Multiple Domains with Wildcard Certs #15296

Closed
devgrry opened this issue Jun 3, 2024 · 4 comments
Labels
area/networking kind/question Further information is requested triage/needs-user-input Issues which are waiting on a response from the reporter

Comments

@devgrry

devgrry commented Jun 3, 2024

In what area(s)?

/area networking

Hi!

This question is about the usage of multiple domains with Wildcard Certs.

Setup

  • Knative Serving
  • CertManager
    • Cluster Issuer abc-issuer
  • Domains:
    • a.com
    • b.com
    • c.com

config-domain

So, I have the following configuration. One domain, a.com, is set as the default, and the other domains need to be selected via labels on the service.

```yaml
# config-domain ConfigMap (data section only, as posted)
...
data:
  # default is a
  a.com: ""
  b.com: |
    selector:
      hub: b
  c.com: |
    selector:
      hub: c
...
```

config-network

Next is the network config. It is properly set up to support TLS. I configured it so that a wildcard cert is only created for namespaces on which a specific label is set to true; this works fine.

There is some different behavior for wildcard certs: when I configure just a list of domains without a selector, the specific wildcard certs are created automatically. But when I have a selector, no wildcard certificate is created.
My expectation is: create wildcard certificates for all domains, regardless of the selector definition. Have I got something wrong here?

```yaml
# config-network ConfigMap (data section only, as posted)
...
data:
  default-external-scheme: https
  external-domain-tls: Enabled
  http-protocol: Redirected
  ingress-class: kourier.ingress.networking.knative.dev
  namespace-wildcard-cert-selector: |-
    matchExpressions:
    - key: "networking.knative.dev/enableWildcardCert"
      operator: "In"
      values: ["true"]
...
```

What I cannot do is use a plain list of my domains, because I do not want to create a custom Route or a DomainMapping. I think it should be possible to do what I want to do.

Usage

Let's say that I want to create a service on the default domain; then I go with:

```shell
kn service create hello --image ghcr.io/knative/helloworld-go:latest --port 8080 --env TARGET=World
```

Now I want to create this service just for a different domain. I go with my selector definition:

```shell
kn service create hello --image ghcr.io/knative/helloworld-go:latest --port 8080 --env TARGET=World --label hub=b
```

This creates a service for the exact domain, so the matching works here, BUT it creates a custom route certificate while it should use a wildcard cert (which is not created, as described under 'config-network').

Best!

@devgrry devgrry added the kind/question Further information is requested label Jun 3, 2024
@dprotaso
Member

dprotaso commented Jun 3, 2024

Multiple wildcard domains were added in v1.14 via this PR - #14543

> There is some different behavior for wildcard certs: When I create just a list of domains without a selector, then it will create automatically the specific wildcard certs. But when I have a selector, then it does not create a wildcard certificate.

Yeah, you'll want to update your config to include the type; see below. The empty selector `""` is a special case, and we know it's wildcard.

```yaml
# config-domain with an explicit type on each selector-based domain
data:
  # default is a
  a.com: ""
  b.com: |
    type: wildcard
    selector:
      hub: b
  c.com: |
    type: wildcard
    selector:
      hub: c
```

Try that and let us know

@dprotaso dprotaso added the triage/needs-user-input Issues which are waiting on a response from the reporter label Jun 3, 2024
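The domain lookup and namespace selection described in the question (config-network's `namespace-wildcard-cert-selector`) and in the fix above (`type: wildcard` per domain), as an added example that is not Knative's code and not part of the original thread. It is a simplified Go model of the behaviour the thread shows: the most specific matching selector wins, an empty selector is the default domain and counts as wildcard, and a wildcard cert is only provisioned when the namespace is also opted in. The struct field names, the result strings `"wildcard"`/`"per-route"`, and the helper names are this example's own assumptions; the configs are the ones posted in the thread.

```go
package main

import "fmt"

// DomainEntry is a simplified model (not Knative's type) of one value in the
// config-domain ConfigMap: an optional "type" and the map-form selector.
type DomainEntry struct {
	Type     string            // "" or "wildcard"
	Selector map[string]string // empty selector = default domain
}

// matches reports whether every selector label is present with that value.
func (e DomainEntry) matches(labels map[string]string) bool {
	for k, v := range e.Selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// LookupDomain returns the domain chosen for a service with the given labels and
// whether that domain is wildcard-typed. The most specific selector wins, ties go
// to the lexically smaller domain, and the default entry counts as wildcard
// (the special case the maintainer mentions).
func LookupDomain(domains map[string]DomainEntry, labels map[string]string) (string, bool) {
	best, bestSpec := "", -1
	for name, e := range domains {
		spec := len(e.Selector)
		if !e.matches(labels) || spec < bestSpec {
			continue
		}
		if spec > bestSpec || name < best {
			best, bestSpec = name, spec
		}
	}
	if best == "" {
		return "", false // no default domain configured
	}
	e := domains[best]
	return best, len(e.Selector) == 0 || e.Type == "wildcard"
}

// Requirement is one matchExpressions entry of namespace-wildcard-cert-selector.
type Requirement struct {
	Key, Operator string // Operator: In, NotIn, Exists, DoesNotExist
	Values        []string
}

// NamespaceSelected evaluates the requirements with Kubernetes LabelSelector
// semantics: all of them must hold. Unknown operators fail closed.
func NamespaceSelected(reqs []Requirement, nsLabels map[string]string) bool {
	for _, r := range reqs {
		v, ok := nsLabels[r.Key]
		in := false
		for _, x := range r.Values {
			if ok && x == v {
				in = true
			}
		}
		switch {
		case r.Operator == "In" && !in,
			r.Operator == "NotIn" && in,
			r.Operator == "Exists" && !ok,
			r.Operator == "DoesNotExist" && ok:
			return false
		case r.Operator != "In" && r.Operator != "NotIn" && r.Operator != "Exists" && r.Operator != "DoesNotExist":
			return false
		}
	}
	return true
}

// CertKind says what the service ends up with: a wildcard cert only when the
// namespace is opted in AND the chosen domain is wildcard-typed; otherwise a
// per-route certificate, which is what the reporter observed for hub=b.
func CertKind(domains map[string]DomainEntry, reqs []Requirement, nsLabels, svcLabels map[string]string) string {
	domain, wildcard := LookupDomain(domains, svcLabels)
	if domain == "" {
		return "none"
	}
	if wildcard && NamespaceSelected(reqs, nsLabels) {
		return "wildcard"
	}
	return "per-route"
}

// OriginalConfig and FixedConfig are the two config-domain variants from the thread.
func OriginalConfig() map[string]DomainEntry {
	return map[string]DomainEntry{
		"a.com": {},
		"b.com": {Selector: map[string]string{"hub": "b"}},
		"c.com": {Selector: map[string]string{"hub": "c"}},
	}
}

func FixedConfig() map[string]DomainEntry {
	return map[string]DomainEntry{
		"a.com": {},
		"b.com": {Type: "wildcard", Selector: map[string]string{"hub": "b"}},
		"c.com": {Type: "wildcard", Selector: map[string]string{"hub": "c"}},
	}
}

// WildcardNamespaceSelector is the matchExpressions block from config-network.
func WildcardNamespaceSelector() []Requirement {
	return []Requirement{{Key: "networking.knative.dev/enableWildcardCert", Operator: "In", Values: []string{"true"}}}
}

func main() {
	optedIn := map[string]string{"networking.knative.dev/enableWildcardCert": "true"}
	hubB := map[string]string{"hub": "b"}
	fmt.Println("original, hub=b:", CertKind(OriginalConfig(), WildcardNamespaceSelector(), optedIn, hubB)) // per-route
	fmt.Println("fixed, hub=b:", CertKind(FixedConfig(), WildcardNamespaceSelector(), optedIn, hubB))       // wildcard
	fmt.Println("fixed, default:", CertKind(FixedConfig(), WildcardNamespaceSelector(), optedIn, nil))      // wildcard
}
```

Running it shows the two halves of the problem separately: with the original config, `hub=b` resolves to b.com but the entry is not wildcard-typed, so only a per-route cert is expected; with the fixed config the same labels yield a wildcard cert, but only in a namespace that carries the opt-in label.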
@devgrry
Author

devgrry commented Jun 4, 2024

Thank you for the fast reply! I have updated my config with the type and it is working fine: it creates the required wildcard certificates for the domains, as expected. Thank you!

I have a different topic, kinda related to this one too: we currently have an option to configure one IssuerRef, is this correct? At the moment, in my setup, I have one IssuerRef (a ClusterIssuer from cert-manager), and this one includes multiple solvers with dnsZones; this works very well and is also a good way to implement this. I have wondered whether there is a way to set multiple IssuerRefs in the appropriate domain configuration, like we did here with the type.

Best!

@dprotaso
Member

dprotaso commented Jun 4, 2024

Multiple issuers are an open issue - knative-extensions/net-certmanager#353

Though that issue needs to be copied into this repo - (we merged the component into the serving controller and have since archived that repo)

@dprotaso
Member

dprotaso commented Jun 4, 2024

Made a copy - #15305

Going to close this issue out since it seems like all the questions have been answered.

@dprotaso dprotaso closed this as completed Jun 4, 2024