Configure custom domains to use for accessing your Knative serving
services. You can map one or more custom domain to an individual service, or you
can map a single domain to your cluster that all services use. Your custom
domain mapping can be the base domain like your-domain.com
, or a subdomain,
such as your-subdomain.your-domain.com
.
By default, the services that you deploy to your Knative serving clusters are
set to the nip.io
base domain. This allows you to immediately test your
services at a URL like:
http://{SERVICE_NAME}.{NAMESPACE}.kuberun.{EXTERNAL_IP}.nip.io
Learn more about test domains.
Before you begin
You must have or purchase the domain that you want to map to your services. You can use any domain name registrar, but if you use Cloud Domains, the domain is automatically verified for Knative serving, so you won't have to go through the domain verification process.
If you want to register a domain with Cloud Domains, see Registering a domain with Cloud Domains within the Knative serving console.
You must have at least the Kubernetes Engine Developer Identity and Access Management role or equivalent permissions.
To enable HTTPS with your custom domain mappings, you must either set up managed TLS certificates or configure your own certificates.
To map a custom domain to your cluster or services in a private, internal network, you must disable managed TLS certificates.
Mapping a custom domain
You can use the Google Cloud console or the command-line tools to map your custom domain.
Generally, to configure a custom domain:
- Optional: Reserve the IP address of your load balancer.
- Map your services or the cluster to the custom domain in Knative serving.
- Update your DNS records in your domain registrar.
Reserve the load balancer IP address
When Knative serving is installed, the Istio ingress controller creates a load balancer with an available IP address.
Depending on your GKE cluster, you might need to reserve the IP address of the load balancer for the Istio ingress controller:
- Outside Google Cloud
- Refer to the documentation for the environment where you run your GKE cluster to determine how IP addresses are managed and if your load balancer's IP address is static. Also see the configuration pages for your GKE cluster. For example, depending on how you configured load balancing for Google Distributed Cloud, you might have already reserved those IP addresses.
- On Google Cloud
You must reserve the external IP address of the load balancer to ensure it remains the same if your ingress service is ever deleted. Depending on your cluster configuration, the IP address is either externally available or internal only, for example, private clusters.
- Internal load balancers on Google Cloud
- See the following page for details about how to reserve the IP address of your internal load balancer: Reserving a static internal IP address
- External load balancers on Google Cloud
- To reserve the IP address of your external load balancer:
Obtain the IP address of the load balancer:
Console
To get the load balancer's external IP address from the Google Cloud console:- Go to the GKE page in the Google Cloud console:
Go to GKE - Click Services and ingress.
- Identify the service that is your cluster's Istio
ingress. The service's Type will be External load
balancer, and the Name will be
istio-ingressgateway
. - Once you've found your cluster's Istio ingress service, copy its
Endpoint. This will be the IP address without the port
number. For example, you might see
00.000.000.000:11
listed as an endpoint, but you only need to copy00.000.000.000
.
kubectl
To obtain the external IP for the Load Balancer, run the following command:
kubectl get svc istio-ingressgateway -n ASM-INGRESS-NAMESPACE
Replace ASM-INGRESS-NAMESPACE with the namespace where your Cloud Service Mesh ingress is located. Specify
istio-system
if you installed Cloud Service Mesh using its default configuration.The resulting output looks similar to the following:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) istio-ingressgateway LoadBalancer XX.XX.XXX.XX pending 80:32380/TCP,443:32390/TCP,32400:32400/TCP
where the EXTERNAL-IP value is your external IP address of the Load Balancer.
- Go to the GKE page in the Google Cloud console:
Reserve the IP address as a static IP:
gcloud compute addresses create ADDRESS-NAME --addresses EXTERNAL-IP --region REGION
Replace:
- ADDRESS-NAME with the name you want to give your static IP.
- EXTERNAL-IP with the external IP address of the load balancer that you obtained in the previous step.
- REGION with the region where your cluster is located.
After you obtain the IP address of your load balancer, you can use it to map your custom domain:
Mapping services
Choose one of the following methods to map your custom domain to a Knative serving service. Each individual service can be mapped to multiple domains.
Console
Open the domain mappings page in the Google Cloud console:
Note that if your display window is too small, the Mapping Custom Domains button isn't displayed and you must click the 3-dot vertical ellipse icon at the right corner of the page.
Click Add Mapping, and select Add service domain mapping to map a domain to an individual service. You can map multiple domains to each service.
From the dropdown list in the Add Mapping form, select the service to which you want to mapping your custom domain:
Enter the domain name. For example,
your-domain.com
orsubdomain.your-domain.com
. Domain requirements:- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
users
is the base path ofyour-domain.com/users
. Knative serving only allows you to map a domain to/
, not to a specific base path. So any path routing has to be handled by using a router inside the service's container or by using Firebase Hosting. -
You cannot map your domain to a subdomain that matches the URL of
your services. URLs to a service are defined as
http://{service}.{namespace}.{your-domain.com}
, therefore if you have a service attest.default.your-domain.com
, you must not create a domain mapping to the same subdomaintest.default.
your-domain.com
.
- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
Click Continue.
Update your DNS records at your domain registrar web site using the DNS records displayed in the last step. You can display the records at any time by clicking DNS Records in the "..." action menu for a domain mapping.
Click Done.
gcloud
Map your service to the custom domain:
gcloud run domain-mappings create --service SERVICE --domain DOMAIN
Replace:
- SERVICE with your service name.
