Knative uses OpenShift Container Platform TLS termination to provide routing for Knative services. When a Knative service is created, an OpenShift Container Platform route is automatically created for the service. This route is managed by the OpenShift Serverless Operator. The OpenShift Container Platform route exposes the Knative service through the same domain as the OpenShift Container Platform cluster.

You can disable Operator control of OpenShift Container Platform routing so that you can configure a Knative route to directly use your TLS certificates instead.

Knative routes can also be used alongside the OpenShift Container Platform route to provide additional fine-grained routing capabilities, such as traffic splitting.

Configuring OpenShift Container Platform routes for Knative services

If you want to configure a Knative service to use your TLS certificate on OpenShift Container Platform, you must disable the automatic creation of a route for the service by the OpenShift Serverless Operator, and instead manually create a Route resource for the service.

Prerequisites
  • The OpenShift Serverless Operator and Knative Serving component must be installed on your OpenShift Container Platform cluster.

Procedure
  1. Create a Knative service that includes the serving.knative.openshift.io/disableRoute=true annotation:

    Example YAML
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: <service_name>
      annotations:
        serving.knative.openshift.io/disableRoute: "true"
    spec:
      template:
        spec:
          containers:
          - image: <image>
    Example kn command
    $ kn service create hello-example \
      --image=gcr.io/knative-samples/helloworld-go \
      --annotation serving.knative.openshift.io/disableRoute=true
  2. Verify that no OpenShift Container Platform route has been created for the service. In the following command, $KSERVICE_NAME and $KSERVICE_NAMESPACE hold the name and namespace of the Knative service; both labels are passed in a single, comma-separated selector because a repeated -l flag overwrites the previous one rather than combining with it:

    Example command
    $ oc get routes.route.openshift.io -l serving.knative.openshift.io/ingressName=$KSERVICE_NAME,serving.knative.openshift.io/ingressNamespace=$KSERVICE_NAMESPACE -n knative-serving-ingress

    You should see the following output:

    No resources found in knative-serving-ingress namespace.
  3. Create a Route object in the knative-serving-ingress namespace by copying the following sample YAML and modifying the replaceable values:

    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      annotations:
        haproxy.router.openshift.io/timeout: 600s (1)
      name: <route_name> (2)
      namespace: knative-serving-ingress (3)
    spec:
      host: <service_host> (4)
      port:
        targetPort: http2
      to:
        kind: Service
        name: kourier
        weight: 100
      tls:
        insecureEdgeTerminationPolicy: Allow
        termination: edge (5)
        key: |-
          -----BEGIN PRIVATE KEY-----
          [...]
          -----END PRIVATE KEY-----
        certificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
        caCertificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
      wildcardPolicy: None
    1 The timeout value for the OpenShift Container Platform route. You must set the same value as the max-revision-timeout-seconds setting in the config-defaults ConfigMap in the knative-serving namespace (600s by default); a shorter route timeout cuts off long-running requests before Knative does.
    2 The name of the OpenShift Container Platform route.
    3 The namespace for the OpenShift Container Platform route. This must be knative-serving-ingress.
    4 The hostname for external access. You can set this to <service_name>-<service_namespace>.<domain>.
    5 The certificates you want to use. Currently, only edge termination is supported. Note that the private key is stored in the Route object itself, so anyone who can read Route resources in the knative-serving-ingress namespace can read the key; restrict that access accordingly. The sample sets insecureEdgeTerminationPolicy: Allow, which also serves the service over plain HTTP; set it to Redirect if clients must only reach the service over TLS.
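The three steps above as one script. This is an added example, not code from the OpenShift Serverless documentation or the Operator: it assumes kn and oc are installed and logged in, that the key, certificate and CA chain are PEM files on disk, and it chooses insecureEdgeTerminationPolicy: Redirect where the sample manifest uses Allow. The function names, the IMAGE variable and the route naming are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the OpenShift Serverless docs): the procedure above, end to end.
# Assumes `kn` and `oc` are on PATH and logged in, and TLS material is in PEM files.
set -eu

# Step 1: create the Knative service with Operator route creation disabled.
create_service() {
  local svc=$1 ns=$2 image=$3
  kn service create "$svc" -n "$ns" --image="$image" \
    --annotation serving.knative.openshift.io/disableRoute=true
}

# Step 2: succeed only if the Operator created no route for this service.
# One -l with comma-separated terms ANDs both labels (a repeated -l would overwrite).
verify_no_operator_route() {
  local svc=$1 ns=$2
  [ -z "$(oc get routes.route.openshift.io -n knative-serving-ingress \
            -l "serving.knative.openshift.io/ingressName=${svc},serving.knative.openshift.io/ingressNamespace=${ns}" \
            -o name)" ]
}

# Sanity check before applying: the certificate must carry the public key of the private key.
cert_matches_key() {
  local key=$1 cert=$2
  [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl x509 -in "$cert" -pubkey -noout)" ]
}

# Step 3: render the Route manifest. PEM files are read from disk and indented under the
# block scalars, so no secret ever appears on a command line or in shell history.
# Redirect (rather than the sample's Allow) sends plain-HTTP clients to HTTPS instead of
# serving them in clear text.
render_route_yaml() {
  local name=$1 host=$2 key=$3 cert=$4 ca=$5 timeout=${6:-600s}
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: ${name}
  namespace: knative-serving-ingress
  annotations:
    haproxy.router.openshift.io/timeout: ${timeout}
spec:
  host: ${host}
  port:
    targetPort: http2
  to:
    kind: Service
    name: kourier
    weight: 100
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
    key: |-
$(sed 's/^/      /' "$key")
    certificate: |-
$(sed 's/^/      /' "$cert")
    caCertificate: |-
$(sed 's/^/      /' "$ca")
  wildcardPolicy: None
EOF
}

# Steps 1-3 in order; abort if an Operator route exists or the cert and key do not match.
create_tls_route() {
  local svc=$1 ns=$2 domain=$3 key=$4 cert=$5 ca=$6
  local image=${IMAGE:-gcr.io/knative-samples/helloworld-go}   # IMAGE is this example's own knob
  create_service "$svc" "$ns" "$image"
  verify_no_operator_route "$svc" "$ns" || { echo "Operator-managed route exists for ${svc}; aborting" >&2; return 1; }
  cert_matches_key "$key" "$cert" || { echo "certificate does not match private key" >&2; return 1; }
  render_route_yaml "$svc" "${svc}-${ns}.${domain}" "$key" "$cert" "$ca" | oc apply -f -
}

# Usage: ./knative-tls-route.sh <service> <namespace> <domain> key.pem cert.pem ca.pem
# Run without arguments, the script only defines the functions above.
if [ "$#" -eq 6 ]; then
  create_tls_route "$@"
fi
```

render_route_yaml can be run on its own and piped to oc apply --dry-run=server -f - to have the API server validate the manifest before anything is created; the host passed in must match the CN or a SAN of the certificate, or browsers will reject the edge-terminated connection.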