If you want to configure a Knative service to use your TLS certificate on OpenShift Container Platform, you must disable the automatic creation of a route for the service by the OpenShift Serverless Operator and instead manually create a route for the service.
When you complete the following procedure, the default OpenShift Container Platform route in the |
The OpenShift Serverless Operator and Knative Serving component must be installed on your OpenShift Container Platform cluster.
Install the OpenShift CLI (oc).
Create a Knative service that includes the serving.knative.openshift.io/disableRoute=true annotation:
Create a Knative Service resource:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: <service_name>
  annotations:
    serving.knative.openshift.io/disableRoute: "true"
spec:
  template:
    spec:
      containers:
      - image: <image>
...
Apply the Service resource:
$ oc apply -f <filename>
Optional. Create a Knative service by using the kn service create command:
$ kn service create <service_name> \
    --image=gcr.io/knative-samples/helloworld-go \
    --annotation serving.knative.openshift.io/disableRoute=true
Verify that no OpenShift Container Platform route has been created for the service:
$ oc get routes.route.openshift.io \
    -l "serving.knative.openshift.io/ingressName=$KSERVICE_NAME,serving.knative.openshift.io/ingressNamespace=$KSERVICE_NAMESPACE" \
    -n knative-serving-ingress
You will see the following output:
No resources found in knative-serving-ingress namespace.
Create a Route resource in the knative-serving-ingress namespace:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/timeout: 600s # (1)
  name: <route_name> # (2)
  namespace: knative-serving-ingress # (3)
spec:
  host: <service_host> # (4)
  port:
    targetPort: http2
  to:
    kind: Service
    name: kourier
    weight: 100
  tls:
    insecureEdgeTerminationPolicy: Allow
    termination: edge # (5)
    key: |-
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
  wildcardPolicy: None
(1) The timeout value for the OpenShift Container Platform route. You must set the same value as the max-revision-timeout-seconds setting (600s by default).
(2) The name of the OpenShift Container Platform route.
(3) The namespace for the OpenShift Container Platform route. This must be knative-serving-ingress.
(4) The hostname for external access. You can set this to <service_name>-<service_namespace>.<domain>.
(5) The certificates you want to use. Currently, only edge termination is supported.
Apply the Route resource:
$ oc apply -f <filename>
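A check you can run against the applied route, written for this page as an added example and not taken from the OpenShift documentation or tooling: it compares a Route (as JSON) with the values the callouts above require, rejects damaged PEM BEGIN/END lines, and flags insecureEdgeTerminationPolicy: Allow because that setting also serves the host over plaintext HTTP. The names lint_route, pem_framed and lint_route.py are hypothetical, and comparing the timeout by exact string equality is an assumption.

```python
import json, re, sys

# Expected values come from this page's Route manifest; exact string equality is an assumption.
NAMESPACE = "knative-serving-ingress"
TIMEOUT_KEY = "haproxy.router.openshift.io/timeout"
PEM_LABELS = {  # tls field -> (PEM label regex, required)
    "key": (r"(?:RSA |EC )?PRIVATE KEY", True),
    "certificate": (r"CERTIFICATE", True),
    "caCertificate": (r"CERTIFICATE", False),
}


def pem_framed(text, label):
    """True if text is one or more PEM blocks with intact BEGIN/END lines."""
    block = rf"-----BEGIN {label}-----\s+[A-Za-z0-9+/=\s]+?-----END {label}-----\s*"
    return re.fullmatch(rf"(?:{block})+", text.strip()) is not None


def lint_route(route, service_host, timeout="600s"):
    """Return findings for a Route given as a dict (parsed `oc get route -o json`)."""
    meta, spec = route.get("metadata", {}), route.get("spec", {})
    tls, to = spec.get("tls") or {}, spec.get("to") or {}
    findings = []
    if meta.get("namespace") != NAMESPACE:
        findings.append(f"ERROR namespace must be {NAMESPACE}")
    if (meta.get("annotations") or {}).get(TIMEOUT_KEY) != timeout:
        findings.append(f"ERROR {TIMEOUT_KEY} must equal {timeout}")
    if spec.get("host") != service_host:
        findings.append(f"ERROR host must be {service_host}")
    if (to.get("kind"), to.get("name")) != ("Service", "kourier"):
        findings.append("ERROR route must target Service kourier")
    if (spec.get("port") or {}).get("targetPort") != "http2":
        findings.append("ERROR targetPort must be http2")
    if tls.get("termination") != "edge":
        findings.append("ERROR only edge termination is supported")
    for field, (label, required) in PEM_LABELS.items():
        value = tls.get(field)
        if value is None and not required:
            continue  # caCertificate may be omitted
        if not value or not pem_framed(value, label):
            findings.append(f"ERROR tls.{field} is missing or has a damaged PEM frame")
    if tls.get("insecureEdgeTerminationPolicy") == "Allow":
        findings.append("WARN plaintext HTTP is also served; Redirect or None enforces TLS")
    return findings


if __name__ == "__main__":
    # oc get route <route_name> -n knative-serving-ingress -o json | python lint_route.py <service_host>
    print("\n".join(lint_route(json.load(sys.stdin), sys.argv[1])) or "OK")
```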