- DOMAIN with your custom domain. For example,
your-domain.com
orsubdomain.your-domain.com
. Domain requirements:- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
users
is the base path ofyour-domain.com/users
. Knative serving only allows you to map a domain to/
, not to a specific base path. So any path routing has to be handled by using a router inside the service's container or by using Firebase Hosting. -
You cannot map your domain to a subdomain that matches the URL of
your services. URLs to a service are defined as
http://{service}.{namespace}.{your-domain.com}
, therefore if you have a service attest.default.your-domain.com
, you must not create a domain mapping to the same subdomaintest.default.
your-domain.com
.
- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
Now that your custom domain is mapped to Knative serving, you must add DNS records at your domain registrar.
Mapping clusters
Choose one of the following methods to map your custom domain to your cluster:
Console
Open the domain mappings page in the Google Cloud console:
Note that if your display window is too small, the Mapping Custom Domains button isn't displayed and you must click the 3-dot vertical ellipse icon at the right corner of the page.
Click Add Mapping, and select Add default domain to map a domain to all services in your cluster. By default, new services that you deploy use the mapped domain.
Click the checkbox to apply your new domain mapping to all the existing services in your cluster.
From the dropdown list in the Add Mapping form, select the cluster to which you want to mapping your custom domain:
Enter the domain name. For example,
your-domain.com
orsubdomain.your-domain.com
. Domain requirements:- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
users
is the base path ofyour-domain.com/users
. Knative serving only allows you to map a domain to/
, not to a specific base path. So any path routing has to be handled by using a router inside the service's container or by using Firebase Hosting. -
You cannot map your domain to a subdomain that matches the URL of
your services. URLs to a service are defined as
http://{service}.{namespace}.{your-domain.com}
, therefore if you have a service attest.default.your-domain.com
, you must not create a domain mapping to the same subdomaintest.default.
your-domain.com
.
- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
Click Continue.
Update your DNS records at your domain registrar web site using the DNS records displayed in the last step. You can display the records at any time by clicking DNS Records in the "..." action menu for a domain mapping.
Click Done.
kubectl
Run the following command to remove the existing base domain from the
config-domain
ConfigMap and replace it with your custom domain:kubectl patch configmap config-domain --namespace knative-serving --patch \ '{"data": {"nip.io": null, "DOMAIN": ""}}'
Replace DOMAIN with your custom domain. For example,
your-domain.com
orsubdomain.your-domain.com
. Domain requirements:- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
users
is the base path ofyour-domain.com/users
. Knative serving only allows you to map a domain to/
, not to a specific base path. So any path routing has to be handled by using a router inside the service's container or by using Firebase Hosting. -
You cannot map your domain to a subdomain that matches the URL of
your services. URLs to a service are defined as
http://{service}.{namespace}.{your-domain.com}
, therefore if you have a service attest.default.your-domain.com
, you must not create a domain mapping to the same subdomaintest.default.
your-domain.com
.
- Base path mapping is not supported. The term base path
refers to the URL path name that is after the domain name. For example,
Now that your custom domain is mapped to Knative serving, you must add DNS records at your domain registrar.
Add your DNS records at your domain registrar
After you've mapped your service to a custom domain in Knative serving, you need to update your DNS records at your domain registrar. As a convenience, Knative serving generates and displays the DNS records you need to enter. You must add these records that point to the Knative serving service at your domain registrar for the mapping to go into effect.
If you're using Cloud DNS as your DNS provider, see Adding a record.
Retrieve the DNS record information for your domain mappings using:
Console
Go to the Knative serving domain mappings page:
Click the 3-dot vertical ellipse icon to the right of your service, then click DNS RECORDS to display all the DNS records:
gcloud
gcloud run domain-mappings describe --domain DOMAIN
Replace DOMAIN with your custom domain. For example,
your-domain.com
orsubdomain.your-domain.com
.You need all of the records returned under the heading
resourceRecords
.Log in to your account at your domain registrar and then open the DNS configuration page.
Locate the host records section of your domain's configuration page and then add each of the resource records that you received when you mapped your domain to your Knative serving service.
When you add each of the above DNS records to the account at the DNS provider:
- Select the type returned in the DNS record in the previous step:
A
, orAAAA
, orCNAME
. - Use the name
www
to map towww.your-domain.com
. - Use the name
@
to mapyour-domain.com
. - Use the
wildcard
*
to map to*.your-domain.com
.
- Select the type returned in the DNS record in the previous step:
Save your changes in the DNS configuration page of your domain's account. In most cases, it takes only a few minutes for these changes to take effect, but in some cases it can take up to several hours, depending on the registrar and the Time-To-Live (TTL) of any previous DNS records for your domain. You can use a
dig
tool, such as this onlinedig
version, to confirm the DNS records have been successfully updated.Test for success by browsing to your service at its new URL, for example
https://www.your-domain.com
. Note that it can take several minutes for the managed SSL/TLS certificate to be issued.
Adding verified domain owners to other users or service accounts
When a user verifies a domain, that domain is only verified to that user's account. This means that only that user can add more domain mappings that use that domain. So, to enable other users to add mappings that use that domain, you must add them as verified owners.
If you need to add verified owners of your domain to other users or service accounts, you can add permission through the Search Console page:
Navigate to this address in your web browser:
https://search.google.com/search-console/welcome
Under Properties, click the domain for which you want to add a user or service account.
Scroll down to the Verified owners list, click Add an owner, and then enter a Google Account email address or service account ID.
To view a list of your service accounts, open the Service Accounts page in the Google Cloud console:
Registering a domain with Cloud Domains within the Knative serving console
To register a domain with Cloud Domains from within the Knative serving console:
Go to the Knative serving domain mappings page:
Click Register domain.
Complete the registration process following the instructions for Registering a domain.
Complete the steps earlier in this page to Map your domain to Knative serving and then add DNS records at your domain registrar.
Troubleshooting
View the common issues in Troubleshooting custom domains and managed TLS.