From fa64dbe7c1e7e11e59b27212e0b750b8a1184468 Mon Sep 17 00:00:00 2001 From: Kalyani Desai Date: Tue, 4 Nov 2025 15:55:56 +0530 Subject: [PATCH 1/7] SRVCOM-3999-Integrating-OSSM-3.x: Added and updated a new integrating ossm with serverless 3.x section the serverless docs --- _topic_maps/_topic_map.yml | 2 + ...serverless-integrating-ossm-3-x-setup.adoc | 61 ++++ ...rless-ossm-disabling-network-policies.adoc | 3 +- ...-and-configuring-openshift-serverless.adoc | 3 +- ...onfiguring-openshift-service-mesh-3-x.adoc | 283 ++++++++++++++++++ ...-verifying-installation-prerequisites.adoc | 3 +- ...erless-ossm-verifying-the-integration.adoc | 3 +- ...sm-verifying-the-ossm-3-x-integration.adoc | 120 ++++++++ 8 files changed, 474 insertions(+), 4 deletions(-) create mode 100644 integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc create mode 100644 modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc create mode 100644 modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index d59c7028b251..afd93009c1e8 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -511,6 +511,8 @@ Topics: File: serverless-ossm-setup - Name: Using Service Mesh 2.x to isolate network traffic with OpenShift Serverless File: serverless-ossm-traffic-isolation + - Name: Integrating Service Mesh 3.x with OpenShift Serverless + File: serverless-integrating-ossm-3-x-setup - Name: Integrating OpenShift Serverless with the cost management service File: serverless-cost-management-integration - Name: Integrating OpenShift Serverless with OpenShift Pipelines diff --git a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc new file mode 100644 index 000000000000..4b7a5e8b19c4 --- /dev/null 
+++ b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc 
@@ -0,0 +1,61 @@ +:_mod-docs-content-type: ASSEMBLY +[id="serverless-integrating-ossm-3-x-setup"] += Integrating Service Mesh 3.x with OpenShift Serverless +include::_attributes/common-attributes.adoc[] +:context: serverless-ossm-setup + +toc::[] + +[role="_abstract"] +The {ServerlessOperatorName} provides Kourier as the default ingress for Knative. However, you can use {SMProductShortName} with {ServerlessProductName} whether Kourier is enabled or not. Integrating with Kourier disabled allows you to configure additional networking and routing options that the Kourier ingress does not support, such as mTLS functionality. + +Note the following assumptions and limitations: + +* All Knative internal components, as well as Knative Services, are part of the {SMProductShortName} and have sidecars injection enabled. This means that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection, with the client having to send its certificate, except calls coming from OpenShift Routing. + +* {ServerlessProductName} with {SMProductShortName} integration can only target *one* service mesh. Multiple meshes can be present in the cluster, but {ServerlessProductName} is only available on one of them. + +* Changing the target `ServiceMeshMemberRoll` that {ServerlessProductName} is part of, meaning moving {ServerlessProductName} to another mesh, is not supported. The only way to change the targeted Service mesh is to uninstall and reinstall {ServerlessProductName}. + +[id="prerequisites_serverless-ossm-setup"] +== Prerequisites + +* You have access to an {product-title} account with cluster administrator access. + +* You have installed the OpenShift CLI (`oc`). + +* You have installed the {ServerlessProductShortName} Operator. + +* You have installed the {SMProductName} 3.x Operator. + +* The examples in the following procedures use the domain `example.com`. 
The example certificate for this domain is used as a certificate authority (CA) that signs the subdomain certificate. ++ +To complete and verify these procedures in your deployment, you need either a certificate signed by a widely trusted public CA or a CA provided by your organization. Example commands must be adjusted according to your domain, subdomain, and CA. + +* You must configure the wildcard certificate to match the domain of your {ocp-product-title} cluster. For example, if your {ocp-product-title} console address is `https://console-openshift-console.apps.openshift.example.com`, you must configure the wildcard certificate so that the domain is `*.apps.openshift.example.com`. For more information about configuring wildcard certificates, see the following topic about _Creating a certificate to encrypt incoming external traffic_. + +* If you want to use any domain name, including those which are not subdomains of the default {ocp-product-title} cluster domain, you must set up domain mapping for those domains. For more information, see the {ServerlessProductName} documentation about xref:../../knative-serving/config-custom-domains/create-domain-mapping.adoc#serverless-create-domain-mapping_create-domain-mapping[Creating a custom domain mapping]. + +include::modules/serverless-ossm-external-certs.adoc[leveloffset=+1] + +// without kourier +[id="serverless-ossm-setup_integrating-ossm-with-serverless"] +== Integrating {SMProductShortName} with {ServerlessProductName} + +You can integrate {SMProductShortName} 3.x with {ServerlessProductName} to enable advanced traffic management, security, and observability for your serverless applications. This section provides the steps to verify prerequisites, install and configure both components, and confirm that the integration is functioning as expected. 
+ +include::modules/serverless-ossm-verifying-installation-prerequisites.adoc[leveloffset=+2] + +include::modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc[leveloffset=+2] + +include::modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc[leveloffset=+2] + +include::modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc[leveloffset=+2] + +include::modules/serverless-ossm-disabling-network-policies.adoc[leveloffset=+1] + +[id="additional-resources_serverless-ossm-setup"] +[role="_additional-resources"] +== Additional resources +* link:https://access.redhat.com/articles/4912821[Red Hat OpenShift Serverless Supported Configurations] +* xref:../../knative-serving/kourier-and-istio-ingresses.adoc#kourier-and-istio-ingresses[Kourier and Istio ingresses] diff --git a/modules/serverless-ossm-disabling-network-policies.adoc b/modules/serverless-ossm-disabling-network-policies.adoc index aa984110a434..27037c93434c 100644 --- a/modules/serverless-ossm-disabling-network-policies.adoc +++ b/modules/serverless-ossm-disabling-network-policies.adoc @@ -2,10 +2,11 @@ // // * /serverless/integrations/serverless-ossm-setup.adoc -:_content-type: PROCEDURE +:_mod-docs-content-type: PROCEDURE [id="serverless-ossm-disabling-network-policies_{context}"] = Disabling the default network policies +[role="_abstract"] The {ServerlessOperatorName} generates the network policies by default. To disable the default network policy generation, you can add the `serverless.openshift.io/disable-istio-net-policies-generation` annotation in the `KnativeEventing` and `KnativeServing` custom resources (CRs). .Prerequisites diff --git a/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc b/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc index c3895c00c203..0f76a1d8a2cc 100644 --- a/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc 
+++ b/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc @@ -1,7 +1,8 @@ -:_content-type: PROCEDURE +:_mod-docs-content-type: PROCEDURE [id="serverless-ossm-installing-and-configuring-openshift-serverless_{context}"] = Installing and configuring {ServerlessProductShortName} +[role="_abstract"] After installing {SMProductShortName}, you need to install {ServerlessProductShortName} with a specific configuration. .Procedure diff --git a/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc b/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc new file mode 100644 index 000000000000..d3a6ab086a3e --- /dev/null +++ b/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc 
@@ -0,0 +1,283 @@ +:_mod-docs-content-type: PROCEDURE +[id="serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x_{context}"] += Installing and configuring {SMProductShortName} 3.x + +[role="_abstract"] +You can integrate {SMProductShortName} 3.x with {ServerlessProductShortName} by installing and configuring the required Istio components, gateways, and Knative Serving resources. Once these resources are configured, you can deploy the Knative Serving instance with Istio enabled to ensure that your serverless workloads run within the {SMProductShortName} environment. + +.Procedure + +. Create an `Istio` resource in the `istio-system` namespace with the following configuration: ++ +[source,yaml] +---- +apiVersion: sailoperator.io/v1 +kind: Istio +metadata: + name: default +spec: + values: + meshConfig: + defaultConfig: + terminationDrainDuration: 35s # needed to make QP stop hook work + updateStrategy: + inactiveRevisionDeletionGracePeriodSeconds: 30 + type: InPlace + namespace: istio-system + version: v1.26-latest # this version value should param as it will depend on testing matrix of supported versions +---- + +. Apply the resource by running the following commands: ++ +[source,terminal] +---- +$ oc new-project istio-system +---- ++ +[source,terminal] +---- +$ oc apply -f istio.yaml +---- + +. Create an `IstioCNI` resource in the `istio-cni` namespace with the following configuration: ++ +[source,yaml] +---- +apiVersion: sailoperator.io/v1 +kind: IstioCNI +metadata: + name: default +spec: + namespace: istio-cni + version: v1.26-latest # Same version parameter as the Istio resource +---- + +. Apply the resource by running the following commands: ++ +[source,terminal] +---- +$ oc new-project istio-cni +---- ++ +[source,terminal] +---- +$ oc apply -f istio-cni.yaml +---- + +. 
Create a `Gateway Deployment` resource in the `knative-serving-ingress` namespace with the following configuration: ++ +[NOTE] +==== +The `knative-serving-ingress` namespace is created automatically when the Serverless Operator is installed. +You can manually create it if necessary. +==== ++ +[source,terminal] +---- +$ oc new-project knative-serving-ingress +---- + +. Create a file named `gateway-deploy.yaml` with the following configuration: ++ +[source,yaml] +---- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: knative-istio-ingressgateway + namespace: knative-serving-ingress +spec: + selector: + matchLabels: + knative: ingressgateway + template: + metadata: + annotations: + inject.istio.io/templates: gateway # Select the gateway injection template (rather than the default sidecar template) + labels: + knative: ingressgateway # Set a unique label for the gateway. This is required to ensure Gateways can select this workload + sidecar.istio.io/inject: "true" # Enable gateway injection. + spec: + containers: + - name: istio-proxy + image: auto # The image will automatically update each time the pod starts. + +--- +# Set up roles to allow reading credentials for TLS +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds + namespace: knative-serving-ingress +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds + namespace: knative-serving-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: + - kind: ServiceAccount + name: default +---- + +. Apply the resource by running the following commands: ++ +[source,terminal] +---- +$ oc apply -f gateway-deploy.yaml +---- + +. 
Create gateway resources for the Knative Serving component by creating a file named `serving-gateways.yaml` with the following configuration: ++ +[source,yaml] +---- +########################################################### +# cluster external +########################################################### +apiVersion: v1 +kind: Service +metadata: + name: knative-istio-ingressgateway + namespace: knative-serving-ingress +spec: + type: ClusterIP + selector: + knative: ingressgateway + ports: + - name: http2 + port: 80 + targetPort: 8080 + - name: https + port: 443 + targetPort: 8443 +--- +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: knative-ingress-gateway + namespace: knative-serving +spec: + selector: + knative: ingressgateway + servers: + - hosts: + - '*' + port: + name: https + number: 443 + protocol: HTTPS + tls: + credentialName: wildcard-certs + mode: SIMPLE +--- +########################################################### +# cluster local +########################################################### +apiVersion: v1 +kind: Service +metadata: + labels: + experimental.istio.io/disable-gateway-port-translation: "true" + name: knative-local-gateway + namespace: knative-serving-ingress +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8081 + selector: + knative: ingressgateway + type: ClusterIP +--- +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: knative-local-gateway + namespace: knative-serving +spec: + selector: + knative: ingressgateway + servers: + - hosts: + - '*' + port: + name: http + number: 8081 + protocol: HTTP +---- + +. Apply the resource by running the following commands: ++ +[source,terminal] +---- +$ oc apply -f serving-gateways.yaml +---- + +. 
Create a `PeerAuthentication` resource in the `istio-system` namespace to enforce mTLS across the mesh with the following configuration: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1 +kind: PeerAuthentication +metadata: + name: mesh-mtls + namespace: istio-system +spec: + mtls: + mode: STRICT +---- + +. Apply the resource by running the following commands: ++ +[source,terminal] +---- +$ oc apply -f peerauth.yaml +---- + +. Create a `KnativeServing` resource in the `knative-serving` namespace configured for {SMProductShortName} 3.x integration with the following configuration: ++ +[source,yaml] +---- +apiVersion: operator.knative.dev/v1beta1 +kind: KnativeServing +metadata: + name: knative-serving + namespace: knative-serving + annotations: + serverless.openshift.io/disable-istio-net-policies-generation: "true" +spec: + config: + istio: # point these to our own specific gateways now + gateway.knative-serving.knative-ingress-gateway: knative-istio-ingressgateway.knative-serving-ingress.svc.cluster.local + local-gateway.knative-serving.knative-local-gateway: knative-local-gateway.knative-serving-ingress.svc.cluster.local + deployments: + - name: activator + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + - name: autoscaler + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + ingress: + istio: + enabled: true +---- + +. Apply the resource by running the following commands: ++ +[source,terminal] +---- +$ oc apply -f knativeserving.yaml +---- \ No newline at end of file diff --git a/modules/serverless-ossm-verifying-installation-prerequisites.adoc b/modules/serverless-ossm-verifying-installation-prerequisites.adoc index 600fe896268a..9b03b0c5b4b1 100644 --- a/modules/serverless-ossm-verifying-installation-prerequisites.adoc +++ b/modules/serverless-ossm-verifying-installation-prerequisites.adoc 
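Review bot: The `istio-ingressgateway-sds` RoleBinding in the `gateway-deploy.yaml` listing grants `get`/`watch`/`list` on every Secret in `knative-serving-ingress` to the `default` ServiceAccount, and the Deployment sets no `serviceAccountName`, so any other pod scheduled in that namespace under the default account inherits read access to the TLS material. A dedicated ServiceAccount for the gateway, referenced from the pod spec and used as the RoleBinding subject, keeps the grant scoped to the proxy. Separately, the `Gateway` in `serving-gateways.yaml` references `credentialName: wildcard-certs` while living in `knative-serving`; Istio reads that secret from the namespace of the gateway workload, which here is `knative-serving-ingress`, so the text should say where the step that creates `wildcard-certs` (the included external-certs module, outside this hunk) must place it — worth confirming against that module.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: knative-istio-ingressgateway
  namespace: knative-serving-ingress
---
# … unchanged: Deployment metadata, selector and template annotations/labels …
    spec:
      serviceAccountName: knative-istio-ingressgateway
      containers:
        - name: istio-proxy
          image: auto
# … unchanged: Role istio-ingressgateway-sds …
# … unchanged: RoleBinding metadata and roleRef …
subjects:
  - kind: ServiceAccount
    name: knative-istio-ingressgateway
```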
@@ -1,7 +1,8 @@ -:_content-type: PROCEDURE +:_mod-docs-content-type: PROCEDURE [id="serverless-ossm-verifying-installation-prerequisites_{context}"] = Verifying installation prerequisites +[role="_abstract"] Before installing and configuring the {SMProductShortName} integration with {ServerlessProductShortName}, verify that the prerequisites have been met. .Procedure diff --git a/modules/serverless-ossm-verifying-the-integration.adoc b/modules/serverless-ossm-verifying-the-integration.adoc index 03f5ea1bf21b..1dfda0822c89 100644 --- a/modules/serverless-ossm-verifying-the-integration.adoc +++ b/modules/serverless-ossm-verifying-the-integration.adoc @@ -1,7 +1,8 @@ -:_content-type: PROCEDURE +:_mod-docs-content-type: PROCEDURE [id="serverless-ossm-verifying-the-integration_{context}"] = Verifying the integration +[role="_abstract"] After installing {SMProductShortName} and {ServerlessProductShortName} with Istio enabled, you can verify that the integration works. .Procedure diff --git a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc new file mode 100644 index 000000000000..d7c31b283c15 --- /dev/null +++ b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc 
@@ -0,0 +1,120 @@ +:_mod-docs-content-type: PROCEDURE +[id="serverless-ossm-verifying-the-ossm-3-x-integration_{context}"] += Verifying the integration setup for {SMProductShortName} 3.x + +[role="_abstract"] +After installing and configuring {SMProductShortName} 3.x with {ServerlessProductShortName}, you can verify that the integration is working correctly. This verification ensures that the Service Mesh components, gateways, and Knative Serving configuration are properly set up and that serverless workloads can communicate securely within the mesh. + +The folloiwng test deploys a simple Knative Service and verifies sidecar injection, mTLS compatibility, and passthrough via the ingress gateway. + +.Procedure + +. Verify Istio, Istio CNI, and Knative components are running, by entering the following commands: ++ +[source,terminal] +---- +$ oc get pods -n istio-system +---- ++ +[source,terminal] +---- +$ oc get pods -n istio-cni +---- ++ +[source,terminal] +---- +$ oc get pods -n knative-serving +---- + +. Verify gateway services exist by entering the following command: ++ +[source,terminal] +---- +$ oc get svc -n knative-serving-ingress +---- + +. Create a test namespace by entering the following command: ++ +[source,terminal] +---- +$ oc new-project demo +---- + +. Create the sample Knative Service manifest and Save as `hello-service.yaml` with the following configuration: ++ +[source,yaml] +---- +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + annotations: + serving.knative.openshift.io/enablePassthrough: "true" <1> + name: hello-service + namespace: demo +spec: + template: + metadata: + labels: + sidecar.istio.io/inject: "true" <2> + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" <3> + spec: + containers: + - env: + - name: RESPONSE + value: Hello Serverless! 
+ image: docker.io/openshift/hello-openshift +---- + +<1> `serving.knative.openshift.io/enablePassthrough: "true"` configures the ingress to allow TLS passthrough via the Istio gateway. +<2> `sidecar.istio.io/inject: "true"` ensures the Istio proxy is injected. +<3> `sidecar.istio.io/rewriteAppHTTPProbers: "true"` makes Knative health probes work with mTLS. + +. Apply the Knative Service by entering the following command: ++ +[source,terminal] +---- +$ oc apply -f hello-service.yaml +---- + +. Confirm sidecar injection and pod readiness by entering the following commands: ++ +[source,terminal] +---- +$ oc get pods -n demo +---- ++ +[source,terminal] +---- +$ oc get pod -n demo -l serving.knative.dev/service=hello-service -o jsonpath='{.items[0].spec.containers[*].name}{"\n"}' +---- + +. Fetch the service URL by entering the following commands: ++ +[source,terminal] +---- +$ oc get ksvc hello-service -n demo -o jsonpath='{.status.url}{"\n"}' +---- + +. Call the service by entering any one of the following commands: + +* Option A: If you have a trusted certificate set on the ingress domain, enter the folloing command: ++ +[source,terminal] +---- +$ curl https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' | sed 's#https://##') +---- + +* Option B: If you are using a custom or self-signed certificate, use -k or provide your CA file with --cacert by entering the following command ++ +[source,terminal] +---- +$ curl https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' | sed 's#https://##') +---- ++ +You should see an output similar to the following example: ++ +[source,terminal] +---- +Hello Serverless! +---- From ba79c03ef969eb6445b69c177a645c1cda5c6cc3 Mon Sep 17 00:00:00 2001 From: Kalyani Desai Date: Tue, 4 Nov 2025 15:59:39 +0530 Subject: [PATCH 2/7] SRVCOM-3999-Integrating-OSSM-3.x: Fixed a syntax issue --- modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
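Review bot: Option B in the "Call the service" step says to use `-k` or `--cacert`, but the command shown is byte-identical to Option A, so a reader with a self-signed or private CA gets a certificate verification failure from the exact command they were told to run. Show the CA-file form, `$ curl --cacert <path-to-ca.crt> https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' | sed 's#https://##')`, and mention `-k` only as the fallback, since it disables verification entirely. The same hunk has `folloiwng` and `folloing` for "following", and the sidecar-injection step would be clearer if it stated what confirms success, namely `istio-proxy` appearing in the container names printed by the jsonpath command.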
diff --git a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc index d7c31b283c15..e6b615471411 100644 --- a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc +++ b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc @@ -65,7 +65,7 @@ spec: value: Hello Serverless! image: docker.io/openshift/hello-openshift ---- - ++ <1> `serving.knative.openshift.io/enablePassthrough: "true"` configures the ingress to allow TLS passthrough via the Istio gateway. <2> `sidecar.istio.io/inject: "true"` ensures the Istio proxy is injected. <3> `sidecar.istio.io/rewriteAppHTTPProbers: "true"` makes Knative health probes work with mTLS. From cff105552774e836e752116cfe431b6081a59375 Mon Sep 17 00:00:00 2001 From: Kalyani Desai Date: Tue, 4 Nov 2025 16:02:57 +0530 Subject: [PATCH 3/7] SRVCOM-3999-Integrating-OSSM-3.x: Fixed a context --- .../serverless-integrating-ossm-3-x-setup.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc index 4b7a5e8b19c4..f8e7f93cfe1f 100644 --- a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc +++ b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc @@ -2,7 +2,7 @@ [id="serverless-integrating-ossm-3-x-setup"] = Integrating Service Mesh 3.x with OpenShift Serverless include::_attributes/common-attributes.adoc[] -:context: serverless-ossm-setup +:context: serverless-integrating-ossm-3-x-setup toc::[] From 924db530ab93b523afd81e61171141e8048f6297 Mon Sep 17 00:00:00 2001 
From: Kalyani Desai Date: Tue, 4 Nov 2025 16:17:18 +0530 Subject: [PATCH 4/7] SRVCOM-3999-Integrating-OSSM-3.x: fixed some build issues --- .../serverless-integrating-ossm-3-x-setup.adoc | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc index f8e7f93cfe1f..9f51b12eb303 100644 --- a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc +++ b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc @@ -38,10 +38,9 @@ To complete and verify these procedures in your deployment, you need either a ce include::modules/serverless-ossm-external-certs.adoc[leveloffset=+1] -// without kourier -[id="serverless-ossm-setup_integrating-ossm-with-serverless"] -== Integrating {SMProductShortName} with {ServerlessProductName} - +[id="configuring-verifying-ossm-3-x-integration-with-serverless"] +== Configuring and verifying {SMProductShortName} 3.x integration with {ServerlessProductName} + You can integrate {SMProductShortName} 3.x with {ServerlessProductName} to enable advanced traffic management, security, and observability for your serverless applications. This section provides the steps to verify prerequisites, install and configure both components, and confirm that the integration is functioning as expected. include::modules/serverless-ossm-verifying-installation-prerequisites.adoc[leveloffset=+2] 
@@ -52,10 +51,4 @@ include::modules/serverless-ossm-installing-and-configuring-openshift-serverless include::modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc[leveloffset=+2] -include::modules/serverless-ossm-disabling-network-policies.adoc[leveloffset=+1] - -[id="additional-resources_serverless-ossm-setup"] -[role="_additional-resources"] -== Additional resources -* link:https://access.redhat.com/articles/4912821[Red Hat OpenShift Serverless Supported Configurations] -* xref:../../knative-serving/kourier-and-istio-ingresses.adoc#kourier-and-istio-ingresses[Kourier and Istio ingresses] +include::modules/serverless-ossm-disabling-network-policies.adoc[leveloffset=+1] \ No newline at end of file From 9dd69e049b68e84c925eb9ae7fd4118e46cbb51f Mon Sep 17 00:00:00 2001 From: Kalyani Desai Date: Tue, 4 Nov 2025 16:26:57 +0530 Subject: [PATCH 5/7] SRVCOM-3999-Integrating-OSSM-3.x: fixed some build issues part 1 --- .../serverless-integrating-ossm-3-x-setup.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc index 9f51b12eb303..637eb3205eac 100644 --- a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc +++ b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc 
@@ -17,7 +17,7 @@ Note the following assumptions and limitations: * Changing the target `ServiceMeshMemberRoll` that {ServerlessProductName} is part of, meaning moving {ServerlessProductName} to another mesh, is not supported. The only way to change the targeted Service mesh is to uninstall and reinstall {ServerlessProductName}. -[id="prerequisites_serverless-ossm-setup"] +[id="prerequisites_serverless-integrating-ossm-3-x-setup"] == Prerequisites * You have access to an {product-title} account with cluster administrator access. From 979a97cf931981a6989e1aca81b7ac8389c6d52f Mon Sep 17 00:00:00 2001 From: Kalyani Desai Date: Tue, 18 Nov 2025 12:43:00 +0530 Subject: [PATCH 6/7] SRVCOM-3999-Integrating-OSSM-3.x: Incorporated SME and QE review feedbacks --- ...serverless-integrating-ossm-3-x-setup.adoc | 4 +- ...-and-configuring-openshift-serverless.adoc | 55 +++++++++------- ...onfiguring-openshift-service-mesh-3-x.adoc | 64 ++++--------------- ...sm-verifying-the-ossm-3-x-integration.adoc | 15 ++--- 4 files changed, 53 insertions(+), 85 deletions(-) diff --git a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc index 637eb3205eac..5099a5bf04cf 100644 --- a/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc +++ b/integrations/serverless-integrating-service-mesh/serverless-integrating-ossm-3-x-setup.adoc 
@@ -15,8 +15,6 @@ Note the following assumptions and limitations: * {ServerlessProductName} with {SMProductShortName} integration can only target *one* service mesh. Multiple meshes can be present in the cluster, but {ServerlessProductName} is only available on one of them. -* Changing the target `ServiceMeshMemberRoll` that {ServerlessProductName} is part of, meaning moving {ServerlessProductName} to another mesh, is not supported. The only way to change the targeted Service mesh is to uninstall and reinstall {ServerlessProductName}. - [id="prerequisites_serverless-integrating-ossm-3-x-setup"] == Prerequisites @@ -51,4 +49,4 @@ include::modules/serverless-ossm-installing-and-configuring-openshift-serverless include::modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc[leveloffset=+2] -include::modules/serverless-ossm-disabling-network-policies.adoc[leveloffset=+1] \ No newline at end of file +include::modules/serverless-ossm-disabling-network-policies.adoc[leveloffset=+1] diff --git a/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc b/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc index 0f76a1d8a2cc..8604c198e167 100644 --- a/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc +++ b/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc @@ -17,6 +17,8 @@ kind: KnativeServing metadata: name: knative-serving namespace: knative-serving + annotations: + serverless.openshift.io/disable-istio-net-policies-generation: "true" spec: ingress: istio: 
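Review bot: The new `serverless.openshift.io/disable-istio-net-policies-generation: "true"` annotation on the `KnativeServing` is added with no callout, so the reader is not told that it switches off the NetworkPolicy objects the Operator would otherwise generate, leaving isolation to the mesh's STRICT `PeerAuthentication` and any NetworkPolicy they manage themselves. Mark the line `serverless.openshift.io/disable-istio-net-policies-generation: "true" # <1>` and explain it with `<1> Disables the Operator's default NetworkPolicy generation; see the _Disabling the default network policies_ module, which applies the same annotation to the KnativeEventing resource.` The later hunk in this file does not visibly add the matching annotation to the `KnativeEventing`, and if this shared module is also included by the Service Mesh 2.x assembly the annotation now applies to that procedure too — both worth confirming. The enclosing listing starts and ends outside the hunk.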
@@ -61,28 +63,37 @@ metadata: spec: config: features: - istio: enabled <1> - workloads: <2> - - name: pingsource-mt-adapter - labels: - "sidecar.istio.io/inject": "true" - annotations: - "sidecar.istio.io/rewriteAppHTTPProbers": "true" - - name: imc-dispatcher - labels: - "sidecar.istio.io/inject": "true" - annotations: - "sidecar.istio.io/rewriteAppHTTPProbers": "true" - - name: mt-broker-ingress - labels: - "sidecar.istio.io/inject": "true" - annotations: - "sidecar.istio.io/rewriteAppHTTPProbers": "true" - - name: mt-broker-filter - labels: - "sidecar.istio.io/inject": "true" - annotations: - "sidecar.istio.io/rewriteAppHTTPProbers": "true" + istio: enabled # <1> + workloads: # <2> + - name: pingsource-mt-adapter + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + + - name: imc-dispatcher + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + + - name: mt-broker-ingress + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + + - name: mt-broker-filter + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + + - name: job-sink + labels: + sidecar.istio.io/inject: "true" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" ---- <1> Enable Eventing Istio controller to create a `DestinationRule` for each `InMemoryChannel` or `KafkaChannel` service. <2> Enable sidecar injection for Knative Eventing pods. diff --git a/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc b/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc index d3a6ab086a3e..2c08d23e7e87 100644 --- a/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc +++ b/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc 
@@ -19,12 +19,12 @@ spec: values: meshConfig: defaultConfig: - terminationDrainDuration: 35s # needed to make QP stop hook work + terminationDrainDuration: 35s updateStrategy: inactiveRevisionDeletionGracePeriodSeconds: 30 type: InPlace namespace: istio-system - version: v1.26-latest # this version value should param as it will depend on testing matrix of supported versions + version: v1.26-latest ---- . Apply the resource by running the following commands: @@ -49,7 +49,7 @@ metadata: name: default spec: namespace: istio-cni - version: v1.26-latest # Same version parameter as the Istio resource + version: v1.26-latest ---- . Apply the resource by running the following commands: @@ -66,12 +66,6 @@ $ oc apply -f istio-cni.yaml . Create a `Gateway Deployment` resource in the `knative-serving-ingress` namespace with the following configuration: + -[NOTE] -==== -The `knative-serving-ingress` namespace is created automatically when the Serverless Operator is installed. -You can manually create it if necessary. -==== -+ [source,terminal] ---- $ oc new-project knative-serving-ingress @@ -93,14 +87,14 @@ spec: template: metadata: annotations: - inject.istio.io/templates: gateway # Select the gateway injection template (rather than the default sidecar template) + inject.istio.io/templates: gateway <1> labels: - knative: ingressgateway # Set a unique label for the gateway. This is required to ensure Gateways can select this workload - sidecar.istio.io/inject: "true" # Enable gateway injection. + knative: ingressgateway <2> + sidecar.istio.io/inject: "true" <3> spec: containers: - name: istio-proxy - image: auto # The image will automatically update each time the pod starts. + image: auto <4> --- # Set up roles to allow reading credentials for TLS 
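Review bot: Dropping the `# needed to make QP stop hook work` comment from `terminationDrainDuration: 35s` removes the only rationale for a non-default value, so a reader tuning the `Istio` resource cannot tell the setting is tied to the Knative queue-proxy's stop handling (assuming QP meant queue-proxy — confirm with the review feedback that prompted the removal). Keep it as a rendered callout rather than a raw YAML comment: `terminationDrainDuration: 35s # <1>` with `<1> Required so the sidecar keeps draining until the Knative queue-proxy stop hook has completed.` The `version: v1.26-latest` comment about the supported-version matrix was removed in the same hunk and in the `IstioCNI` hunk below; since the value is now presented as fixed, state that it must be a version supported by the installed {SMProductName} 3.x Operator, or use a shared attribute for it.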
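Review bot: The callout markers introduced in the Deployment listing (`inject.istio.io/templates: gateway <1>`, `knative: ingressgateway <2>`, `sidecar.istio.io/inject: "true" <3>`, `image: auto <4>`) sit directly inside YAML values, so the block is no longer valid YAML if copied before rendering strips the conums. The later hunk in this series for the verification module writes them as `# <1>`, which keeps the listing parseable and is the comment-prefixed form Asciidoctor recognises. Use the same form here, for example `inject.istio.io/templates: gateway # <1>`.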
@@ -127,6 +121,11 @@ subjects:
 - kind: ServiceAccount
 name: default
 ----
++
+<1> Select the gateway injection template rather than the default sidecar template.
+<2> Set a unique label for the gateway. This is required to ensure Gateways can select this workload.
+<3> Enable gateway injection.
+<4> The image will automatically update each time the pod starts.
 . Apply the resource by running the following commands:
 +
@@ -242,42 +241,3 @@ spec:
 ----
 $ oc apply -f peerauth.yaml
 ----
-
-. Create a `KnativeServing` resource in the `knative-serving` namespace configured for {SMProductShortName} 3.x integration with the following configuration:
-+
-[source,yaml]
-----
-apiVersion: operator.knative.dev/v1beta1
-kind: KnativeServing
-metadata:
- name: knative-serving
- namespace: knative-serving
- annotations:
- serverless.openshift.io/disable-istio-net-policies-generation: "true"
-spec:
- config:
- istio: # point these to our own specific gateways now
- gateway.knative-serving.knative-ingress-gateway: knative-istio-ingressgateway.knative-serving-ingress.svc.cluster.local
- local-gateway.knative-serving.knative-local-gateway: knative-local-gateway.knative-serving-ingress.svc.cluster.local
- deployments:
- - name: activator
- labels:
- sidecar.istio.io/inject: "true"
- annotations:
- sidecar.istio.io/rewriteAppHTTPProbers: "true"
- - name: autoscaler
- labels:
- sidecar.istio.io/inject: "true"
- annotations:
- sidecar.istio.io/rewriteAppHTTPProbers: "true"
- ingress:
- istio:
- enabled: true
-----
-
-. Apply the resource by running the following commands:
-+
-[source,terminal]
-----
-$ oc apply -f knativeserving.yaml
-----
\ No newline at end of file
diff --git a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc
index e6b615471411..751047585333 100644
--- a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc
+++ b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc
@@ -48,22 +48,19 @@ apiVersion: serving.knative.dev/v1
 kind: Service
 metadata:
 annotations:
- serving.knative.openshift.io/enablePassthrough: "true" <1>
+ serving.knative.openshift.io/enablePassthrough: "true" # <1>
 name: hello-service
 namespace: demo
 spec:
 template:
 metadata:
 labels:
- sidecar.istio.io/inject: "true" <2>
+ sidecar.istio.io/inject: "true" # <2>
 annotations:
- sidecar.istio.io/rewriteAppHTTPProbers: "true" <3>
+ sidecar.istio.io/rewriteAppHTTPProbers: "true" # <3>
 spec:
 containers:
- - env:
- - name: RESPONSE
- value: Hello Serverless!
- image: docker.io/openshift/hello-openshift
+ - image: quay.io/openshift-knative/showcase
 ----
 +
 <1> `serving.knative.openshift.io/enablePassthrough: "true"` configures the ingress to allow TLS passthrough via the Istio gateway.
@@ -116,5 +113,7 @@ You should see an output similar to the following example:
 +
 [source,terminal]
 ----
-Hello Serverless!
+{"artifact":"knative-showcase","greeting":"Welcome"}
 ----
++
+The exact JSON values might vary, but the response should indicate that the `knative-showcase` application is running successfully.
From 1cb9c236044685d618fcc0fefce9dc4278878374 Mon Sep 17 00:00:00 2001
From: Kalyani Desai
Date: Tue, 18 Nov 2025 22:03:29 +0530
Subject: [PATCH 7/7] SRVCOM-3999-Integrating-OSSM-3.x: Incorporated SME and QE review feedbacks part 2
---
 ...sm-installing-and-configuring-openshift-serverless.adoc | 2 ++
 ...talling-and-configuring-openshift-service-mesh-3-x.adoc | 7 -------
 ...serverless-ossm-verifying-the-ossm-3-x-integration.adoc | 2 +-
 3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc b/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc
index 8604c198e167..f788b69f70ce 100644
--- a/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc
+++ b/modules/serverless-ossm-installing-and-configuring-openshift-serverless.adoc
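Review bot: `image: quay.io/openshift-knative/showcase` carries no tag or digest, so the verification Service deploys whichever image the repository's default tag resolves to at pull time; the documented response in the next hunk (`{"artifact":"knative-showcase","greeting":"Welcome"}`) is therefore not reproducible, and the reference image can change underneath readers without any edit to the docs. Pin it to the build the procedure was tested with, `image: quay.io/openshift-knative/showcase:<tested-tag>` or `image: quay.io/openshift-knative/showcase@sha256:<tested-digest>` (placeholders — fill in the value from your test run), and refresh it deliberately on the next doc review. The removed `RESPONSE` env var is not needed by the new image as far as this hunk shows, so nothing else appears lost.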
@@ -60,6 +60,8 @@ kind: KnativeEventing
 metadata:
 name: knative-eventing
 namespace: knative-eventing
+ annotations:
+ serverless.openshift.io/disable-istio-net-policies-generation: "true"
 spec:
 config:
 features:
diff --git a/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc b/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc
index 2c08d23e7e87..2630df846a0f 100644
--- a/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc
+++ b/modules/serverless-ossm-installing-and-configuring-openshift-service-mesh-3-x.adoc
@@ -64,13 +64,6 @@ $ oc new-project istio-cni
 $ oc apply -f istio-cni.yaml
 ----
-. Create a `Gateway Deployment` resource in the `knative-serving-ingress` namespace with the following configuration:
-+
-[source,terminal]
-----
-$ oc new-project knative-serving-ingress
-----
-
 . Create a file named `gateway-deploy.yaml` with the following configuration:
 +
 [source,yaml]
diff --git a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc
index 751047585333..db15d1df0750 100644
--- a/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc
+++ b/modules/serverless-ossm-verifying-the-ossm-3-x-integration.adoc
@@ -106,7 +106,7 @@ $ curl https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' |
 +
 [source,terminal]
 ----
-$ curl https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' | sed 's#https://##')
+$ curl --cacert https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' | sed 's#https://##')
 ----
 +
 You should see an output similar to the following example:
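Review bot: The added `serverless.openshift.io/disable-istio-net-policies-generation: "true"` annotation changes the network posture of the Eventing installation — by its name it stops the Serverless Operator from generating its Istio-related `NetworkPolicy` objects — yet the hunk adds no callout or sentence saying why a Service Mesh 3.x setup needs it or what now provides the isolation those policies gave (presumably the `PeerAuthentication` applied as `peerauth.yaml` in the Service Mesh module, which is outside this hunk). Because the line precedes the block's existing `# <1>` and `# <2>` callouts, it would become `<1>` and the others shift; the text could read `<1> Stops the Serverless Operator from generating its own Istio NetworkPolicy objects for Knative Eventing. With this annotation set, traffic restrictions for Eventing come from the mesh configuration applied in the earlier Service Mesh steps, so create this resource only after those steps are complete.` The rest of the `KnativeEventing` resource is outside the hunk.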
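Review bot: `$ curl --cacert https://$(...)` in the last hunk (`@@ -106,7 +106,7 @@`) is broken as written: `--cacert` takes a file path as its argument, so curl consumes the URL as the CA bundle path and is left with nothing to fetch. Pass the CA file and keep the URL as a separate argument, `$ curl --cacert <path-to-ca-bundle> https://$(oc get ksvc hello-service -n demo -o jsonpath='{.status.url}' | sed 's#https://##')`, and add a sentence telling the reader where that file comes from — I assume the TLS credentials configured for the gateway earlier in the procedure, which are outside this hunk. The hunk header shows an otherwise identical `curl` without `--cacert` a few lines earlier; if both commands are intentional, the text should say when each applies, and neither should be worked around with `-k`/`--insecure`, which would defeat the verification this step is meant to provide.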