$ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key=<path_to_key_file>- Documentation
- OpenShift Dedicated
- Serverless
- Knative Serving
- Configuring custom domains for Knative services
- Securing a mapped service using a TLS certificate history bug_report picture_as_pdf
- About
- Introduction to OpenShift Dedicated
- Red Hat OpenShift Cluster Manager
- Planning your environment
- Getting started
- Installing, accessing, and deleting OpenShift Dedicated clusters
- Cluster administration
- Security and compliance
- Authentication and authorization
- Upgrading
- CI/CD
- Add-on services
- Storage
- Registry
- Networking
- Applications
-
Logging
- Release notes
- About Logging
- Installing Logging
- Accessing the service logs
-
Configuring your Logging deployment
- About the Cluster Logging custom resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring Logging storage
- Configuring CPU and memory limits for Logging components
- Using tolerations to control Logging pod placement
- Moving the Logging resources with node selectors
- Maintenance and support
- Logging with the LokiStack
- Viewing logs for a specific resource
- Viewing cluster logs in Kibana
- Forwarding logs to third party systems
- Enabling JSON logging
- Collecting and storing Kubernetes events
- Updating Logging
- Viewing cluster dashboards
- Troubleshooting Logging
- Uninstalling Logging
- Exported fields
- Monitoring user-defined projects
-
Serverless
- Release notes
- About Serverless
- Installing Serverless
- Knative Serving
-
Eventing
- Knative Eventing
- Event sources
- Event sinks
- Brokers
-
Triggers
- Triggers overview
- Creating triggers from the web console
- Creating triggers from the command line
- Creating a trigger from the Administrator perspective
- List triggers from the command line
- Describe triggers from the command line
- Connecting a trigger to a sink
- Filtering triggers from the command line
- Updating triggers from the command line
- Deleting triggers from the command line
- Channels
- Subscriptions
- Event discovery
- Tuning eventing configuration
- kn-event plugin
-
Functions
- Setting up OpenShift Serverless Functions
- Getting started with functions
- Developing Quarkus functions
- Developing Node.js functions
- Developing TypeScript functions
- Using functions with Knative Eventing
- Function project configuration in func.yaml
- Accessing secrets and config maps from functions
- Adding annotations to functions
- Functions development reference guide
- Knative CLI
- Administer
- Security
- Observability
- Removing Serverless
- Serverless support
- Troubleshooting
×
Securing a mapped service using a TLS certificate
Securing a service with a custom domain by using a TLS certificate
After you have configured a custom domain for a Knative service, you can use a TLS certificate to secure the mapped service. To do this, you must create a Kubernetes TLS secret, and then update the DomainMapping CR to use the TLS secret that you
have created.
|
If you use To work around this issue, enable mTLS by deploying |
Prerequisites
-
You configured a custom domain for a Knative service and have a working
DomainMappingCR. -
You have a TLS certificate from your Certificate Authority provider or a self-signed certificate.
-
You have obtained the
certandkeyfiles from your Certificate Authority provider, or a self-signed certificate. -
Install the OpenShift CLI (
oc).
Procedure
-
Create a Kubernetes TLS secret:
-
If you are using Red Hat OpenShift Service Mesh as the ingress for your OpenShift Serverless installation, label the Kubernetes TLS secret with the following:
“networking.internal.knative.dev/certificate-uid": “<value>”If you are using a third-party secret provider such as cert-manager, you can configure your secret manager to label the Kubernetes TLS secret automatically. Cert-manager users can use the secret template offered to automatically generate secrets with the correct label. In this case, secret filtering is done based on the key only, but this value can carry useful information such as the certificate ID that the secret contains.
The cert-manager Operator for Red Hat OpenShift is a Technology Preview feature. For more information, see the Installing the cert-manager Operator for Red Hat OpenShift documentation.
-
Update the
DomainMappingCR to use the TLS secret that you have created:apiVersion: serving.knative.dev/v1alpha1 kind: DomainMapping metadata: name: <domain_name> namespace: <namespace> spec: ref: name: <service_name> kind: Service apiVersion: serving.knative.dev/v1 # TLS block specifies the secret to be used tls: secretName: <tls_secret_name>
Verification
-
Verify that the
DomainMappingCR status isTrue, and that theURLcolumn of the output shows the mapped domain with the schemehttps:$ oc get domainmapping <domain_name>Example outputNAME URL READY REASON example.com https://example.com True -
Optional: If the service is exposed publicly, verify that it is available by running the following command:
$ curl https://<domain_name>If the certificate is self-signed, skip verification by adding the
-kflag to thecurlcommand.