Container Service for Kubernetes: Use the Kourier gateway in Knative

Last Updated: Nov 17, 2025

The Kourier gateway is a lightweight, open-source gateway that is provided by the Knative community and based on the Envoy project. You can use the Kourier gateway to distribute traffic across Knative revisions and to configure gRPC services, timeouts and retries, Transport Layer Security (TLS) certificates, and external authorization services.

Prerequisites

Knative is deployed in your cluster. For more information, see Deploy and manage Knative.

Step 1: Deploy a Kourier gateway

You can configure Knative to use the Kourier gateway either when you first deploy Knative, or by modifying the configuration after deployment is complete.

For a new Knative installation

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left navigation pane, choose Applications > Knative.

  3. In the Add-on Component section of the Components tab, find Kourier and click Deploy in the Actions column. In the message that appears, click Confirm.

    The Status column of the Kourier component should display Deployed.

For an existing Knative installation

  1. Run the following command to open the config-network ConfigMap in your default editor:

    kubectl -n knative-serving edit configmap config-network

  2. In the editor, locate the ingress.class key under the data section and change its value to kourier.ingress.networking.knative.dev, as shown below:

    apiVersion: v1
    data:
      ...
      ingress.class: kourier.ingress.networking.knative.dev # Use the Kourier gateway
      ...
    kind: ConfigMap
    metadata:
      name: config-network
      namespace: knative-serving

  3. Save and close the file. The changes will be applied automatically by Kubernetes.

By default, the Kourier gateway creates an Internet-facing Classic Load Balancer (CLB); the annotation value defaults to internet. To create an internal-facing CLB instead, add the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type to the Kourier Service and set its value to intranet, as shown in the following example:

    apiVersion: v1
    kind: Service
    metadata:
      name: kourier
      namespace: knative-serving
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"   # Set this parameter to intranet to create an internal-facing CLB.
      ...
    spec:
      ports:
        - name: http2
          port: 80
          protocol: TCP
          targetPort: 8080
        - name: https
          port: 443
          protocol: TCP
          targetPort: 8443
      selector:
        app: 3scale-kourier-gateway
      type: LoadBalancer

Step 2: Use the Kourier gateway to access a Service

In this section, a Knative Service named helloworld-go is created to show how to use the Kourier gateway to access a Knative Service over HTTP or HTTPS.

Use the Kourier gateway to access a Knative Service over HTTP

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left navigation pane, choose Applications > Knative.

  3. On the Services tab of the Knative page, set Namespace to default, click Create from Template, copy the following YAML content to the template editor, and then click Create.

    The template creates a Service named helloworld-go.

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-go
    spec:
      template:
        spec:
          containers:
          - image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
            env:
            - name: TARGET
              value: "Knative"

    If the Status column of the Service displays Created, the Service is deployed.

  4. On the Services page, record the domain name and gateway IP address of the helloworld-go Service in the Default Domain and Gateway columns, respectively.

  5. Run the following command to access the Service named helloworld-go:

    curl -H "Host: helloworld-go.default.example.com" http://8.141.XX.XX # Specify the actual gateway IP address and domain name that you obtained.

    Expected output:

    Hello Knative!

    The output indicates that the Knative Service can be accessed over HTTP.

Use the Kourier gateway to access the Knative Service over HTTPS

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left navigation pane, choose Applications > Knative.

  3. On the Services tab of the Knative page, set Namespace to default, click Create from Template, copy the following YAML content to the template editor, and then click Create.

    The template creates a Service named helloworld-go.

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-go
    spec:
      template:
        spec:
          containers:
          - image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
            env:
            - name: TARGET
              value: "Knative"

    If the Status column of the Service displays Created, the Service is deployed.

  4. Create a certificate.

    1. Run the following commands to generate a self-signed TLS certificate:

      openssl genrsa -out tls.key 4096
      openssl req -subj "/CN=*.example.com/L=*.example.com" -sha256 -new -key tls.key -out tls.csr
      echo subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn > extfile.cnf
      openssl x509 -req -days 3650 -sha256 -in tls.csr -signkey tls.key -out tls.crt -extfile extfile.cnf

    2. Run the following command to create a Secret in the cluster based on the TLS certificate that you generated:

      kubectl -n knative-serving create secret tls kourier-cert --key tls.key --cert tls.crt

  5. Run the following command to check whether a Deployment named net-kourier-controller exists in the knative-serving namespace:

    kubectl get deployments -n knative-serving

  6. Run the following command to configure the certificate:

    kubectl -n knative-serving edit deployment net-kourier-controller

    In the editor, set the following environment variables in the net-kourier-controller Deployment:

    • CERTS_SECRET_NAMESPACE: Set the value to the namespace to which the Secret that you created belongs.

    • CERTS_SECRET_NAME: Set the value to the name of the Secret that you created.

    ...
        spec:
          containers:
          - env:
            - name: CERTS_SECRET_NAMESPACE
              value: knative-serving
            - name: CERTS_SECRET_NAME
              value: kourier-cert
    ...

    After the configuration is complete, run the following command to check the status of net-kourier-controller:

    kubectl -n knative-serving get po

    Expected output:

    NAME                               READY   STATUS    RESTARTS   AGE
    net-kourier-controller-******   1/1     Running   0          10s

  7. Run the following command to access the Knative Service over HTTPS:

    curl -H "Host: helloworld-go.default.example.com" -k --cert tls.crt --key tls.key https://8.141.XX.XX # Specify the actual gateway IP address and domain name that you obtained.

    Expected output:

    Hello Knative!

    The output indicates that the Knative Service can be accessed over HTTPS.
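
The following check is an added example, not part of the original documentation. It audits the three objects edited in Step 1 and Step 2 (the config-network ConfigMap, the kourier Service, and the net-kourier-controller Deployment) for the ingress class, the CLB address type, and the certificate Secret settings. The function name audit_kourier and the sample objects are constructed for illustration; real input is assumed to come from `kubectl -n knative-serving get <kind> <name> -o json`.

```python
import json

KOURIER_CLASS = "kourier.ingress.networking.knative.dev"
ADDR_TYPE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"


def audit_kourier(configmap, service, deployment):
    """Return findings for the objects this page edits (parsed `kubectl get -o json`)."""
    findings = []

    ingress_class = configmap.get("data", {}).get("ingress.class")
    if ingress_class != KOURIER_CLASS:
        findings.append(f"config-network: ingress.class is {ingress_class!r}, not Kourier")

    # A missing annotation means the default, which this page gives as "internet".
    annotations = service.get("metadata", {}).get("annotations") or {}
    addr_type = annotations.get(ADDR_TYPE, "internet")
    if addr_type != "intranet":
        ports = [p["port"] for p in service.get("spec", {}).get("ports", [])]
        findings.append(f"kourier Service: {addr_type}-facing CLB exposes ports {ports}")

    # Collect plain-value env vars across all containers of net-kourier-controller.
    env = {}
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers", []):
        for var in container.get("env") or []:
            env[var["name"]] = var.get("value")
    for name in ("CERTS_SECRET_NAMESPACE", "CERTS_SECRET_NAME"):
        if not env.get(name):
            findings.append(f"net-kourier-controller: {name} is not set")
    return findings


# Constructed sample objects, trimmed to the fields the audit reads.
SAMPLE_CONFIGMAP = json.loads('{"data": {"ingress.class": "kourier.ingress.networking.knative.dev"}}')
SAMPLE_SERVICE = json.loads("""{
  "metadata": {"name": "kourier", "annotations": {}},
  "spec": {"type": "LoadBalancer", "ports": [{"name": "http2", "port": 80}, {"name": "https", "port": 443}]}
}""")
SAMPLE_DEPLOYMENT = json.loads("""{
  "spec": {"template": {"spec": {"containers": [
    {"env": [{"name": "CERTS_SECRET_NAMESPACE", "value": "knative-serving"}]}
  ]}}}
}""")

if __name__ == "__main__":
    for finding in audit_kourier(SAMPLE_CONFIGMAP, SAMPLE_SERVICE, SAMPLE_DEPLOYMENT):
        print("FINDING:", finding)
```

On the constructed sample, the audit reports the Internet-facing CLB (no annotation, so the default applies) and the missing CERTS_SECRET_NAME variable.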

(Optional) Step 3: View the Knative monitoring dashboard

Knative provides out-of-the-box monitoring features. On the Knative page, click the Monitoring Dashboards tab to view the monitoring data of the specified Service. For more information about how to enable the Knative monitoring dashboard, see View the Knative monitoring dashboard.
