
Question with Knative Auto TLS via HTTP01 and Redirect to HTTPS


Minh Chương Phạm Huỳnh

Apr 6, 2023, 12:38:35 AM
to Knative Users
Hi all,
I'm using an on-premises K8S cluster (MetalLB, ingress-nginx, cert-manager, and a ClusterIssuer of type nginx installed). I want to convert my K8S Deployment to a Knative Service to take advantage of "scale down to zero / up to infinity", but keep the choice of HTTP or HTTPS without being forced to use only HTTPS.
Let me explain more.

My App manifest in K8S used to be like:
---
kind: Deployment
...
---
kind: Service
...
---
kind: Ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: letsencrypt-production-nginx
    cert-manager.io/acme-challenge-type: http01
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
      - app.mydomain.com
    secretName: app-tls
  rules:
...
---
Then ingress-nginx will help me get a Let's Encrypt certificate automatically, right?
If I want my app to keep using HTTP only, I can remove the yellow, blue, and red parts.
If I want my app to use both HTTP and HTTPS, I can remove the red part.
If I want my app to use HTTPS with a custom certificate, I can remove the yellow part and keep the blue and red parts.

With Knative, I get confused. I installed Knative Serving with YAML; the network layer is Kourier, with Magic DNS (serving-default-domain.yaml).
I want Knative to do the same as K8S: keep accepting both HTTP and HTTPS, and let me decide whether I want to force HTTPS only.
This is my Knative configuration:
---
configmap/config-network
data:
  ingress-class: kourier.ingress.networking.knative.dev
  autocreate-cluster-domain-claims: "true"
  certificate-class: net-http01.certificate.networking.knative.dev
  auto-tls: "Enabled"
  http-protocol: "Enabled"
---
configmap/config-certmanager
data:
  issuerRef: |
    kind: ClusterIssuer
    name: letsencrypt-http01-issuer-knative
---

I created a ClusterIssuer following the instructions in "Enabling auto-TLS certs":
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01-issuer-knative
spec:
  acme:
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
       ingress:
         class: istio
---

This is my app manifest after converting to Knative:
---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-app
  namespace: default
  annotations:
    networking.knative.dev/http-protocol: "redirected"
spec:
  template:
    spec:
      containers:
      - image: my image
...
        ports:
        - containerPort: 80
---
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: app.mydomain.com
  namespace: default
spec:
  ref:
    name: my-app
    kind: Service
    apiVersion: serving.knative.dev/v1
---

I want to force my app to use HTTPS only, with the red part in the manifest as you can see above.
When I access http://app.mydomain.com, it does not redirect to HTTPS.
Please give me some advice. Thank you very much.

Minh Chương Phạm Huỳnh

Apr 6, 2023, 1:09:35 AM
to Knative Users
If I add the annotation to the DomainMapping manifest, I can make it work, like this:

---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-app
  namespace: default
  annotations:
    networking.knative.dev/http-protocol: "redirected"
spec:
  template:
    spec:
      containers:
      - image: my image
...
        ports:
        - containerPort: 80
---
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: app.mydomain.com
  namespace: default
  annotations:
    networking.knative.dev/http-protocol: "redirected"
spec:
  ref:
    name: my-app
    kind: Service
    apiVersion: serving.knative.dev/v1
---
So networking.knative.dev/http-protocol: "redirected" on the Service is not necessary?
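
A way to verify, per hostname, whether plain HTTP is actually redirected to HTTPS after changing the annotations discussed in this thread. This is an added example, not part of the original posts or of Knative; the function names, the script name and the optional ingress-IP argument are assumptions, and the sample responses are constructed.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def classify(host, status, location):
    """Judge one plain-HTTP response for `host` from its status and Location header."""
    if status not in REDIRECT_CODES:
        return "served-over-http"      # no redirect: HTTP is still answered directly
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"    # redirected, but not onto TLS
    if (target.hostname or "") != host.lower():
        return "redirect-other-host"   # redirected to HTTPS on a different name
    return "redirects-to-https"

def probe(host, address=None, port=80, timeout=5.0):
    """Send GET / over plain HTTP without following redirects.

    `address` (assumption: the ingress LoadBalancer IP) lets you test before DNS
    points at the cluster; the Host header still selects the route.
    """
    conn = http.client.HTTPConnection(address or host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify(host, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (not captured from a real cluster).
SAMPLES = [
    ("app.mydomain.com", 200, None),
    ("app.mydomain.com", 301, "https://app.mydomain.com/"),
    ("app.mydomain.com", 302, "http://app.mydomain.com/login"),
    ("app.mydomain.com", 301, "https://other.example.com/"),
]

def check_samples():
    return [classify(h, s, loc) for h, s, loc in SAMPLES]

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_redirect.py HOST [INGRESS_IP]
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(*sys.argv[1:3]))
    else:
        print(check_samples())
```

Run it against both the custom domain and the Service's default (Magic DNS) hostname, since the two routes are configured by different objects.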