Update Setting up custom ingress gateway section (#2505)

This patch updates [Setting up custom ingress gateway](https://knative.dev/docs/serving/setting-up-custom-ingress-gateway/) section.

It changed to:
- use istio operator example for custom gateway deploy. (Note, `istioctl` cannot install standalone ingress gateway.)
- update config in `config-istio` to `+gateway.knative-serving.knative-ingress-gateway`.
Kenjiro Nakayama 2020-06-11 14:22:22 +09:00 committed by GitHub
parent 5cf0b90cd1
commit d5a57b5f1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 51 additions and 196 deletions


@ -14,201 +14,50 @@ You can replace the service with that of your own as follows.
## Step 1: Create Gateway Service and Deployment Instance ## Step 1: Create Gateway Service and Deployment Instance
You'll need to create the gateway service and deployment instance to handle You'll need to create the gateway service and deployment instance to handle
traffic first. The simplest way should be making a copy of the Gateway service traffic first. Let's say you customized the default `istio-ingressgateway` to
template in [Istio release](https://github.com/istio/istio/releases). `custom-ingressgateway` as follows.
Here is an example:
```yaml ```yaml
apiVersion: v1 apiVersion: install.istio.io/v1alpha1
kind: Service kind: IstioOperator
metadata:
name: custom-ingressgateway
namespace: istio-system
annotations:
labels:
chart: gateways-1.0.1
release: RELEASE-NAME
heritage: Tiller
app: custom-ingressgateway
custom: ingressgateway
spec: spec:
type: LoadBalancer values:
selector: global:
app: custom-ingressgateway proxy:
custom: ingressgateway autoInject: disabled
ports: useMCP: false
- name: http2 # The third-party-jwt is not enabled on all k8s.
nodePort: 32380 # See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
port: 80 jwtPolicy: first-party-jwt
targetPort: 80
- name: https addonComponents:
nodePort: 32390 pilot:
port: 443 enabled: true
- name: tcp prometheus:
nodePort: 32400 enabled: false
port: 31400
- name: tcp-pilot-grpc-tls components:
port: 15011 ingressGateways:
targetPort: 15011 - name: custom-ingressgateway
- name: tcp-citadel-grpc-tls enabled: true
port: 8060 namespace: custom-ns
targetPort: 8060 label:
- name: tcp-dns-tls istio: custom-gateway
port: 853 - name: cluster-local-gateway
targetPort: 853 enabled: true
- name: http2-prometheus label:
port: 15030 istio: cluster-local-gateway
targetPort: 15030 app: cluster-local-gateway
- name: http2-grafana k8s:
port: 15031 service:
targetPort: 15031 type: ClusterIP
--- ports:
# This is the corresponding deployment to back the gateway service - port: 15020
apiVersion: extensions/v1beta1 name: status-port
kind: Deployment - port: 80
metadata: name: http2
name: custom-ingressgateway - port: 443
namespace: istio-system name: https
labels:
chart: gateways-1.0.1
release: RELEASE-NAME
heritage: Tiller
app: custom-ingressgateway
custom: ingressgateway
spec:
replicas: 1
selector:
matchLabels:
app: custom-ingressgateway
custom: ingressgateway
template:
metadata:
labels:
app: custom-ingressgateway
custom: ingressgateway
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-ingressgateway-service-account
containers:
- name: istio-proxy
image: "docker.io/istio/proxyv2:1.0.2"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
- containerPort: 31400
- containerPort: 15011
- containerPort: 8060
- containerPort: 853
- containerPort: 15030
- containerPort: 15031
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- "1s" #discoveryRefreshDelay
- --drainDuration
- "45s" #drainDuration
- --parentShutdownDuration
- "1m0s" #parentShutdownDuration
- --connectTimeout
- "10s" #connectTimeout
- --serviceCluster
- custom-ingressgateway
- --zipkinAddress
- zipkin:9411
- --statsdUdpAddress
- istio-statsd-prom-bridge:9125
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
resources:
requests:
cpu: 10m
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingressgateway-certs
mountPath: "/etc/istio/ingressgateway-certs"
readOnly: true
- name: ingressgateway-ca-certs
mountPath: "/etc/istio/ingressgateway-ca-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
- name: ingressgateway-certs
secret:
secretName: "istio-ingressgateway-certs"
optional: true
- name: ingressgateway-ca-certs
secret:
secretName: "istio-ingressgateway-ca-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
``` ```
## Step 2: Update Knative Gateway ## Step 2: Update Knative Gateway
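Review bot: `jwtPolicy: first-party-jwt` in the new `values.global` block reads as part of the custom-gateway recipe, but the comment above it says it is there only because third-party-jwt is not enabled on every cluster. Suggest saying in the prose that this line is a fallback and should be dropped where the cluster supports third-party tokens, since the linked Istio page treats first-party tokens as the less secure option and readers will copy the example as-is. Separately, the `custom-ingressgateway` entry sets `namespace: custom-ns`, yet the step neither says that namespace must exist nor shows how the `IstioOperator` resource is applied; one sentence covering both would make the step reproducible.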
@ -229,7 +78,7 @@ istio: ingressgateway
For the service above, it should be updated to: For the service above, it should be updated to:
``` ```
custom: ingressgateway istio: custom-gateway
``` ```
If there is a change in service ports (compared with that of If there is a change in service ports (compared with that of
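Review bot: The unchanged lead-in "For the service above, it should be updated to:" is stale now that Step 1 shows an `IstioOperator` rather than a Service manifest. Suggest rewording it to point at the `label:` of the `custom-ingressgateway` entry in Step 1, so the reader can see where `istio: custom-gateway` comes from, and tagging the fence as `yaml` like the block in Step 1.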
@ -244,9 +93,15 @@ namespace:
kubectl edit configmap config-istio -n knative-serving kubectl edit configmap config-istio -n knative-serving
``` ```
Replace the `ingress-gateway` field with the fully qualified url of your Replace the `istio-ingressgateway.istio-system.svc.cluster.local` field with
service. For the service above, it should be updated to: the fully qualified url of your service.
``` ```
custom-ingressgateway.istio-system.svc.cluster.local gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"
```
For the service above, it should be updated to:
```
gateway.knative-serving.knative-ingress-gateway: custom-ingressgateway.custom-ns.svc.cluster.local
``` ```
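Review bot: The new sentence calls `istio-ingressgateway.istio-system.svc.cluster.local` a "field", but in the snippet that follows it is the value; the field is `gateway.knative-serving.knative-ingress-gateway`. Suggest "Replace the value of `gateway.knative-serving.knative-ingress-gateway` with the fully qualified domain name of your service" (it is a cluster DNS name, not a URL). The two snippets are also inconsistent: the default value is quoted and the replacement `custom-ingressgateway.custom-ns.svc.cluster.local` is not, so pick one style for both.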