How to create a custom domain for a workload when cnrs.default_tls_secret is set in the TAP (Tanzu Application Platform) profile

Article ID: 297908

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

As explained in Configure Knative Service Domain Template, Knative uses a domain template, a Go text template string, to construct each Knative service's DNS name. The default value is {{.Name}}.{{.Namespace}}.{{.Domain}}.
cnrs:
  domain_template: "{{.Name}}.{{.Namespace}}.{{.Domain}}"
This means that if your domain is abc.com and you create a workload named tanzu-java-web-app in the namespace dev, the workload gets the URL https://tanzu-java-web-app.dev.abc.com.
$ kubectl -n dev get ksvc
NAME                  URL                                             LATESTCREATED                     LATESTREADY                       READY   REASON
tanzu-java-web-app    https://tanzu-java-web-app.dev.abc.com          tanzu-java-web-app-00008          tanzu-java-web-app-00008          True
However, users sometimes want a custom URL that does not follow the cnrs.domain_template rule. In that case, follow Configuring custom domains to create a DomainMapping object. If cnrs.default_tls_secret is set in the TAP (Tanzu Application Platform) profile, you may need an additional step: create a SecretExport/SecretImport resource pair, because Knative expects the secret to be in the same namespace as the DomainMapping when custom TLS is in use. See the Resolution section below.
profile: full

cnrs:
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/cnrs-default-tls
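
Added example (not from the article or from Knative's code): a Go program that renders both domain_template values shown above with text/template and checks the resulting hosts, plus the custom host custom-wld.abc.com used in the Resolution, against a wildcard certificate name. The svc struct, renderHost, covers and the *.abc.com certificate name are assumptions for illustration; the article does not state which names the cnrs-default-tls certificate carries.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// svc carries the three fields the article's domain_template refers to.
type svc struct{ Name, Namespace, Domain string }

// renderHost evaluates a domain_template string for one Knative service.
func renderHost(tmpl string, s svc) (string, error) {
	t, err := template.New("domain").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, s); err != nil {
		return "", err
	}
	return b.String(), nil
}

// covers reports whether a certificate DNS name matches host. A leading "*."
// matches exactly one label, so *.abc.com does not match a.dev.abc.com.
func covers(certName, host string) bool {
	certName, host = strings.ToLower(certName), strings.ToLower(host)
	if !strings.HasPrefix(certName, "*.") {
		return certName == host
	}
	first, rest, ok := strings.Cut(host, ".")
	return ok && first != "" && rest == certName[2:]
}

func main() {
	s := svc{Name: "tanzu-java-web-app", Namespace: "dev", Domain: "abc.com"}
	const san = "*.abc.com" // assumed certificate name, not taken from the article
	for _, t := range []string{
		"{{.Name}}.{{.Namespace}}.{{.Domain}}", // default template
		"{{.Name}}-{{.Namespace}}.{{.Domain}}", // template from the profile above
	} {
		h, err := renderHost(t, s)
		fmt.Println(h, covers(san, h), err)
	}
	fmt.Println("custom-wld.abc.com", covers(san, "custom-wld.abc.com"))
}
```

Under the assumed wildcard, the default template yields a two-label-deep host that the certificate does not match, while the profile's hyphenated template and the custom host both fall under it.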


Environment

Product Version: 1.5

Resolution

Apply the file below to create a SecretExport/SecretImport resource pair.
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: cnrs-default-tls
  namespace: tanzu-system-ingress
spec:
  toNamespace: dev

#! allow cnrs-default-tls to be created in the dev namespace
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretImport
metadata:
  name: cnrs-default-tls
  namespace: dev
spec:
  fromNamespace: tanzu-system-ingress
Update the DomainMapping with spec.tls.secretName = cnrs-default-tls.
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: custom-wld.abc.com
  namespace: dev
spec:
  ref:
    name: tanzu-java-web-app
    kind: Service
    apiVersion: serving.knative.dev/v1
  tls:
    secretName: cnrs-default-tls
Confirm the DomainMapping status by running:
$ kubectl -n dev get DomainMapping
NAME                      URL                               READY   REASON
custom-wld.abc.com        https://custom-wld.abc.com        True