ b/docs/serving/using-auto-tls.md @@ -10,6 +10,12 @@ automatically obtain new TLS certificates and renew existing ones. To learn more about using secure connections in Knative, see [Configuring HTTPS with TLS certificates](./using-a-tls-cert.md). +## Auto TLS types +In Knative, we support 3 types of Auto TLS: +1. Certificate per Knative Service using HTTP01 challenge +2. Certificate per namespace using DNS challenge +3. Certificate per Knative Service using DNS challenge + ## Before you begin You must meet the following prerequisites to enable automatic certificate @@ -19,7 +25,7 @@ provisioning: - [Knative Serving](../install/). - [Istio with SDS, version 1.1 or higher](../install/installing-istio.md#installing-istio-with-SDS-to-secure-the-ingress-gateway) or [Gloo, version 0.18.16 or higher](../install/Knative-with-Gloo.md). Note: Currently, [Ambassador](https://github.com/datawire/ambassador) is unsupported. - - [cert-manager version `0.6.1` or higher](./installing-cert-manager.md). + - [cert-manager version `0.12.0` or higher](./installing-cert-manager.md). - Your Knative cluster must be configured to use a [custom domain](./using-a-custom-domain.md). - Your DNS provider must be setup and configured to your domain. From 5dd1cce26a8b463e6f3cd5c5f06f6da26734eae5 Mon Sep 17 00:00:00 2001 
From: Zhimin Xiang Date: Sat, 4 Jan 2020 07:36:28 +0000 Subject: [PATCH 2/5] Update auto-tls doc to mention namespace cert feature and http01 challenge feature --- docs/serving/using-auto-tls.md | 397 +++++++++++++++++++-------------- 1 file changed, 224 insertions(+), 173 deletions(-) diff --git a/docs/serving/using-auto-tls.md b/docs/serving/using-auto-tls.md index 78703de5b38..99bfcf7bc1e 100644 --- a/docs/serving/using-auto-tls.md +++ b/docs/serving/using-auto-tls.md 
@@ -6,15 +6,34 @@ type: "docs" --- If you install and configure cert-manager, you can configure Knative to -automatically obtain new TLS certificates and renew existing ones. To learn more -about using secure connections in Knative, see +automatically obtain new TLS certificates and renew existing ones for Knative +Service. +To learn more about using secure connections in Knative, see [Configuring HTTPS with TLS certificates](./using-a-tls-cert.md). -## Auto TLS types -In Knative, we support 3 types of Auto TLS: -1. Certificate per Knative Service using HTTP01 challenge -2. Certificate per namespace using DNS challenge -3. Certificate per Knative Service using DNS challenge +## Automatic TLS provision mode + +In Knative, we support the following modes of Auto TLS: + +1. Using DNS01 challenge + + In this mode, your cluster needs to be able to talk to your DNS server to verify the ownership of your domain. + Specifically, when using DNS challenge, we support: + - **Provision Certificate per namespace:** + - In this mode, a single Certificate will be provisioned per namespace and be reused across the Knative + Services within the same namespace if possible. + - If you want to have a fast certificate provision process, this way is + recommended. + + - **Provision Certificate per Knative Service:** + - In this mode, a Certificate will be provisioned for each Knative Service. + - If you want to have better certificate isolation between each Knative Service, you can choose this way. + - The TLS effective time is longer as it needs Certificate provision for each Knative Service creation. + +1. Using HTTP01 challenge + + - In this type, your cluster does not need to be able to talk to your DNS server. You just need to map your domain to the IP of the cluser ingress. + - When using HTTP01 challenge, **Certificate will be provisioned per Knative Service.** Certificate provision per namespace is not supported when using HTTP01 challenge. ## Before you begin 
@@ -29,37 +48,27 @@ provisioning: - Your Knative cluster must be configured to use a [custom domain](./using-a-custom-domain.md). - Your DNS provider must be setup and configured to your domain. +- If you want to use HTTP01 challenge, you need to configure your custom +domain to map to the IP of ingress. ## Enabling automatic certificate provisioning To enable support for automatic TLS certificate provisioning in Knative: -1. Determine if `networking-certmanager` is already installed by running the  - following command: - - ```shell - kubectl get deployment networking-certmanager -n knative-serving - ``` - -1. If `networking-certmanager` is not found, run the following command: - - ```shell - kubectl apply --filename https://github.com/knative/serving/releases/download/{{< version >}}/serving-cert-manager.yaml - ``` - -1. Create and add the `ClusterIssuer` configuration file to your Knative cluster - to define who issues the TLS certificates, how requests are validated - (`DNS-01`), and which DNS provider validates those requests. +### Step 1: Create cert-manager ClusterIssuer - 1. Create the `ClusterIssuer` file: +Create and add the `ClusterIssuer` configuration file to your Knative cluster +to define who issues the TLS certificates, how requests are validated, +and which DNS provider validates those requests. - Use the cert-manager reference to determine how to configure your - `ClusterIssuer` file: +1. 
ClusterIssuer for DNS01 challenge - - See the generic - [`ClusterIssuer` example](https://docs.cert-manager.io/en/latest/tasks/issuers/setup-acme.html#creating-a-basic-acme-issuer) - - Also see the - [`DNS-01` example](https://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/index.html) + Use the cert-manager reference to determine how to configure your + `ClusterIssuer` file: + - See the generic + [`ClusterIssuer` example](https://docs.cert-manager.io/en/latest/tasks/issuers/setup-acme.html#creating-a-basic-acme-issuer) + - Also see the + [`DNS01` example](https://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/index.html) **Example**: Cloud DNS `ClusterIssuer` configuration file: @@ -71,11 +80,10 @@ To enable support for automatic TLS certificate provisioning in Knative: [Configuring HTTPS with cert-manager and Google Cloud DNS](./using-cert-manager-on-gcp.md). ```shell - apiVersion: certmanager.k8s.io/v1alpha1 + apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: - name: letsencrypt-issuer - namespace: cert-manager + name: letsencrypt-dns-issuer spec: acme: server: https://acme-v02.api.letsencrypt.org/directory 
@@ -84,170 +92,213 @@ To enable support for automatic TLS certificate provisioning in Knative: email: myemail@gmail.com privateKeySecretRef: # Set privateKeySecretRef to any unused secret name. - name: letsencrypt-issuer - dns01: - providers: - - name: cloud-dns-provider - clouddns: - # Set this to your GCP project-id - project: $PROJECT_ID - # Set this to the secret that we publish our service account key - # in the previous step. - serviceAccountSecretRef: - name: cloud-dns-key - key: key.json + name: letsencrypt-dns-issuer + solvers: + - dns01: + clouddns: + # Set this to your GCP project-id + project: $PROJECT_ID + # Set this to the secret that we publish our service account key + # in the previous step. + serviceAccountSecretRef: + name: cloud-dns-key + key: key.json ``` - 1. Add your `ClusterIssuer` configuration to your Knative cluster by running - the following commands, where `` is the name of the file that - you created: +1. ClusterIssuer for HTTP01 challenge - 1. Add the configuration file to Knative: + Run the following command to apply the ClusterIssuer for HTT01 challenge: + ```shell + kubectl apply -f - <.yaml - ``` +Ensure that the ClusterIssuer is created successfully: - 1. Ensure that the file is created successfully: +```shell +kubectl get clusterissuer --output yaml +``` - ```shell - kubectl get clusterissuer --namespace cert-manager letsencrypt-issuer --output yaml - ``` +Result: The `Status.Conditions` should include `Ready=True`. - Result: The `Status.Conditions` should include `Ready=True`. -1. Update your - [`config-certmanager` ConfigMap](https://github.com/knative/serving/blob/master/config/config-certmanager.yaml) - in the `knative-serving` namespace to define your new `ClusterIssuer` - configuration and your your DNS provider. +### Step 2: Install networking-certmanager deployment - 1. Run the following command to edit your `config-certmanager` ConfigMap: +1. 
Determine if `networking-certmanager` is already installed by running the + following command: - ```shell - kubectl edit configmap config-certmanager --namespace knative-serving - ``` + ```shell + kubectl get deployment networking-certmanager -n knative-serving + ``` - 1. Add the `issuerRef` and `solverConfig` sections within the `data` section: +1. If `networking-certmanager` is not found, run the following command: - ```shell - ... - data: - ... - issuerRef: | - kind: ClusterIssuer - name: letsencrypt-issuer - - solverConfig: | - dns01: - provider: cloud-dns-provider - ``` + ```shell + kubectl apply --filename https://github.com/knative/serving/releases/download/v{{< version >}}/serving-cert-manager.yaml + ``` - Example: +### Step 3: Install networking-ns-cert component - ```shell - apiVersion: v1 - kind: ConfigMap - metadata: - name: config-certmanager - namespace: knative-serving - labels: - networking.knative.dev/certificate-provider: cert-manager - data: - issuerRef: | - kind: ClusterIssuer - name: letsencrypt-issuer - solverConfig: | - dns01: - provider: cloud-dns-provider - ``` +If you choose to use the mode of provisioning certificate per namespace, you need to install `networking-ns-cert` components. - 1. Ensure that the file was updated successfully: +1. Determine if `networking-ns-cert` deployment is already installed by +running the following command: - ```shell - kubectl get configmap config-certmanager --namespace knative-serving --output yaml - ``` + ```shell + kubectl get deployment networking-ns-cert -n knative-serving + ``` -1. Update the - [`config-network` ConfigMap](https://github.com/knative/serving/blob/master/config/config-network.yaml) - in the `knative-serving` namespace to enable `autoTLS`and specify how HTTP - requests are handled: +1. If `networking-ns-cert` deployment is not found, run the following command: - 1. 
Run the following command to edit your `config-network` ConfigMap: + ```shell + kubectl apply --filename https://github.com/knative/serving/releases/download/v{{< version >}}/serving-nscert.yaml + ``` - ```shell - kubectl edit configmap config-network --namespace knative-serving - ``` +### Step 4: Configure config-certmanager ConfigMap - 1. Add the `autoTLS: Enabled` attribute under the `data` section: +Update your [`config-certmanager` ConfigMap](https://github.com/knative/serving/blob/master/config/config-certmanager.yaml) +in the `knative-serving` namespace to reference your new `ClusterIssuer`. - ```shell - ... - data: - ... - autoTLS: Enabled - ... - ``` +1. Run the following command to edit your `config-certmanager` ConfigMap: + + ```shell + kubectl edit configmap config-certmanager --namespace knative-serving + ``` - Example: +1. Add the `issuerRef` within the `data` section: - ```shell - apiVersion: v1 - kind: ConfigMap - metadata: - name: config-network - namespace: knative-serving - data: - ... - autoTLS: Enabled - ... - ``` + ```shell + ... + data: + ... + issuerRef: | + kind: ClusterIssuer + name: letsencrypt-issuer + ``` + + Example: + + ```shell + apiVersion: v1 + kind: ConfigMap + metadata: + name: config-certmanager + namespace: knative-serving + labels: + networking.knative.dev/certificate-provider: cert-manager + data: + issuerRef: | + kind: ClusterIssuer + name: letsencrypt-http01-issuer + ``` + + `issueRef` defines which `ClusterIssuer` will be used by Knative to issue + certificates. + +1. Ensure that the file was updated successfully: + + ```shell + kubectl get configmap config-certmanager --namespace knative-serving --output yaml + ``` + +### Step 5: Turn on Auto TLS + +Update the +[`config-network` ConfigMap](https://github.com/knative/serving/blob/master/config/config-network.yaml) +in the `knative-serving` namespace to enable `autoTLS`and specify how HTTP +requests are handled: + +1. 
Run the following command to edit your `config-network` ConfigMap: - 1. Configure how HTTP and HTTPS requests are handled in the - [`httpProtocol`](https://github.com/knative/serving/blob/master/config/config-network.yaml#L110) - attribute. - - By default, Knative ingress is configured to serve HTTP traffic - (`httpProtocol: Enabled`). Now that your cluster is configured to use TLS - certificates and handle HTTPS traffic, you can specify whether or not any - HTTP traffic is allowed. - - Supported `httpProtocol` values: - - - `Enabled`: Serve HTTP traffic. - - `Disabled`: Rejects all HTTP traffic. - - `Redirected`: Responds to HTTP request with a `302` redirect to ask the - clients to use HTTPS. - - - ```shell - ... - data: - ... - autoTLS: Enabled - ... - ``` - - Example: - - ```shell - apiVersion: v1 - kind: ConfigMap - metadata: - name: config-network - namespace: knative-serving - data: - ... - autoTLS: Enabled - ... - httpProtocol: Redirected - ... - ``` - - 1. Ensure that the file was updated successfully: - - ```shell - kubectl get configmap config-network --namespace knative-serving --output yaml - ``` + ```shell + kubectl edit configmap config-network --namespace knative-serving + ``` + +1. Add the `autoTLS: Enabled` attribute under the `data` section: + + ```shell + ... + data: + ... + autoTLS: Enabled + ... + ``` + + Example: + + ```shell + apiVersion: v1 + kind: ConfigMap + metadata: + name: config-network + namespace: knative-serving + data: + ... + autoTLS: Enabled + ... + ``` + +1. Configure how HTTP and HTTPS requests are handled in the + [`httpProtocol`](https://github.com/knative/serving/blob/master/config/config-network.yaml#L110) + attribute. + + By default, Knative ingress is configured to serve HTTP traffic + (`httpProtocol: Enabled`). Now that your cluster is configured to use TLS + certificates and handle HTTPS traffic, you can specify whether or not any + HTTP traffic is allowed. 
+ + Supported `httpProtocol` values: + + - `Enabled`: Serve HTTP traffic. + - `Disabled`: Rejects all HTTP traffic. + - `Redirected`: Responds to HTTP request with a `302` redirect to ask the + clients to use HTTPS. + + ```shell + ... + data: + ... + autoTLS: Enabled + ... + ``` + + Example: + + ```shell + apiVersion: v1 + kind: ConfigMap + metadata: + name: config-network + namespace: knative-serving + data: + ... + autoTLS: Enabled + ... + httpProtocol: Redirected + ... + ``` + + **Note:** + When using HTTP01 challenge, `httpProtocol` field has to be set to `Enabled` to make sure HTTP01 challenge requests can be accepted by the cluster. + +1. Ensure that the file was updated successfully: + + ```shell + kubectl get configmap config-network --namespace knative-serving --output yaml + ``` Congratulations! Knative is now configured to obtain and renew TLS certificates. When your TLS certificate is active on your cluster, your Knative services will From 3e728525ad24f35d282bad9f023ee8b5caffaab0 Mon Sep 17 00:00:00 2001 From: Zhimin Xiang Date: Mon, 13 Jan 2020 23:55:49 +0000 Subject: [PATCH 3/5] address comments --- docs/serving/using-auto-tls.md | 74 ++++++++++++++++++++-------------- 1 file changed, 44 insertions(+), 30 deletions(-) diff --git a/docs/serving/using-auto-tls.md b/docs/serving/using-auto-tls.md index 99bfcf7bc1e..f5eaf7870e4 100644 --- a/docs/serving/using-auto-tls.md +++ b/docs/serving/using-auto-tls.md 
@@ -7,61 +7,60 @@ type: "docs" If you install and configure cert-manager, you can configure Knative to automatically obtain new TLS certificates and renew existing ones for Knative -Service. +Services. To learn more about using secure connections in Knative, see [Configuring HTTPS with TLS certificates](./using-a-tls-cert.md). ## Automatic TLS provision mode -In Knative, we support the following modes of Auto TLS: +Knative supports the following Auto TLS modes: -1. Using DNS01 challenge +1. Using DNS-01 challenge In this mode, your cluster needs to be able to talk to your DNS server to verify the ownership of your domain. - Specifically, when using DNS challenge, we support: - - **Provision Certificate per namespace:** - - In this mode, a single Certificate will be provisioned per namespace and be reused across the Knative - Services within the same namespace if possible. - - If you want to have a fast certificate provision process, this way is - recommended. - - - **Provision Certificate per Knative Service:** + - **Provision Certificate per namespace is supported when using DNS-01 challenge mode.** + - This is the recommended mode for faster certificate provision. + - In this mode, a single Certificate will be provisioned per namespace and is reused across the Knative Services within the same namespace. + + - **Provision Certificate per namespace is supported when using DNS-01 challenge mode.** + - This is the recommended mode for better certificate islation between Knative Services. - In this mode, a Certificate will be provisioned for each Knative Service. - - If you want to have better certificate isolation between each Knative Service, you can choose this way. - The TLS effective time is longer as it needs Certificate provision for each Knative Service creation. -1. Using HTTP01 challenge +1. Using HTTP-01 challenge - - In this type, your cluster does not need to be able to talk to your DNS server. 
You just need to map your domain to the IP of the cluser ingress. - - When using HTTP01 challenge, **Certificate will be provisioned per Knative Service.** Certificate provision per namespace is not supported when using HTTP01 challenge. + - In this type, your cluster does not need to be able to talk to your DNS server. You just + need to map your domain to the IP of the cluser ingress. You can achieve this by adding a + DNS A record to map the domain to the IP according to the instructions of your DNS + provider. + - When using HTTP-01 challenge, **a certificate will be provisioned per Knative Service.** Certificate provision per namespace is not supported when using HTTP-01 challenge. ## Before you begin -You must meet the following prerequisites to enable automatic certificate -provisioning: +You must meet the following prerequisites to enable auto TLS: - The following must be installed on your Knative cluter: - [Knative Serving](../install/). - - [Istio with SDS, version 1.1 or higher](../install/installing-istio.md#installing-istio-with-SDS-to-secure-the-ingress-gateway) or [Gloo, version 0.18.16 or higher](../install/Knative-with-Gloo.md). + - [Istio with SDS, version 1.3 or higher](../install/installing-istio.md#installing-istio-with-SDS-to-secure-the-ingress-gateway) or [Gloo, version 0.18.16 or higher](../install/Knative-with-Gloo.md). Note: Currently, [Ambassador](https://github.com/datawire/ambassador) is unsupported. - [cert-manager version `0.12.0` or higher](./installing-cert-manager.md). - Your Knative cluster must be configured to use a [custom domain](./using-a-custom-domain.md). - Your DNS provider must be setup and configured to your domain. -- If you want to use HTTP01 challenge, you need to configure your custom +- If you want to use HTTP-01 challenge, you need to configure your custom domain to map to the IP of ingress. 
-## Enabling automatic certificate provisioning +## Enabling Auto TLS -To enable support for automatic TLS certificate provisioning in Knative: +To enable support for Auto TLS in Knative: ### Step 1: Create cert-manager ClusterIssuer -Create and add the `ClusterIssuer` configuration file to your Knative cluster +1. Create and add the `ClusterIssuer` configuration file to your Knative cluster to define who issues the TLS certificates, how requests are validated, and which DNS provider validates those requests. -1. ClusterIssuer for DNS01 challenge + #### ClusterIssuer for DNS-01 challenge Use the cert-manager reference to determine how to configure your `ClusterIssuer` file: @@ -105,7 +104,7 @@ and which DNS provider validates those requests. key: key.json ``` -1. ClusterIssuer for HTTP01 challenge + #### ClusterIssuer for HTTP-01 challenge Run the following command to apply the ClusterIssuer for HTT01 challenge: ```shell @@ -126,13 +125,13 @@ and which DNS provider validates those requests. EOF ``` -Ensure that the ClusterIssuer is created successfully: +1. Ensure that the ClusterIssuer is created successfully: -```shell -kubectl get clusterissuer --output yaml -``` + ```shell + kubectl get clusterissuer --output yaml + ``` -Result: The `Status.Conditions` should include `Ready=True`. + Result: The `Status.Conditions` should include `Ready=True`. ### Step 2: Install networking-certmanager deployment @@ -292,7 +291,7 @@ requests are handled: ``` **Note:** - When using HTTP01 challenge, `httpProtocol` field has to be set to `Enabled` to make sure HTTP01 challenge requests can be accepted by the cluster. + When using HTTP-01 challenge, `httpProtocol` field has to be set to `Enabled` to make sure HTTP-01 challenge requests can be accepted by the cluster. 1. Ensure that the file was updated successfully: 
@@ -303,3 +302,18 @@ requests are handled: Congratulations! Knative is now configured to obtain and renew TLS certificates. When your TLS certificate is active on your cluster, your Knative services will be able to handle HTTPS traffic. + +### Step 6: Verify Auto TLS + +1. Run the following comand to create a Knative Service: + ```shell + kubectl apply -f https://raw.githubusercontent.com/knative/docs/master/docs/serving/samples/autoscale-go/service.yaml + ``` + +1. When the certificate is provisioned (which could take up to several minutes depending on + the challenge type), you should see something like: + ``` + NAME URL LATESTCREATED LATESTREADY READY REASON + autoscale-go https://autoscale-go.default.{custom-domain} autoscale-go-6jf85 autoscale-go-6jf85 True + + Note that the URL will be **https** in this case. \ No newline at end of file From 526d2e4febb7310fdc77e576cbebdddb35869bee Mon Sep 17 00:00:00 2001 From: Zhimin Xiang Date: Tue, 14 Jan 2020 00:05:04 +0000 Subject: [PATCH 4/5] fix format --- docs/serving/using-auto-tls.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/serving/using-auto-tls.md b/docs/serving/using-auto-tls.md index f5eaf7870e4..f424543a8f1 100644 --- a/docs/serving/using-auto-tls.md +++ b/docs/serving/using-auto-tls.md @@ -30,9 +30,7 @@ Knative supports the following Auto TLS modes: 1. Using HTTP-01 challenge - In this type, your cluster does not need to be able to talk to your DNS server. You just - need to map your domain to the IP of the cluser ingress. You can achieve this by adding a - DNS A record to map the domain to the IP according to the instructions of your DNS - provider. + need to map your domain to the IP of the cluser ingress. - When using HTTP-01 challenge, **a certificate will be provisioned per Knative Service.** Certificate provision per namespace is not supported when using HTTP-01 challenge. ## Before you begin 
@@ -48,7 +46,7 @@ You must meet the following prerequisites to enable auto TLS: [custom domain](./using-a-custom-domain.md). - Your DNS provider must be setup and configured to your domain. - If you want to use HTTP-01 challenge, you need to configure your custom -domain to map to the IP of ingress. +domain to map to the IP of ingress. You can achieve this by adding a DNS A record to map the domain to the IP according to the instructions of your DNS provider. ## Enabling Auto TLS @@ -60,7 +58,7 @@ To enable support for Auto TLS in Knative: to define who issues the TLS certificates, how requests are validated, and which DNS provider validates those requests. - #### ClusterIssuer for DNS-01 challenge + #### ClusterIssuer for DNS-01 challenge Use the cert-manager reference to determine how to configure your `ClusterIssuer` file: @@ -104,9 +102,10 @@ and which DNS provider validates those requests. key: key.json ``` - #### ClusterIssuer for HTTP-01 challenge + #### ClusterIssuer for HTTP-01 challenge Run the following command to apply the ClusterIssuer for HTT01 challenge: + ```shell kubectl apply -f - < Date: Wed, 22 Jan 2020 21:35:32 +0000 Subject: [PATCH 5/5] address comments --- docs/serving/using-auto-tls.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/serving/using-auto-tls.md b/docs/serving/using-auto-tls.md index f424543a8f1..24af2d84211 100644 --- a/docs/serving/using-auto-tls.md +++ b/docs/serving/using-auto-tls.md @@ -52,7 +52,7 @@ domain to map to the IP of ingress. You can achieve this by adding a DNS A recor To enable support for Auto TLS in Knative: -### Step 1: Create cert-manager ClusterIssuer +### Create cert-manager ClusterIssuer 1. Create and add the `ClusterIssuer` configuration file to your Knative cluster to define who issues the TLS certificates, how requests are validated, 
@@ -133,7 +133,7 @@ and which DNS provider validates those requests. Result: The `Status.Conditions` should include `Ready=True`. -### Step 2: Install networking-certmanager deployment +### Install networking-certmanager deployment 1. Determine if `networking-certmanager` is already installed by running the following command: @@ -148,7 +148,7 @@ and which DNS provider validates those requests. kubectl apply --filename https://github.com/knative/serving/releases/download/v{{< version >}}/serving-cert-manager.yaml ``` -### Step 3: Install networking-ns-cert component +### Install networking-ns-cert component If you choose to use the mode of provisioning certificate per namespace, you need to install `networking-ns-cert` components. @@ -165,7 +165,7 @@ running the following command: kubectl apply --filename https://github.com/knative/serving/releases/download/v{{< version >}}/serving-nscert.yaml ``` -### Step 4: Configure config-certmanager ConfigMap +### Configure config-certmanager ConfigMap Update your [`config-certmanager` ConfigMap](https://github.com/knative/serving/blob/master/config/config-certmanager.yaml) in the `knative-serving` namespace to reference your new `ClusterIssuer`. @@ -212,7 +212,7 @@ in the `knative-serving` namespace to reference your new `ClusterIssuer`. kubectl get configmap config-certmanager --namespace knative-serving --output yaml ``` -### Step 5: Turn on Auto TLS +### Turn on Auto TLS Update the [`config-network` ConfigMap](https://github.com/knative/serving/blob/master/config/config-network.yaml) @@ -302,7 +302,7 @@ Congratulations! Knative is now configured to obtain and renew TLS certificates. When your TLS certificate is active on your cluster, your Knative services will be able to handle HTTPS traffic. -### Step 6: Verify Auto TLS +### Verify Auto TLS 1. Run the following comand to create a Knative Service: ```shell
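Review bot: In PATCH 2/5, hunk `@@ -71,11 +80,10 @@`, the `ClusterIssuer` manifest is still inside a fence tagged `shell` although the content is YAML, and the same applies to the ConfigMap snippets later in the patch. Tag these fences `yaml` so that only the `kubectl` lines read as commands to paste into a terminal. Dropping `namespace: cert-manager` from `metadata` is right for a cluster-scoped resource, but the retained comment "in the previous step" on `serviceAccountSecretRef` points at a step that is not on this page; say that the `cloud-dns-key` secret comes from the linked Cloud DNS guide.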
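Review bot: In PATCH 2/5, hunk `@@ -84,170 +92,213 @@`, the `httpProtocol` step contradicts itself for HTTP-01 users: the example ConfigMap sets `httpProtocol: Redirected`, and only the note after it says the field has to be `Enabled` for HTTP-01 challenge requests to be accepted. Anyone copying the example while using the HTTP-01 issuer ends up with a configuration the note says will not work, so move the note above the example, show one example per challenge type, and state plainly that HTTP-01 mode leaves plain HTTP served by the ingress. The first snippet in that step also shows only `autoTLS: Enabled` and never the `httpProtocol` key it is meant to illustrate. Separately, in the `config-certmanager` section the `issuerRef` snippet uses `name: letsencrypt-issuer`, which matches neither the renamed `letsencrypt-dns-issuer` nor the `letsencrypt-http01-issuer` used in the example below it, and the explanatory sentence spells the key `issueRef`.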
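Review bot: In PATCH 3/5, hunk `@@ -7,61 +7,60 @@`, both bold bullets under "Using DNS-01 challenge" now read "Provision Certificate per namespace is supported when using DNS-01 challenge mode."; the second one heads the sub-bullets that say "a Certificate will be provisioned for each Knative Service" and should read "per Knative Service". As written, the page no longer names the per-Service option under DNS-01, which is the one recommended for certificate isolation. The same hunk introduces "islation" and carries over "cluser" in the HTTP-01 bullet.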
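Review bot: In PATCH 3/5, hunk `@@ -303,3 +302,18 @@`, the fence opened before the `NAME URL LATESTCREATED ...` output is never closed, so "Note that the URL will be **https** in this case." renders inside the code block, and the file ends without a trailing newline. The second step also says "you should see something like" without giving the command that produces that output; add the command (for example `kubectl get ksvc autoscale-go`) before the sample output. "comand" in the first step is a typo.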
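Review bot: In PATCH 4/5, hunk `@@ -48,7 +46,7 @@`, the changed continuation line "domain to map to the IP of ingress. You can achieve this ..." still starts at column 0 under a `-` bullet, so it depends on lazy continuation to stay in the list item. Indent it by two spaces to match the other wrapped bullets in this list, and wrap the long line. In hunk `@@ -104,9 +102,10 @@` of the same patch, the context line "apply the ClusterIssuer for HTT01 challenge" still carries the "HTT01" typo; since this commit is the formatting pass, change it to "HTTP-01" here to match the naming adopted in PATCH 3/5.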