Update Serverless + Service Mesh integration documentation

[ReToCode]

For JIRAs:

• https://issues.redhat.com/browse/SRVCOM-2368
• https://issues.redhat.com/browse/SRVCOM-2356
• https://issues.redhat.com/browse/SRVKS-992
• https://issues.redhat.com/browse/SRVKE-1509
• https://issues.redhat.com/browse/SRVKS-1117
• https://issues.redhat.com/browse/SRVKS-984

Changes

• Provide DP docs for Serverless Service Mesh Integration
• Provide DP docs for Multi-tenancy with Service Mesh
• Provide docs for OpenShift ingress sharding with Serverless (related to the MT stuff)

[netlify]

✅ Deploy Preview for jazzy-shortbread-5f62b7 ready!

Name	Link
🔨 Latest commit	7ccf02e
🔍 Latest deploy log	https://app.netlify.com/sites/jazzy-shortbread-5f62b7/deploys/650810555400880009d52c32
😎 Deploy Preview	https://deploy-preview-97--jazzy-shortbread-5f62b7.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[nak3]

A few comments but LGTM overall.

[rhuss]

Thanks a lot, this a is major step forward and a great improvements for the docs. I did an in-depth review with some proposals that might be difficult to imlplement. Let's discuss them on the topic.

One overall comment that might also affects other parts of the documentation: I would prefer to use kn service create instead of adding the plain yaml files because its much shorter and focus on the important parts. See the example that I have added when verifying the mt setup.

A part that might be a bit controversial is how we organise the content in the ToC. Combining Serving and Eventing right now might be the right thing, but will become later difficult in case we want to split Serving and Eventing apart into separatre products. But see my comments above.

[rhuss]

I like the graphic, but I wonder whether this will work in the OpenShift docs with having a lot of blurb around (navigation, headers), so screen real estate might be an issue. I wonder whether we could shorten the text and maybe add some callouts to just the resource type ? Details can then be in the flow text.

[ReToCode]

We are not even sure if we even can add visuals to the official docs as they would need resources to re-draw the visuals themselves (in the OCP docs style). Lets discuss that point with docs first.

[rhuss]

Agreed, but I'm pretty sure that one of the feedback will be that we need to move out the text from the graphics. So we could already do this improvement to ease the discussion with docs.

[ReToCode]

@pierDipi for you.

[pierDipi]

+1, I will work on it

[mgencur]

Nice! Many review comments were already provided. I'm adding a few more.

[mgencur]

Regarding the blue arrows.

• Arrow 1) seems correct to me
• Arrow 2) - I'm missing the number "2)" next to the arrow
• Arrow 3) - the arrow has "3)" next to it but the description for "3)" at the bottom of the picture seems to belong to the blue arrow that doesn't have any number next to it. Just because it speaks about "tenant-2" namespace but the arrow with "3)" comes from "knative-eventing". Not sure if we can make it more clear...

[mgencur]

I was previously asking @pierDipi whether it is possible for the sender to sneak-in the Kn-Namespace header to act like it can communicate with the tenants. The answer was something like "it is only added by Eventing core" so it's not possible to sneak it in.
But here I see "ksvc" in tenant-2 and it looks like this service needs to provide "Kn-Namespace" by itself. Is it true? Is it possible to abuse communication by somebody who is not supposed to belong to the tenants?
Note: We still need to write tests for this. That's TODO

[ReToCode]

@pierDipi can you answer those?

[pierDipi]

@mgencur I think to make 3 more clear I can "slice" sender and receiver with "tenant-1" and "tenant-2"

[mgencur]

OK. I will try to answer it myself. The ksvc is NOT supposed to set Kn-Namespace header and the AuthorizatioPolicy we have is defining the "source" namespace as "knative-eventing" so the Kn-Namespace header is taken into account only when sent by a component from knative-eventing ns:

- from:
        - source:
            namespaces:
              - "knative-eventing"
      when:
        - key: request.headers[Kn-Namespace]
          values:
          - "tenant-1"

[pierDipi]

Yes, @mgencur for the other comment, that's the idea, only when coming from our own namespace it's expected to match the header

[pierDipi]

For 2 and 3, I've updated the diagram and the legend in ReToCode#3

[nak3]

I have reviewed the new commit:

https://deploy-preview-97--jazzy-shortbread-5f62b7.netlify.app/docs/latest/serverless/serving/serving-with-ingress-sharding
e9fd163

LGTM 🎉

[rhuss]

@ReToCode thanks a lot for the refactoring, looks good to me.

[ReToCode]

@rhuss I added the kn verification as a tab, as it is possible here in asciidoc (plugin is there). Let's see/discuss this with the docs team for the official docs.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ReToCode, rhuss

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pierDipi]

@ReToCode ReToCode#3

[ReToCode]

@mgencur PTAL: #97 (comment) . If you are ok with that, I think we can merge this.

[ReToCode]

/unhold

[mgencur]

@mgencur PTAL: #97 (comment) . If you are ok with that, I think we can merge this.

It looks good to me. Thanks!