Using Kourier With Knative
The 3Scale Kourier is an Ingress for Knative. A deployment of Kourier consists of an Envoy proxy and a control plane for it. Kourier is meant to be a lightweight replacement for the Istio ingress. They say in the future it will provide API management capabilities.
Motivation
I was reading the release notes for Knative 0.11.1 and saw this mentioned as a native Knative ingress controller and knew I’d have to change all my Terraform code for installing Istio anyway. (Istio has moved from using Helm - which just did a major change to 3.0 - to using the istioctl CLI for installation.) This seemed a bit cleaner and easier and likely to be more maintainable. (For the record - I do actually like using stable tools, if I could find them.)
Installing & Configuring
The Kourier instructions in their README are great, I just tend to do things a bit differently. When in doubt, use theirs.
305-config-network ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
  domainTemplate: "{{.Name}}.{{.Domain}}"
  clusteringress.class: "kourier.ingress.networking.knative.dev"
  ingress.class: "kourier.ingress.networking.knative.dev"
You’ll note that I change my domainTemplate in a way that works for my application of just using the appName and not the namespace. (I run almost every app in a unique namespace that is the same as the app.)
Next you’ll find the kourier changes.
kubectl apply -f 305-config-network.yaml
Install
kubectl apply -f https://raw.githubusercontent.com/3scale/kourier/${kourier_version}/deploy/kourier-knative.yaml
Set up a custom domain
This is just patching the Knative config-domain ConfigMap in the standard way.
kubectl patch configmap/config-domain -n knative-serving --type merge -p '{"data":{"${domain}":""}}'
Set up the TLS certificate
I found the description in the docs to be a bit of a handwave, so I’m a bit more explicit here.
kubectl create secret tls ingressgateway-certs --key ${KEY_FILE} --cert ${CERT_FILE} -n kourier-system
kubectl patch deployment 3scale-kourier-control -n kourier-system --type json \
-p '[{"op": "replace", "path":"/spec/template/spec/containers/0/env/0/value", "value":"kourier-system"}, {"op":"replace","path":"/spec/template/spec/containers/0/env/1/value","value":"ingressgateway-certs"}]'
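The patch above addresses the two environment variables by position (env/0 and env/1), so it overwrites whatever sits at those indexes if a later manifest reorders them. The sketch below is an added example, not code from the original post or from the Kourier project: it builds the same patch by variable name from the output of `kubectl get deployment 3scale-kourier-control -n kourier-system -o json` and guards each write with a JSON Patch `test` op. The variable names `CERTS_SECRET_NAMESPACE` and `CERTS_SECRET_NAME` and the helper `build_tls_patch` are assumptions; check the names against the manifest you deployed.

```python
import json

# Assumed env var names for the Kourier control plane; they are not on this
# page, so confirm them against the manifest you deployed.
NS_VAR = "CERTS_SECRET_NAMESPACE"
NAME_VAR = "CERTS_SECRET_NAME"

# Constructed sample in the shape of `kubectl get deployment ... -o json`, with
# an extra variable at index 0 so positional paths would hit the wrong entry.
SAMPLE = {"spec": {"template": {"spec": {"containers": [{
    "name": "example-container",
    "env": [
        {"name": "EXAMPLE_OTHER_VAR", "value": "keep-me"},
        {"name": NS_VAR, "value": ""},
        {"name": NAME_VAR, "value": ""},
    ],
}]}}}}


def build_tls_patch(deployment, secret_namespace, secret_name):
    """Return JSON Patch ops that set the two cert env vars, found by name.

    Each write is preceded by a "test" op on the entry's name, so the API
    server rejects the whole patch if the env order changed after it was read.
    """
    wanted = {NS_VAR: secret_namespace, NAME_VAR: secret_name}
    ops = []
    containers = deployment["spec"]["template"]["spec"]["containers"]
    for ci, container in enumerate(containers):
        for ei, env in enumerate(container.get("env", [])):
            name = env.get("name")
            if name not in wanted:
                continue
            if "valueFrom" in env:
                raise ValueError(f"{name} uses valueFrom, not a literal value")
            base = f"/spec/template/spec/containers/{ci}/env/{ei}"
            ops.append({"op": "test", "path": f"{base}/name", "value": name})
            # "add" on an object member sets it whether or not it exists yet.
            ops.append({"op": "add", "path": f"{base}/value",
                        "value": wanted.pop(name)})
    if wanted:
        raise LookupError(f"env vars not found: {sorted(wanted)}")
    return ops


if __name__ == "__main__":
    print(json.dumps(build_tls_patch(SAMPLE, "kourier-system",
                                     "ingressgateway-certs")))
```

The printed JSON can be passed to `kubectl patch ... --type json -p` in place of the hand-written patch.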
Conclusions
It was fairly easy, and I found the folks at 3Scale to be very responsive to questions and comments. I really like the simplicity of it all - compared to installing Istio. I did notice that HTTP appeared to remain open (I need to test this again).
I did run into some trouble installing Knative monitoring w/o Istio, I had to create the istio-system namespace to get that to work.
Next Steps
First off, I want to do a bit more testing, I should be ready for that tomorrow. Then I’ll take a look at Contour, another gateway. Lastly, I need to quickly decide if I want to pick Istio with all its complexity or risk using one of these lightweight ingress controllers.