From 8fd3dc1bc8ea2dedc340c95b91cd0a30464a79ef Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Tue, 19 Mar 2024 10:20:16 +0100 Subject: [PATCH] Add activator restart and fix CM label --- .../encryption/install-and-configure-net-certmanager.md | 4 ++-- docs/serving/encryption/system-internal-tls.md | 9 +++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/serving/encryption/install-and-configure-net-certmanager.md b/docs/serving/encryption/install-and-configure-net-certmanager.md index df55a09a8b0..62b9258f9d5 100644 --- a/docs/serving/encryption/install-and-configure-net-certmanager.md +++ b/docs/serving/encryption/install-and-configure-net-certmanager.md @@ -168,7 +168,7 @@ in the namespace where the component runs, e.g: * kourier-system (when using net-kourier) * Each namespace where a Knative Service runs -Knative looks for a `ConfigMap` with the label `knative-ca-trust-bundle="true"` and will read all `data` keys (regardless of the name). +Knative looks for a `ConfigMap` with the label `networking.knative.dev/trust-bundle: "true"` and will read all `data` keys (regardless of the name). One key can contain one or multiple CAs/Intermediates. If they are valid, they will be added to the trust store of the Knative components. Here is an example of how `ConfigMap` could look like: @@ -199,7 +199,7 @@ data: kind: ConfigMap metadata: labels: - knative-ca-trust-bundle: "true" + networking.knative.dev/trust-bundle: "true" name: knative-bundle namespace: knative-serving ``` diff --git a/docs/serving/encryption/system-internal-tls.md b/docs/serving/encryption/system-internal-tls.md index 37f69a1ec81..98b5bb35057 100644 --- a/docs/serving/encryption/system-internal-tls.md +++ b/docs/serving/encryption/system-internal-tls.md 
@@ -38,6 +38,15 @@ Then, update the [`config-network` ConfigMap](https://github.com/knative/serving ... ``` +1. Restart the Activator component + + !!! warning + When the `system-internal-tls` feature is activated, the Activator component needs to be restarted to reconfigure its internal web server, as this is not possible during runtime. + + ```bash + kubectl rollout restart deploy/activator -n knative-serving + ``` + Congratulations! Knative will now use TLS between its internal system components (Ingress-Controller, Activator and Queue-Proxy).
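Review bot: In the first hunk of `install-and-configure-net-certmanager.md` (`@@ -168,7 +168,7 @@`), the sentence now names only `networking.knative.dev/trust-bundle: "true"` and gives no hint to readers who already created a ConfigMap with the `knative-ca-trust-bundle` label from the previous text. A trust bundle that is not picked up fails quietly from the operator's point of view, so consider adding one sentence telling them to relabel existing ConfigMaps. The prose also writes the label in YAML form (`key: "value"`) where the old text used selector form (`key="value"`); pick one and use it consistently on the page.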
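Review bot: In the second hunk of `install-and-configure-net-certmanager.md` (`@@ -199,7 +199,7 @@`), the example still shows a single ConfigMap in `namespace: knative-serving`, while the text above it says the bundle is needed in every namespace where a component runs, including each namespace with a Knative Service. Since the label is now the only thing that identifies the bundle, a short comment in or under the example saying the same labelled ConfigMap has to be created in those other namespaces would stop readers from copying it once and assuming the CA is trusted everywhere.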
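Review bot: In the `system-internal-tls.md` hunk (`@@ -38,6 +38,15 @@`), the new restart step ends at `kubectl rollout restart deploy/activator -n knative-serving` and is followed directly by the "Congratulations!" line, so the reader is told TLS is in use before the rollout has finished and without any check. Suggest adding `kubectl rollout status deploy/activator -n knative-serving` after the restart command, so the step completes only once the new Activator pods are ready. The warning also only covers the case where `system-internal-tls` "is activated"; please state whether the same restart is required when the feature is turned off again, since the reason given (the internal web server cannot be reconfigured at runtime) would apply in both directions.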