Question with Knative Auto TLS via HTTP01 and Redirect to HTTPS


Minh Chương Phạm Huỳnh

Apr 6, 2023, 12:38:35 AM
to Knative Users
Hi all,
I'm using a K8S cluster on premise (MetalLB, ingress-nginx, cert-manager, ClusterIssuer type nginx installed). I want to convert my K8S deployment to a Knative service to take advantage of "scale down to zero / up to infinity", but keep the choice of http or https without being forced to only https.
Let me explain more.

My App manifest in K8S used to be like:
---
kind: Deployment
...
---
kind: Service
...
---
kind: Ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: letsencrypt-production-nginx
    cert-manager.io/acme-challenge-type: http01
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
      - app.mydomain.com
    secretName: app-tls
  rules:
...
---
Then ingress-nginx will help me get a Let's Encrypt certificate automatically, right?
If I want my app to keep using http only, I can remove the yellow, blue and red parts.
If I want my app to use both http & https, I can remove the red part.
If I want my app to use https with a custom certificate, I can remove the yellow part and keep the blue & red parts.

With Knative, I get confused. I installed Knative Serving with YAML; the network layer is Kourier, with Magic DNS (serving-default-domain.yaml).
I want Knative to do the same as K8S: keep accepting both http & https, and let me decide if I want to force it to use https only.
This is my Knative configuration:
---
configmap/config-network
data:
  ingress-class: kourier.ingress.networking.knative.dev
  autocreate-cluster-domain-claims: "true"
  certificate-class: net-http01.certificate.networking.knative.dev
  auto-tls: "Enabled"
  http-protocol: "Enabled"
---
configmap/config-certmanager
data:
  issuerRef: |
    kind: ClusterIssuer
    name: letsencrypt-http01-issuer-knative
---

I create a ClusterIssuer as in the instructions "Enabling auto-TLS certs":
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01-issuer-knative
spec:
  acme:
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
       ingress:
         class: istio
---

This is my app manifest when converting to Knative:
---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-app
  namespace: default
  annotations:
    networking.knative.dev/http-protocol: "redirected"
spec:
  template:
    spec:
      containers:
      - image: my image
...
        ports:
        - containerPort: 80
---
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: app.mydomain.com
  namespace: default
spec:
  ref:
    name: my-app
    kind: Service
    apiVersion: serving.knative.dev/v1
---

I want to force my app to use https only with the red part in the manifest, as you can see above.
When I access http://app.mydomain.com, it does not redirect to https.
Please give me some advice, thank you very much.

Minh Chương Phạm Huỳnh

Apr 6, 2023, 1:09:35 AM
to Knative Users
If I add annotations to the DomainMapping manifest I can make it work, like this:

---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-app
  namespace: default
  annotations:
    networking.knative.dev/http-protocol: "redirected"
spec:
  template:
    spec:
      containers:
      - image: my image
...
        ports:
        - containerPort: 80
---
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: app.mydomain.com
  namespace: default
  annotations:
    networking.knative.dev/http-protocol: "redirected"
spec:
  ref:
    name: my-app
    kind: Service
    apiVersion: serving.knative.dev/v1
---
So networking.knative.dev/http-protocol: "redirected" on the Service is not necessary?
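
Added example, not part of the original posts and not Knative's own code: a small audit over the JSON that `kubectl get ksvc,domainmapping -A -o json` would return, listing every host that still answers plain HTTP without a redirect. It assumes, in line with the behaviour reported in the second post, that each object's own `networking.knative.dev/http-protocol` annotation decides for its host, with the `http-protocol` value from config-network as the fallback, and that values compare case-insensitively; the function names and the sample input are constructed for illustration.

```python
import json

ANNOTATION = "networking.knative.dev/http-protocol"

# Constructed sample in the shape of `kubectl get ksvc,domainmapping -A -o json`,
# trimmed to the fields used here. Names mirror the manifests in the thread.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "apiVersion": "serving.knative.dev/v1",
  "metadata": {"name": "my-app", "namespace": "default",
   "annotations": {"networking.knative.dev/http-protocol": "redirected"}}},
 {"kind": "DomainMapping", "apiVersion": "serving.knative.dev/v1alpha1",
  "metadata": {"name": "app.mydomain.com", "namespace": "default"},
  "spec": {"ref": {"name": "my-app", "kind": "Service"}}}
]}
""")


def effective_http_protocol(obj, cluster_default):
    """Own annotation if present, else the config-network default (assumption)."""
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return (annotations.get(ANNOTATION) or cluster_default).lower()


def plaintext_hosts(objects, cluster_default="Enabled"):
    """Return (kind, namespace, name, mode) for objects that do not redirect HTTP."""
    findings = []
    for obj in objects:
        if obj.get("kind") not in ("Service", "DomainMapping"):
            continue
        if not obj.get("apiVersion", "").startswith("serving.knative.dev/"):
            continue  # skip core v1 Services and unrelated kinds
        mode = effective_http_protocol(obj, cluster_default)
        if mode != "redirected":
            meta = obj["metadata"]
            findings.append((obj["kind"], meta.get("namespace", ""), meta["name"], mode))
    return findings


if __name__ == "__main__":
    # cluster_default matches the `http-protocol: "Enabled"` shown in config-network
    for kind, ns, name, mode in plaintext_hosts(SAMPLE["items"], "Enabled"):
        print(f"{kind} {ns}/{name}: http-protocol={mode}, plain HTTP is served")
```
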