Using Kourier With Knative

Table of Contents

Using Kourier with KNative

The 3Scale Kourier is an Ingress for Knative. A deployment of Kourier consists of an Envoy proxy and a control plane for it. Kourier is meant to be a lightweight replacement for the Istio ingress. They say in the future it will provide API managemetn capabilities.

Motivation

I was reading the release notes for Knative 0.11.1 and saw this mentioned as a native knative ingress controller and knew I'd have to change all my terraform code for installing Istio anyway. (Istio has moved from using Helm which just did a major change to 3.0 - to using the istioctl cli for instalation.) This seemed a bit cleaner and easier and likely to be more maintainable. (For the record - I do actually like using stable tools, if I could find them.)

Installing & Configuring

The Kourier instructions in thier README are great, I just thend to do things a bit differently. When in doubt, use thiers.

305-config-network ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
  domainTemplate: "{{.Name}}.{{.Domain}}"
  clusteringress.class: "kourier.ingress.networking.knative.dev"
  ingress.class: "kourier.ingress.networking.knative.dev"

You'll note that I change my domainTemplate in a way that works for my application of just using the appName and not the namespace. (I run almost every app in a unique namespace that is the same as the app.)

Next you'll find the kourier changes.

kubectl apply -f 305-config-network.yaml

Install

kubectl apply -f https://raw.githubusercontent.com/3scale/kourier/${kourier_version}/deploy/kourier-knative.yaml

Setup a custom domain

This is just patching the knative config-domain ConfigMap in the standard way.

kubectl patch configmap/config-domain -n knative-serving --type merge -p '{"data":{"${domain}":""}}'

Setup the TLS certificate

I found the description in the docs to be a bit of a handwave, so I'm a bit more explicit here.

kubectl create secret tls ingressgateway-certs --key ${KEY_FILE} --cert ${CERT_FILE} -n kourier-system
kubectl patch deployment 3scale-kourier-control -n kourier-system  --type json \
  -p '[{"op": "replace", "path":"/spec/template/spec/containers/0/env/0/value", "value":"kourier-system"}, {"op":"replace","path":"/spec/template/spec/containers/0/env/1/value","value":"ingressgateway-certs"}]'

Conclusions

It was fairly easy, I found the folks at 3Scale to be very responsive to questions and comments. I really like the simplicity of it all - compared to installing Istio. I did notice that http appeared to remain open (I need to test this again)

I did run into some trouble installing Knative monitoring w/o Istio, I had to create the istio-system namespace to get that to work.

Next Steps

First off, I want to do a bit more testing, I should be ready for that tomorrow. Then I'll take a look at Contour another gateway. Lasty, I need to quickly decide if I want to pick Istio with all it's complexity or risk using one of these lightweight ingress controlers.

Les Vogel avatar
Les Vogel
Les Vogel works as a Staff Engineer in developer relations for Google Cloud.
comments powered by Disqus