add docs to tell how to set up gateway

knative · Nov 12, 2018 · ef0e6a7 · ef0e6a7
1 parent e0e0ee4
commit ef0e6a7
Show file tree

Hide file tree

Showing 2 changed files with 266 additions and 9 deletions.
diff --git a/docs/setting-up-custom-ingress-gateway.md b/docs/setting-up-custom-ingress-gateway.md
@@ -0,0 +1,254 @@
+# Setting Up Custom Ingress Gateway
+
+Knative uses a shared Gateway to serve all incoming traffic within Knative
+service mesh, which is the "knative-shared-gateway" Gateway under
+"knative-serving" namespace. By default, we use Istio gateway service `istio-ingressgateway`
+under "istio-system" namespace as its underlying service. You can replace the
+service with that of your own as follows.
+
+## Step 1: Create Gateway Service and Deployment Instance
+
+You'll need to create the gateway service and deployment instance to handle traffic first.
+The simplest way should be making a copy of the Gateway service template in [Istio release](https://github.com/istio/istio/releases).
+
+Here is an example:
+
+```
+apiVersion: v1
+kind: Service
+metadata:
+  name: custom-ingressgateway
+  namespace: istio-system
+  annotations:
+  labels:
+    chart: gateways-1.0.1
+    release: RELEASE-NAME
+    heritage: Tiller
+    app: custom-ingressgateway
+    custom: ingressgateway
+spec:
+  type: LoadBalancer
+  selector:
+    app: custom-ingressgateway
+    custom: ingressgateway
+  ports:
+    -
+      name: http2
+      nodePort: 32380
+      port: 80
+      targetPort: 80
+    -
+      name: https
+      nodePort: 32390
+      port: 443
+    -
+      name: tcp
+      nodePort: 32400
+      port: 31400
+    -
+      name: tcp-pilot-grpc-tls
+      port: 15011
+      targetPort: 15011
+    -
+      name: tcp-citadel-grpc-tls
+      port: 8060
+      targetPort: 8060
+    -
+      name: tcp-dns-tls
+      port: 853
+      targetPort: 853
+    -
+      name: http2-prometheus
+      port: 15030
+      targetPort: 15030
+    -
+      name: http2-grafana
+      port: 15031
+      targetPort: 15031
+---
+# This is the corresponding Deployment to backed the aforementioned Service.
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: custom-ingressgateway
+  namespace: istio-system
+  labels:
+    chart: gateways-1.0.1
+    release: RELEASE-NAME
+    heritage: Tiller
+    app: custom-ingressgateway
+    custom: ingressgateway
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: custom-ingressgateway
+      custom: ingressgateway
+  template:
+    metadata:
+      labels:
+        app: custom-ingressgateway
+        custom: ingressgateway
+      annotations:
+        sidecar.istio.io/inject: "false"
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+    spec:
+      serviceAccountName: istio-ingressgateway-service-account
+      containers:
+        - name: istio-proxy
+          image: "docker.io/istio/proxyv2:1.0.2"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+            - containerPort: 443
+            - containerPort: 31400
+            - containerPort: 15011
+            - containerPort: 8060
+            - containerPort: 853
+            - containerPort: 15030
+            - containerPort: 15031
+          args:
+          - proxy
+          - router
+          - -v
+          - "2"
+          - --discoveryRefreshDelay
+          - '1s' #discoveryRefreshDelay
+          - --drainDuration
+          - '45s' #drainDuration
+          - --parentShutdownDuration
+          - '1m0s' #parentShutdownDuration
+          - --connectTimeout
+          - '10s' #connectTimeout
+          - --serviceCluster
+          - custom-ingressgateway
+          - --zipkinAddress
+          - zipkin:9411
+          - --statsdUdpAddress
+          - istio-statsd-prom-bridge:9125
+          - --proxyAdminPort
+          - "15000"
+          - --controlPlaneAuthPolicy
+          - NONE
+          - --discoveryAddress
+          - istio-pilot:8080
+          resources:
+            requests:
+              cpu: 10m
+          env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          - name: ISTIO_META_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          volumeMounts:
+          - name: istio-certs
+            mountPath: /etc/certs
+            readOnly: true
+          - name: ingressgateway-certs
+            mountPath: "/etc/istio/ingressgateway-certs"
+            readOnly: true
+          - name: ingressgateway-ca-certs
+            mountPath: "/etc/istio/ingressgateway-ca-certs"
+            readOnly: true
+      volumes:
+      - name: istio-certs
+        secret:
+          secretName: istio.istio-ingressgateway-service-account
+          optional: true
+      - name: ingressgateway-certs
+        secret:
+          secretName: "istio-ingressgateway-certs"
+          optional: true
+      - name: ingressgateway-ca-certs
+        secret:
+          secretName: "istio-ingressgateway-ca-certs"
+          optional: true
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+                - ppc64le
+                - s390x
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - ppc64le
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - s390x
+```
+
+
+## Step 2: Update Knative Gateway
+
+Update gateway instance `knative-shared-gateway` under `knative-serving` namespace:
+
+```shell
+kubectl edit gateway knative-shared-gateway -n knative-serving
+```
+
+Replace its label selector with the label of your service:
+
+```
+istio: ingressgateway
+```
+
+For the service above, it should be updated to
+
+```
+custom: ingressgateway
+```
+
+If there is a change in service ports (compared with that of `istio-ingressgateway`),
+update the port info in gateway accordingly.
+
+## Step 3: Update Gateway Configmap
+
+Update gateway configmap `config-ingressgateway` under `knative-serving` namespace:
+
+```shell
+kubectl edit configmap config-ingressgateway -n knative-serving
+```
+
+Replace the `ingress-gateway` field with fully qualified url of your service:
+
+For the service above, it should be updated to
+
+```
+custom-ingressgateway.istio-system.svc.cluster.local
+```
diff --git a/docs/setting-up-ingress-static-ip.md b/docs/setting-up-ingress-static-ip.md
@@ -3,10 +3,13 @@
 Knative uses a shared Gateway to serve all incoming traffic within Knative
 service mesh, which is the "knative-shared-gateway" Gateway under
 "knative-serving" namespace. The IP address to access the gateway is the
-external IP address of the "knative-ingressgateway" service under the
+external IP address of the "istio-ingressgateway" service under the
 "istio-system" namespace. So in order to set static IP for the Knative shared
 gateway, you just need to set the external IP address of the
-"knative-ingressgateway" service to the static IP you need.
+"istio-ingressgateway" service to the static IP you need.
+If the gateway service has been replaced to that of other service, you'll
+need to replace "istio-ingressgateway" with the service name accordingly.
+See [instructions](../setting-up-custom-ingress-gateway.md) for more details.
 
