Configuring HTTPS with cert-manager and Google Cloud DNS

    The following guide demonstrates how to set up Knative to serve HTTPS requests on Google Cloud Platform, using cert-manager to obtain TLS certificates from Let's Encrypt and Google Cloud DNS as the DNS provider that answers the ACME DNS-01 challenge.

    Learn more about using TLS certificates in Knative:

    You must meet the following prerequisites to configure Knative with cert-manager and Cloud DNS:

    • You must have a .
    • Google Cloud DNS must be set up and configured as the DNS provider for your domain, because cert-manager will create and delete the _acme-challenge TXT records there.
    • You must have a Knative cluster with the following requirements:
      • Knative Serving running.
      • The Knative cluster must be running on Google Cloud Platform. For details about installing the Serving component, see the .
      • Your Knative cluster must be configured to use a custom domain.

    Creating a service account and using a Kubernetes secret

    To allow cert-manager to create the DNS-01 challenge records, you create a service account in GCP, store its key in a Kubernetes secret, and place that secret in the cert-manager namespace of your Knative cluster. A ClusterIssuer reads its secrets from cert-manager's own namespace (the cluster resource namespace), which is why the secret goes into cert-manager rather than istio-system. The dns.admin role lets the key modify every zone in the project, so treat the key as a production credential: do not commit it, delete the local copy after upload, and rotate it if the secret is ever exposed.

    Several names in the following commands, such as the secret and file names, are examples that you can change as you like.

    1. Create a service account in GCP with the dns.admin project role by running the following commands, where <your-project-id> is the ID of your GCP project:

       # Upload the key as a secret in your Kubernetes cluster. The secret must live in
       # the cert-manager namespace so that the ClusterIssuer can read it.
       kubectl create secret --namespace cert-manager generic cloud-dns-key \
         --from-file=key.json=$KEY_DIRECTORY/cloud-dns-key.json
       # Delete the local copy of the key
       rm -rf $KEY_DIRECTORY
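    The following script is an added example and is not part of the Knative documentation; it shows the service-account step end to end, including the part of the procedure the page leaves to gcloud. It assumes an authenticated gcloud SDK, a service account named cert-manager-dns (any name works), and the secret and namespace names used above; the key file is checked before upload so that a wrong file does not end up in the cluster, and the local copy is deleted afterwards.

```shell
#!/bin/sh
# Added example (not from the Knative docs): create a GCP service account for
# cert-manager's DNS-01 solver and store its key as the cloud-dns-key secret.
# Assumed names (change freely): PROJECT_ID, SA_NAME, SECRET_NAME, SECRET_NS.
PROJECT_ID="${PROJECT_ID:-your-project-id}"
SA_NAME="${SA_NAME:-cert-manager-dns}"
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
SECRET_NAME="${SECRET_NAME:-cloud-dns-key}"
SECRET_NS="${SECRET_NS:-cert-manager}"   # cert-manager's cluster resource namespace

# Create the service account and grant it roles/dns.admin on the project.
# dns.admin grants write access to every zone in the project, so give this
# account its own project if you can, and treat the key as a secret.
create_service_account() {
  gcloud iam service-accounts create "$SA_NAME" \
    --project "$PROJECT_ID" --display-name "cert-manager DNS-01 solver"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$SA_EMAIL" --role roles/dns.admin
}

# Sanity-check a downloaded key file before it goes into the cluster:
# it must be a service-account key for the account that was just created.
validate_key_file() {  # validate_key_file <key.json> <expected client_email>
  key_file="$1"; expected_email="$2"
  grep -q '"type": *"service_account"' "$key_file" &&
    grep -q "\"client_email\": *\"$expected_email\"" "$key_file"
}

# Write the key to a private temp dir, upload it, and delete the local copy.
create_key_secret() {
  KEY_DIRECTORY=$(mktemp -d)
  chmod 700 "$KEY_DIRECTORY"
  gcloud iam service-accounts keys create "$KEY_DIRECTORY/cloud-dns-key.json" \
    --iam-account "$SA_EMAIL"
  validate_key_file "$KEY_DIRECTORY/cloud-dns-key.json" "$SA_EMAIL" || {
    echo "unexpected key file, not uploading" >&2; rm -rf "$KEY_DIRECTORY"; return 1; }
  kubectl create secret --namespace "$SECRET_NS" generic "$SECRET_NAME" \
    --from-file=key.json="$KEY_DIRECTORY/cloud-dns-key.json"
  rm -rf "$KEY_DIRECTORY"
}

# Only touch GCP and the cluster when explicitly asked (RUN_SETUP=1), so the
# functions above can be sourced and checked without side effects.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  create_service_account
  create_key_secret
fi
```

    Run it as RUN_SETUP=1 PROJECT_ID=<your-project-id> sh setup-dns-sa.sh. If the cluster already has an older cloud-dns-key secret, delete it first; kubectl create secret refuses to overwrite an existing one.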

    Create a ClusterIssuer configuration file to define how cert-manager obtains TLS certificates and how the requests are validated with Cloud DNS.

    1. Run the following command to create the ClusterIssuer configuration. It creates the letsencrypt-issuer ClusterIssuer, which includes your Let's Encrypt account info (the contact e-mail and the secret that will hold the ACME account key), the DNS-01 challenge type, and the Cloud DNS provider info, including your project ID and the service account secret created above.

    2. Ensure that letsencrypt-issuer is created successfully by running the following command (a ClusterIssuer is cluster-scoped, so the --namespace flag is accepted but ignored):

       kubectl get clusterissuer --namespace cert-manager letsencrypt-issuer --output yaml

      Result: The Status.Conditions should include Ready=True. For example:

       status:
         acme:
         conditions:
         - lastTransitionTime: 2018-08-23T01:44:54Z
           message: The ACME account was registered with the ACME server
           reason: ACMEAccountRegistered
           status: "True"
           type: Ready

    Add letsencrypt-issuer to your ingress secret to configure your certificate

    To configure how Knative uses your TLS certificates, you create a Certificate resource that asks letsencrypt-issuer for a certificate and stores the result in the istio-ingressgateway-certs secret, which the Istio ingress gateway reads.

    Note that istio-ingressgateway-certs will be overwritten if the secret already exists.

    1. Run the following commands to create the my-certificate Certificate, where <your-domain.com> is your domain:

    2. Ensure that my-certificate is created successfully by running the following command:

       kubectl get certificate --namespace istio-system my-certificate --output yaml

      Result: The Status.Conditions should include Ready=True. For example:

       status:
         acme:
           order:
             url: https://acme-v02.api.letsencrypt.org/acme/order/40759665/45358362
         conditions:
         - lastTransitionTime: 2018-08-23T02:28:44Z
           message: Certificate issued successfully
           reason: CertIssued
           status: "True"

    Note: If Status.Conditions shows Ready=False, cert-manager failed to obtain a certificate; the reason and message fields of that condition explain why. kubectl describe on the Certificate, and on the Order and Challenge objects that cert-manager created for it, shows the related events, which is where DNS propagation and Cloud DNS permission errors surface.
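    The script below is an added example and not code from the Knative page; it covers both the ClusterIssuer step and the Certificate step above, and automates the Ready=True check that the page performs by reading the status block. It assumes the current cert-manager.io/v1 API (the page predates it), a contact address in ACME_EMAIL, the cloud-dns-key secret from the previous section, and that the Knative services you want to expose live in the default namespace under <your-domain.com>, so the certificate covers *.default.<your-domain.com>.

```shell
#!/bin/sh
# Added example (not from the Knative docs): create the ClusterIssuer and the
# Certificate, then wait for each to report a Ready=True condition.
# Assumptions: cert-manager.io/v1 API; ACME_EMAIL, PROJECT_ID, DOMAIN are set.
ACME_EMAIL="${ACME_EMAIL:-you@example.com}"
PROJECT_ID="${PROJECT_ID:-your-project-id}"
DOMAIN="${DOMAIN:-your-domain.com}"
# Use https://acme-staging-v02.api.letsencrypt.org/directory while testing:
# production Let's Encrypt rate-limits repeated orders for the same names.
ACME_SERVER="${ACME_SERVER:-https://acme-v02.api.letsencrypt.org/directory}"

apply_cluster_issuer() {
  kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-issuer
spec:
  acme:
    server: $ACME_SERVER
    email: $ACME_EMAIL
    privateKeySecretRef:
      name: letsencrypt-issuer      # ACME account key, created by cert-manager
    solvers:
    - dns01:
        cloudDNS:
          project: $PROJECT_ID
          serviceAccountSecretRef:
            name: cloud-dns-key     # secret from the previous section
            key: key.json
EOF
}

# Knative routes are <service>.<namespace>.<domain>, so a wildcard per
# namespace is needed; wildcards are the reason DNS-01 is used here.
apply_certificate() {
  kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: istio-system
spec:
  secretName: istio-ingressgateway-certs   # overwritten if it already exists
  issuerRef:
    name: letsencrypt-issuer
    kind: ClusterIssuer
  dnsNames:
  - "$DOMAIN"
  - "*.default.$DOMAIN"
EOF
}

# Read 'kubectl get ... -o yaml' output on stdin; succeed only if a condition
# of type Ready has status "True". Works for ClusterIssuer and Certificate.
ready_condition() {
  awk '
    function check() { if (type == "Ready" && status == "\"True\"") found = 1; type = ""; status = "" }
    /^ *- /        { check() }
    /^ *type: /    { type = $2 }
    /^ *status: /  { status = $2 }
    END            { check(); exit (found ? 0 : 1) }'
}

# Poll the live object until Ready=True or the deadline passes; on failure print
# the condition messages, which is where cert-manager explains what went wrong.
wait_ready() {  # wait_ready <kind> <name> [namespace]
  kind=$1; name=$2; ns=${3:+--namespace $3}
  for i in $(seq 1 60); do
    kubectl get "$kind" "$name" $ns -o yaml 2>/dev/null | ready_condition && return 0
    sleep 5
  done
  kubectl get "$kind" "$name" $ns -o jsonpath='{.status.conditions[*].message}'; echo
  return 1
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
  apply_cluster_issuer && wait_ready clusterissuer letsencrypt-issuer
  apply_certificate && wait_ready certificate my-certificate istio-system
fi
```

    A DNS-01 order typically takes a minute or two, because cert-manager waits until the TXT record is visible on the authoritative Cloud DNS servers before telling Let's Encrypt to validate; the five-minute deadline in wait_ready leaves room for that.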

    To configure the knative-ingress-gateway to use the TLS certificate that you created, edit the Gateway and append a tls: section to the end of its HTTPS port configuration, pointing at the certificate and key from the istio-ingressgateway-certs secret.

    Run the following commands to configure Knative to use HTTPS connections and to send a redirect response for all HTTP requests:
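    As an added example that is not part of the Knative page, the following script applies the complete Gateway that the two paragraphs above describe, with the HTTP server redirecting to HTTPS and the HTTPS server using the issued certificate, and then verifies the result from outside the cluster. It assumes an Istio release that mounts the istio-ingressgateway-certs secret at /etc/istio/ingressgateway-certs in the ingress gateway pod, and a deployed Knative service reachable at helloworld-go.default.<your-domain.com>; both names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Knative docs): point knative-ingress-gateway at
# the certificate in istio-ingressgateway-certs, redirect HTTP to HTTPS, and
# verify both behaviours with curl.
# Assumption: Istio mounts istio-ingressgateway-certs at /etc/istio/ingressgateway-certs.
DOMAIN="${DOMAIN:-your-domain.com}"

apply_gateway() {
  kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true     # answer plain HTTP with a 301 to https://
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
EOF
}

# Decide from raw HTTP response headers (stdin) whether the gateway redirected
# to HTTPS: a 301 or 308 status line plus a Location header starting https://.
is_https_redirect() {
  awk '
    { sub(/\r$/, "") }
    NR == 1 && $2 ~ /^30[18]$/ { code_ok = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { loc_ok = 1 }
    END { exit ((code_ok && loc_ok) ? 0 : 1) }'
}

# End-to-end check against a deployed service, e.g. helloworld-go.default.$DOMAIN.
verify_host() {  # verify_host <fqdn>
  host=$1
  curl -sS -I "http://$host/" | is_https_redirect ||
    { echo "$host: HTTP was not redirected to HTTPS" >&2; return 1; }
  # -f fails on 4xx/5xx and, without -k, on an untrusted or mismatched certificate.
  curl -sSf -o /dev/null "https://$host/" ||
    { echo "$host: HTTPS request failed or certificate not trusted" >&2; return 1; }
  echo "$host: HTTP redirects and HTTPS serves a trusted certificate"
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
  apply_gateway
  verify_host "helloworld-go.default.$DOMAIN"
fi
```

    On Istio releases that serve gateway certificates through SDS instead of a file mount, replace the serverCertificate and privateKey lines with credentialName: istio-ingressgateway-certs; the secret must then be in the ingress gateway's namespace (istio-system), which is where the Certificate above already puts it. Never add -k to the HTTPS check: a passing check with -k proves only that something answered on port 443, not that the Let's Encrypt certificate is the one being served.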

    Congratulations, you can now access your Knative services over HTTPS. Your Knative cluster is configured to use cert-manager to obtain a TLS certificate that you requested manually; cert-manager renews that Certificate on its own before it expires, but see the following section to have Knative request certificates automatically.

    Configure Knative for automatic certificate provisioning

    You can update your Knative configuration to automatically obtain and renew TLS certificates before they expire. To learn more about automatic certificates, see .
