Knative custom Ingress gateway

Knative uses a shared ingress gateway to serve all incoming traffic within the Knative service mesh: the knative-ingress-gateway Gateway in the knative-serving namespace. By default, the Istio gateway service istio-ingressgateway in the istio-system namespace is used as its underlying service. You can replace that service with your own as follows.

Step 1: Create the gateway service and deployment instance

You first need to create the gateway service and deployment instance that will handle the traffic. The simplest way is to start from the gateway template in the Istio release.

Here is an example:

apiVersion: v1
kind: Service
metadata:
  name: custom-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways-1.0.1
    release: RELEASE-NAME
    heritage: Tiller
    app: custom-ingressgateway
    custom: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: custom-ingressgateway
    custom: ingressgateway
  ports:
    - name: http2
      nodePort: 32380
      port: 80
      targetPort: 80
    - name: https
      nodePort: 32390
      port: 443
    - name: tcp
      nodePort: 32400
      port: 31400
    - name: tcp-pilot-grpc-tls
      port: 15011
      targetPort: 15011
    - name: tcp-citadel-grpc-tls
      port: 8060
      targetPort: 8060
    - name: tcp-dns-tls
      port: 853
      targetPort: 853
    - name: http2-prometheus
      port: 15030
      targetPort: 15030
    - name: http2-grafana
      port: 15031
      targetPort: 15031
---
# This is the corresponding deployment to back the gateway service
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: custom-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways-1.0.1
    release: RELEASE-NAME
    heritage: Tiller
    app: custom-ingressgateway
    custom: ingressgateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: custom-ingressgateway
      custom: ingressgateway
  template:
    metadata:
      labels:
        app: custom-ingressgateway
        custom: ingressgateway
      annotations:
        sidecar.istio.io/inject: "false"
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.0.2"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15011
            - containerPort: 8060
            - containerPort: 853
            - containerPort: 15030
            - containerPort: 15031
          args:
            - proxy
            - router
            - -v
            - "2"
            - --discoveryRefreshDelay
            - "1s" #discoveryRefreshDelay
            - --drainDuration
            - "45s" #drainDuration
            - --parentShutdownDuration
            - "1m0s" #parentShutdownDuration
            - --connectTimeout
            - "10s" #connectTimeout
            - --serviceCluster
            - custom-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            - --statsdUdpAddress
            - istio-statsd-prom-bridge:9125
            - --proxyAdminPort
            - "15000"
            - --controlPlaneAuthPolicy
            - NONE
            - --discoveryAddress
            - istio-pilot:8080
          resources:
            requests:
              cpu: 10m
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-ingressgateway-service-account
            optional: true
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x

Step 2: Update the Knative Gateway

Update the gateway instance knative-ingress-gateway in the knative-serving namespace:

kubectl edit gateway knative-ingress-gateway -n knative-serving

Replace the label selector with your service's label:

istio: ingressgateway

For the service above, it should be updated to:

custom: ingressgateway

If the service ports differ from those of istio-ingressgateway, update the port information in the gateway accordingly.

Step 3: Update the Gateway ConfigMap

Update the gateway configmap config-istio in the knative-serving namespace:

kubectl edit configmap config-istio -n knative-serving

Replace the ingress-gateway field with the fully qualified URL of your service. For the service above, it should be updated to:

custom-ingressgateway.istio-system.svc.cluster.local
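As an added example (not part of the original page or of Knative itself), the Python check below confirms that the three steps agree: the Gateway selector and server ports match the custom Service, config-istio carries its cluster-local name, and any LoadBalancer ports no Gateway server uses are reported so they can be trimmed. The manifests are constructed from the page and assume the Gateway serves only plain HTTP on port 80.

```python
# Added example, not from the Knative docs: offline consistency checks for the
# three steps above, run against constructed manifests mirroring the page.
# Assumes config-istio's ingress-gateway must be "<service>.<namespace>.svc.cluster.local".

# Constructed: the Step 1 Service, trimmed to the fields the checks read.
SERVICE = {
    "metadata": {"name": "custom-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "selector": {"app": "custom-ingressgateway", "custom": "ingressgateway"},
        "ports": [{"port": p} for p in (80, 443, 31400, 15011, 8060, 853, 15030, 15031)],
    },
}
# Constructed: knative-ingress-gateway after Step 2, serving plain HTTP on 80.
GATEWAY = {"spec": {"selector": {"custom": "ingressgateway"},
                    "servers": [{"port": {"number": 80, "protocol": "HTTP"}, "hosts": ["*"]}]}}
# Constructed: config-istio data after Step 3.
CONFIG_ISTIO = {"ingress-gateway": "custom-ingressgateway.istio-system.svc.cluster.local"}


def service_fqdn(service):
    """Cluster-local DNS name that config-istio's ingress-gateway must carry."""
    md = service["metadata"]
    return f'{md["name"]}.{md["namespace"]}.svc.cluster.local'


def check_custom_gateway(service, gateway, config_istio):
    """Return the list of mismatches between the three steps (empty means consistent)."""
    problems = []
    svc_sel, gw_sel = service["spec"]["selector"], gateway["spec"]["selector"]
    # Step 2: the Gateway selector must match the pod labels the Service selects,
    # otherwise Istio binds the Gateway to no proxy and Knative routes get no traffic.
    if any(svc_sel.get(k) != v for k, v in gw_sel.items()):
        problems.append(f"gateway selector {gw_sel} does not match service selector {svc_sel}")
    # Step 2: every port a Gateway server listens on must be exposed by the Service.
    exposed = {p["port"] for p in service["spec"]["ports"]}
    for srv in gateway["spec"]["servers"]:
        if srv["port"]["number"] not in exposed:
            problems.append(f"gateway server port {srv['port']['number']} is not exposed by the service")
    # Step 3: config-istio must name this Service, or Knative keeps using the old one.
    if config_istio.get("ingress-gateway") != service_fqdn(service):
        problems.append(f"config-istio ingress-gateway should be {service_fqdn(service)}")
    return problems


def unused_exposed_ports(service, gateway):
    """LoadBalancer ports no Gateway server uses: exposure worth trimming from the Service."""
    used = {srv["port"]["number"] for srv in gateway["spec"]["servers"]}
    return sorted(p["port"] for p in service["spec"]["ports"] if p["port"] not in used)
```

With the page's Service as written, every port except 80 is reported as unused by the Gateway; an internet-facing LoadBalancer should only expose the ports the Gateway actually serves.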