knative / serving

Kubernetes-based, scale-to-zero, request-driven compute
https://knative.dev/docs/serving/
Apache License 2.0
5.53k stars 1.15k forks

DomainMapping BYO TLS Support #10951

Closed julz closed 3 years ago

julz commented 3 years ago

/area API

Describe the feature

Following on from https://github.com/knative/serving/issues/10247, we should also support bring-your-own TLS certificates for DomainMappings so that users can explicitly provide the TLS certificate to use. In the original DomainMapping proposal we envisaged this being achieved via spec.tls.

markusthoemmes commented 3 years ago

Please forgive my ignorance, but do we have BYO TLS for "normal" Services? :thinking:

julz commented 3 years ago

I think for normal services they're all vended from the same shared domain so it makes less sense to let users override it but.... I don't really know :) cc @nak3 @ZhiminXiang @tcnghia

julz commented 3 years ago

actually I clearly should have done

/area networking

on this

tcnghia commented 3 years ago

There is already an issue here https://github.com/knative/serving/issues/10530

ZhiminXiang commented 3 years ago

We don't support BYO TLS for normal services through an API because

  1. the domain of a ksvc is referenced from a shared suffix and DomainTemplate which could be changed globally. So the TLS certs could be ineffective if the cluster operator updates those values.
  2. Users may want to configure TLS certs in different ways: per cert per ksvc or per cert per namespace. Considering this, we don't provide an API for TLS configuration for normal services.

For DomainMapping, it does not have the above issues.

markusthoemmes commented 3 years ago

Thanks for the clarification @ZhiminXiang, those points do make sense.

julz commented 3 years ago

Oops, thanks @tcnghia - I searched but didn't find it

Closing in favour of https://github.com/knative/serving/issues/10530

/close

knative-prow-robot commented 3 years ago

@julz: Closing this issue.

In response to [this](https://github.com/knative/serving/issues/10951#issuecomment-799614631):

>Oops, thanks @tcnghia - I searched but didn't find it
>
>Closing in favour of https://github.com/knative/serving/issues/10530
>
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.