 ## Prerequisites
 
@@ -30,28 +33,28 @@ gateway.
 
 ## Set Up Static IP for Knative Gateway
 
-### Step 1: Update external IP of "knative-ingressgateway" service
+### Step 1: Update external IP of "istio-ingressgateway" service
 
 Run following command to reset the external IP for the
-"knative-ingressgateway" service to the static IP you reserved.
+"istio-ingressgateway" service to the static IP you reserved.
 
 ```shell
-kubectl patch svc knative-ingressgateway -n istio-system --patch '{"spec": { "loadBalancerIP": "<your-reserved-static-ip>" }}'
+kubectl patch svc istio-ingressgateway -n istio-system --patch '{"spec": { "loadBalancerIP": "<your-reserved-static-ip>" }}'
 ```
 
-### Step 2: Verify static IP address of knative-ingressgateway service
+### Step 2: Verify static IP address of istio-ingressgateway service
 
-You can check the external IP of the "knative-ingressgateway" service with:
+You can check the external IP of the "istio-ingressgateway" service with:
 
 ```shell
-kubectl get svc knative-ingressgateway -n istio-system
+kubectl get svc istio-ingressgateway -n istio-system
 ```
 
 The result should be something like
 
 ```console
 NAME                     TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                                      AGE
-knative-ingressgateway   LoadBalancer   10.50.250.120   35.210.48.100   80:32380/TCP,443:32390/TCP,32400:32400/TCP   5h
+istio-ingressgateway   LoadBalancer   10.50.250.120   35.210.48.100   80:31380/TCP,443:31390/TCP,31400:31400/TCP...   5h
 ```
 
 The external IP will be eventually set to the static IP. This process could