apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
name: <domain_name> (1)
namespace: <namespace> (2)
spec:
ref:
name: <target_name> (3)
kind: <target_type> (4)
apiVersion: serving.knative.dev/v1
Knative services are automatically assigned a default domain name based on your cluster configuration. For example, <service_name>-<namespace>.example.com
. You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service.
You can do this by creating a DomainMapping
resource for the service. You can also create multiple DomainMapping
resources to map multiple domains and subdomains to a single service.
You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service. To map a custom domain name to a custom resource (CR), you must create a DomainMapping
CR that maps to an Addressable target CR, such as a Knative service or a Knative route.
The OpenShift Serverless Operator and Knative Serving are installed on your cluster.
Install the OpenShift cli (oc
).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.
You have created a Knative service and control a custom domain that you want to map to that service.
Your custom domain must point to the IP address of the OpenShift Container Platform cluster. |
Create a YAML file containing the DomainMapping
CR in the same namespace as the target CR you want to map to:
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
name: <domain_name> (1)
namespace: <namespace> (2)
spec:
ref:
name: <target_name> (3)
kind: <target_type> (4)
apiVersion: serving.knative.dev/v1
1 | The custom domain name that you want to map to the target CR. |
2 | The namespace of both the DomainMapping CR and the target CR. |
3 | The name of the target CR to map to the custom domain. |
4 | The type of CR being mapped to the custom domain. |
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
name: example.com
namespace: default
spec:
ref:
name: example-service
kind: Service
apiVersion: serving.knative.dev/v1
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
name: example.com
namespace: default
spec:
ref:
name: example-route
kind: Route
apiVersion: serving.knative.dev/v1
Apply the DomainMapping
CR as a YAML file:
$ oc apply -f <filename>
You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service. You can use the Knative (kn
) cli to create a DomainMapping
custom resource (CR) that maps to an Addressable target CR, such as a Knative service or a Knative route.
The OpenShift Serverless Operator and Knative Serving are installed on your cluster.
You have created a Knative service or route, and control a custom domain that you want to map to that CR.
Your custom domain must point to the DNS of the OpenShift Container Platform cluster. |
You have installed the Knative (kn
) cli.
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.
Map a domain to a CR in the current namespace:
$ kn domain create <domain_mapping_name> --ref <target_name>
$ kn domain create example.com --ref example-service
The --ref
flag specifies an Addressable target CR for domain mapping.
If a prefix is not provided when using the --ref
flag, it is assumed that the target is a Knative service in the current namespace.
Map a domain to a Knative service in a specified namespace:
$ kn domain create <domain_mapping_name> --ref <ksvc:service_name:service_namespace>
$ kn domain create example.com --ref ksvc:example-service:example-namespace
Map a domain to a Knative route:
$ kn domain create <domain_mapping_name> --ref <kroute:route_name>
$ kn domain create example.com --ref kroute:example-route
After you have configured a custom domain for a Knative service, you can use a TLS certificate to secure the mapped service. To do this, you must create a Kubernetes TLS secret, and then update the DomainMapping
CR to use the TLS secret that you have created.
You configured a custom domain for a Knative service and have a working DomainMapping
CR.
You have a TLS certificate from your Certificate Authority provider or a self-signed certificate.
You have obtained the cert
and key
files from your Certificate Authority provider, or a self-signed certificate.
Install the OpenShift cli (oc
).
Create a Kubernetes TLS secret:
$ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key=<path_to_key_file>
If you are using Red Hat OpenShift Service Mesh as the ingress for your OpenShift Serverless installation, label the Kubernetes TLS secret with the following:
“networking.internal.knative.dev/certificate-uid": “<value>”
If you are using a third-party secret provider such as cert-manager, you can configure your secret manager to label the Kubernetes TLS secret automatically. Cert-manager users can use the secret template offered to automatically generate secrets with the correct label. In this case, secret filtering is done based on the key only, but this value can carry useful information such as the certificate ID that the secret contains.
The {cert-manager-operator} is a Technology Preview feature. For more information, see the Installing the {cert-manager-operator} documentation. |
Update the DomainMapping
CR to use the TLS secret that you have created:
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
name: <domain_name>
namespace: <namespace>
spec:
ref:
name: <service_name>
kind: Service
apiVersion: serving.knative.dev/v1
# TLS block specifies the secret to be used
tls:
secretName: <tls_secret_name>
Verify that the DomainMapping
CR status is True
, and that the URL
column of the output shows the mapped domain with the scheme https
:
$ oc get domainmapping <domain_name>
NAME URL READY REASON
example.com https://example.com True
Optional: If the service is exposed publicly, verify that it is available by running the following command:
$ curl https://<domain_name>
If the certificate is self-signed, skip verification by adding the -k
flag to the curl
command.