Skip to content

Commit

Permalink
add docs to tell how to set up gateway
Browse files Browse the repository at this point in the history
  • Loading branch information
@lichuqiang
lichuqiang committed Nov 8, 2018
1 parent dbad964 commit 16500d5
Show file tree
Hide file tree
Showing 2 changed files with 250 additions and 9 deletions.
238 changes: 238 additions & 0 deletions docs/setting-up-custom-ingress-gateway.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,238 @@
# Setting Up Custom Ingress Gateway

Knative uses a shared Gateway to serve all incoming traffic within Knative
service mesh, which is the "knative-shared-gateway" Gateway under
"knative-serving" namespace. By default, we use Istio gateway service `istio-ingressgateway`
under "istio-system" namespace as its underlying service. You can replace the
service with that of your own as follows.

## Step 1: Create Gateway Service and Deployment Instance

You'll need to create the gateway service and deployment instance to handle traffic first.
The simplest way should be making a copy of the Gateway service template in [Istio release](https://github.com/istio/istio/releases).

Here is an example:

```
apiVersion: v1
kind: Service
metadata:
name: custom-ingressgateway
namespace: istio-system
annotations:
labels:
chart: gateways-1.0.1
release: RELEASE-NAME
heritage: Tiller
app: custom-ingressgateway
custom: ingressgateway
spec:
type: LoadBalancer
selector:
app: custom-ingressgateway
custom: ingressgateway
ports:
-
name: http2
nodePort: 32380
port: 80
targetPort: 80
-
name: https
nodePort: 32390
port: 443
-
name: tcp
nodePort: 32400
port: 31400
-
name: tcp-pilot-grpc-tls
port: 15011
targetPort: 15011
-
name: tcp-citadel-grpc-tls
port: 8060
targetPort: 8060
-
name: tcp-dns-tls
port: 853
targetPort: 853
-
name: http2-prometheus
port: 15030
targetPort: 15030
-
name: http2-grafana
port: 15031
targetPort: 15031
---
# This is the corresponding Deployment to backed the aforementioned Service.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: custom-ingressgateway
namespace: istio-system
labels:
chart: gateways-1.0.1
release: RELEASE-NAME
heritage: Tiller
app: custom-ingressgateway
custom: ingressgateway
spec:
replicas: 1
selector:
matchLabels:
app: custom-ingressgateway
custom: ingressgateway
template:
metadata:
labels:
app: custom-ingressgateway
custom: ingressgateway
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-ingressgateway-service-account
containers:
- name: istio-proxy
image: "docker.io/istio/proxyv2:1.0.2"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
- containerPort: 31400
- containerPort: 15011
- containerPort: 8060
- containerPort: 853
- containerPort: 15030
- containerPort: 15031
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- custom-ingressgateway
- --zipkinAddress
- zipkin:9411
- --statsdUdpAddress
- istio-statsd-prom-bridge:9125
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
resources:
requests:
cpu: 10m
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingressgateway-certs
mountPath: "/etc/istio/ingressgateway-certs"
readOnly: true
- name: ingressgateway-ca-certs
mountPath: "/etc/istio/ingressgateway-ca-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
- name: ingressgateway-certs
secret:
secretName: "istio-ingressgateway-certs"
optional: true
- name: ingressgateway-ca-certs
secret:
secretName: "istio-ingressgateway-ca-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
```


## Step 2: Update Knative Gateway

Update gateway instance `knative-shared-gateway` under `knative-serving` namespace:

```shell
kubectl edit gateway knative-shared-gateway -n knative-serving
```

Replace its label selector with the label of your service:

```
istio: ingressgateway
```

For the service above, it should be updated to

```
custom: ingressgateway
```

If there is a change in service ports (compared with that of `istio-ingressgateway`),
update the port info in gateway accordingly.
21 changes: 12 additions & 9 deletions docs/setting-up-ingress-static-ip.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,13 @@
Knative uses a shared Gateway to serve all incoming traffic within Knative
service mesh, which is the "knative-shared-gateway" Gateway under
"knative-serving" namespace. The IP address to access the gateway is the
external IP address of the "knative-ingressgateway" service under the
external IP address of the "istio-ingressgateway" service under the
"istio-system" namespace. So in order to set static IP for the Knative shared
gateway, you just need to set the external IP address of the
"knative-ingressgateway" service to the static IP you need.
"istio-ingressgateway" service to the static IP you need.
If the gateway service has been replaced to that of other service, you'll
need to replace "istio-ingressgateway" with the service name accordingly.
See [instructions](../setting-up-custom-ingress-gateway.md) for more details.

## Prerequisites

Expand All @@ -30,28 +33,28 @@ gateway.

## Set Up Static IP for Knative Gateway

### Step 1: Update external IP of "knative-ingressgateway" service
### Step 1: Update external IP of "istio-ingressgateway" service

Run following command to reset the external IP for the
"knative-ingressgateway" service to the static IP you reserved.
"istio-ingressgateway" service to the static IP you reserved.

```shell
kubectl patch svc knative-ingressgateway -n istio-system --patch '{"spec": { "loadBalancerIP": "<your-reserved-static-ip>" }}'
kubectl patch svc istio-ingressgateway -n istio-system --patch '{"spec": { "loadBalancerIP": "<your-reserved-static-ip>" }}'
```

### Step 2: Verify static IP address of knative-ingressgateway service
### Step 2: Verify static IP address of istio-ingressgateway service

You can check the external IP of the "knative-ingressgateway" service with:
You can check the external IP of the "istio-ingressgateway" service with:

```shell
kubectl get svc knative-ingressgateway -n istio-system
kubectl get svc istio-ingressgateway -n istio-system
```

The result should be something like

```console
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
knative-ingressgateway LoadBalancer 10.50.250.120 35.210.48.100 80:32380/TCP,443:32390/TCP,32400:32400/TCP 5h
istio-ingressgateway LoadBalancer 10.50.250.120 35.210.48.100 80:31380/TCP,443:31390/TCP,31400:31400/TCP... 5h
```

The external IP will be eventually set to the static IP. This process could
Expand Down

0 comments on commit 16500d5

Please sign in to comment.