Knative: Operator’s Handbook

TLS (HTTPS) Termination

Knative’s default ingress controller does not let you configure HTTPS for your external-facing apps.

So by default, when you expose a Knative service, it's HTTP-only, and therefore insecure. But you have several options.

Automatic TLS

Follow this guide to install cert-manager, which is a Kubernetes operator that gets/renews TLS certificates for your public domains automatically from Let's Encrypt certificate authority.

Manual TLS

Knative currently does not support using your own TLS certificate/key pair to terminate public HTTPS traffic on the gateway1. This is simply because:

  1. Knative does not yet support mapping custom domains on the gateway.

  2. Not all Knative users use the default gateway (Istio), and there are other ingress controllers

In this case, you will have to configure your ingress controller directly with your own certificates. Most ingress controllers let you do that when you import your TLS cert/key pair to Kubernetes as Secret, however, you need to understand their implications and production-readiness.

Warning: Recommendations below are mostly hacky and may not be production ready.


  1. Follow this issue for progress. ↩︎