×

You can use an existing TLS certificate with a DomainMapping custom resource (CR) to secure the mapped service.

Prerequisites
  • You have completed the steps in Configuring a custom domain for a Knative service, and have a working DomainMapping CR.

  • You have a TLS certificate from your Certificate Authority provider, or a self-signed certificate.

  • You have obtained the cert and key files from your Certificate Authority provider, or a self-signed certificate.

Procedure
  1. Create a Kubernetes TLS secret:

    $ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key=<path_to_key_file>
  2. Update the DomainMapping CR to use the TLS secret you have created:

    apiVersion: serving.knative.dev/v1alpha1
    kind: DomainMapping
    metadata:
      name: <domain_name>
      namespace: <namespace>
    spec:
      ref:
        name: <service_name>
        kind: Service
        apiVersion: serving.knative.dev/v1
    # TLS block specifies the secret to be used
      tls:
        secretName: <tls_secret_name>
Verification
  1. Verify that the DomainMapping CR status is True, and that the URL column of the output shows the mapped domain with the scheme https:

    $ oc get domainmapping <domain_name>
    Example output
    NAME                      URL                               READY   REASON
    example.com               https://example.com               True
  2. Optional: If the service is exposed publicly, verify that it is available by running the following command:

    $ curl https://<domain_name>

    If the certificate is self-signed, skip verification by adding the -k flag to the curl command.