Configuring Knative system-internal encryption

Warning: The Knative Serving encryption features cluster-local-domain-tls and system-internal-tls are experimental. Use them with caution!
Before you begin

You must meet the following requirements to enable secure HTTPS connections:

- Knative Serving must be installed. For details on installing the Serving component, see the Knative installation guide.

Warning: This feature currently supports only Kourier as the networking layer.
Install and configure cert-manager and its integration

First, you need to install and configure cert-manager and the Knative cert-manager integration. For details, see Configuring the Knative cert-manager integration.
Enable system-internal-tls

To enable system-internal-tls, update the config-network ConfigMap in the knative-serving namespace:

- Run the following command to edit your config-network ConfigMap:

  ```bash
  kubectl edit configmap config-network -n knative-serving
  ```

- Add the system-internal-tls: Enabled attribute under the data section:

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: config-network
    namespace: knative-serving
  data:
    ...
    system-internal-tls: Enabled
    ...
  ```

- Restart the Knative activator and controller components to start the Knative cert-manager integration:

  ```bash
  kubectl rollout restart deploy/activator -n knative-serving
  kubectl rollout restart deploy/controller -n knative-serving
  ```
Congratulations! Knative will now use TLS between its internal system components (Ingress-Controller, Activator and Queue-Proxy).
Verify

- Deploy a Knative Service.

- Check that the certificate has been created and is ready:

  ```bash
  kubectl get kcert -n <your-knative-service-namespace>
  ```

- Check that the Queue-Proxy container reads the certificate on startup:

  ```bash
  kubectl logs your-pod -n your-knative-service-namespace -c queue-proxy | grep -E 'certDir|Certificate|tls'
  ```

  It should look like this:

  ```json
  {"severity":"INFO","timestamp":"2024-01-03T07:07:32.892810888Z","logger":"queueproxy","caller":"certificate/watcher.go:62","message":"Starting to watch the following directories for changes{certDir 15 0 /var/lib/knative/certs <nil>} {keyDir 15 0 /var/lib/knative/certs <nil>}","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
  {"severity":"INFO","timestamp":"2024-01-03T07:07:32.89397512Z","logger":"queueproxy","caller":"certificate/watcher.go:131","message":"Certificate and/or key have changed on disk and were reloaded.","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
  {"severity":"INFO","timestamp":"2024-01-03T07:07:32.894232939Z","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server admin:8022","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
  {"severity":"INFO","timestamp":"2024-01-03T07:07:32.894268548Z","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server main:8112","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
  ```
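The grep above only shows matching lines; as an added example (not part of the Knative docs), the following POSIX shell helper turns the verification into a pass/fail check by reading the queue-proxy log lines on stdin and reporting which of the expected TLS start-up markers (the certificate watcher on /var/lib/knative/certs, the certificate load, and the TLS listeners for main and admin) are missing. The script name in the usage comment and the sample log lines are constructed.

```shell
#!/bin/sh
# Added verification helper, not part of the Knative docs. Reads queue-proxy
# JSON log lines on stdin and reports which expected TLS markers are missing.
# Intended use (check-qp-tls.sh is a hypothetical file name):
#   kubectl logs <pod> -n <ns> -c queue-proxy | sh check-qp-tls.sh
check_queue_proxy_tls() {
  log=$(cat)        # buffer stdin so it can be scanned several times
  missing=0
  # 1. the certificate watcher points at the directory Knative mounts the cert into
  printf '%s\n' "$log" | grep -q 'Starting to watch the following directories.*/var/lib/knative/certs' ||
    { echo "MISSING: certificate watcher on /var/lib/knative/certs"; missing=1; }
  # 2. the certificate and key were actually read from disk
  printf '%s\n' "$log" | grep -q 'Certificate and/or key have changed on disk and were reloaded' ||
    { echo "MISSING: certificate/key loaded from disk"; missing=1; }
  # 3. both listeners (main traffic and admin) came up as TLS servers
  for srv in main admin; do
    printf '%s\n' "$log" | grep -q "Starting tls server ${srv}:" ||
      { echo "MISSING: TLS listener for ${srv}"; missing=1; }
  done
  [ "$missing" -eq 0 ] && echo "OK: queue-proxy loaded its certificate and is serving TLS"
  return "$missing"
}

# Constructed sample log lines (pod name is a placeholder), in the same shape
# as the real queue-proxy output shown above.
SAMPLE_TLS=$(cat <<'EOF'
{"severity":"INFO","logger":"queueproxy","message":"Starting to watch the following directories for changes{certDir 15 0 /var/lib/knative/certs <nil>} {keyDir 15 0 /var/lib/knative/certs <nil>}","knative.dev/pod":"example-00001-deployment-xxxxx"}
{"severity":"INFO","logger":"queueproxy","message":"Certificate and/or key have changed on disk and were reloaded.","knative.dev/pod":"example-00001-deployment-xxxxx"}
{"severity":"INFO","logger":"queueproxy","message":"Starting tls server admin:8022","knative.dev/pod":"example-00001-deployment-xxxxx"}
{"severity":"INFO","logger":"queueproxy","message":"Starting tls server main:8112","knative.dev/pod":"example-00001-deployment-xxxxx"}
EOF
)
# Constructed negative sample: a log with none of the TLS markers present.
SAMPLE_NO_TLS='{"severity":"INFO","logger":"queueproxy","message":"constructed: no TLS markers in this log"}'

printf '%s\n' "$SAMPLE_TLS" | check_queue_proxy_tls
printf '%s\n' "$SAMPLE_NO_TLS" | check_queue_proxy_tls || echo "(negative sample rejected as expected)"
```

A non-zero exit status means at least one marker is absent, which makes the check usable in a post-install smoke test.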
Trust

Warning: A quick note on trust: if the cert-manager issuer allows the CA to be placed directly into the ca.crt field of the certificate Secret, Knative will automatically trust the CA that signed the certificate. Regardless, cluster administrators **should always** provide a trust bundle as described in Configuring the Knative cert-manager integration. This is also strongly recommended in the cert-manager documentation to avoid rotation-related problems.