Setting up custom ingress gateway

Knative uses a shared ingress Gateway to serve all incoming traffic within the Knative service mesh: the `knative-ingress-gateway` Gateway in the `knative-serving` namespace. By default it is backed by the Istio gateway service `istio-ingressgateway` in the `istio-system` namespace. You can replace that service with one of your own as follows.

Step 1: Create Gateway Service and Deployment Instance

You first need a gateway Service and a Deployment that handle the traffic. The simplest way is to copy the Gateway service template shipped with the Istio release and rename it.

Here is an example:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: custom-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways-1.0.1
    release: RELEASE-NAME
    heritage: Tiller
    app: custom-ingressgateway
    custom: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: custom-ingressgateway
    custom: ingressgateway
  ports:
    - name: http2
      nodePort: 32380
      port: 80
      targetPort: 80
    - name: https
      nodePort: 32390
      port: 443
    - name: tcp
      nodePort: 32400
      port: 31400
    - name: tcp-pilot-grpc-tls
      port: 15011
      targetPort: 15011
    - name: tcp-citadel-grpc-tls
      port: 8060
      targetPort: 8060
    - name: tcp-dns-tls
      port: 853
      targetPort: 853
    - name: http2-prometheus
      port: 15030
      targetPort: 15030
    - name: http2-grafana
      port: 15031
      targetPort: 15031
---
# This is the corresponding deployment to back the gateway service
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: custom-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways-1.0.1
    release: RELEASE-NAME
    heritage: Tiller
    app: custom-ingressgateway
    custom: ingressgateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: custom-ingressgateway
      custom: ingressgateway
  template:
    metadata:
      labels:
        app: custom-ingressgateway
        custom: ingressgateway
      annotations:
        sidecar.istio.io/inject: "false"
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.0.2"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15011
            - containerPort: 8060
            - containerPort: 853
            - containerPort: 15030
            - containerPort: 15031
          args:
            - proxy
            - router
            - -v
            - "2"
            - --discoveryRefreshDelay
            - "1s" #discoveryRefreshDelay
            - --drainDuration
            - "45s" #drainDuration
            - --parentShutdownDuration
            - "1m0s" #parentShutdownDuration
            - --connectTimeout
            - "10s" #connectTimeout
            - --serviceCluster
            - custom-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            - --statsdUdpAddress
            - istio-statsd-prom-bridge:9125
            - --proxyAdminPort
            - "15000"
            - --controlPlaneAuthPolicy
            - NONE
            - --discoveryAddress
            - istio-pilot:8080
          resources:
            requests:
              cpu: 10m
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-ingressgateway-service-account
            optional: true
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
```

Step 2: Update Knative Gateway

Edit the `knative-ingress-gateway` Gateway in the `knative-serving` namespace:

```shell
kubectl edit gateway knative-ingress-gateway -n knative-serving
```

Replace its label selector with the labels of your service. The default selector is:

```yaml
istio: ingressgateway
```

For the service above, it should be updated to:

```yaml
custom: ingressgateway
```

If your service exposes different ports from `istio-ingressgateway`, update the port information in the Gateway's servers accordingly.

Step 3: Update Gateway Configmap

Edit the `config-istio` ConfigMap in the `knative-serving` namespace:

```shell
kubectl edit configmap config-istio -n knative-serving
```

Replace the `ingress-gateway` field with the fully qualified in-cluster domain name of your service. For the service above, it should be updated to:

```
custom-ingressgateway.istio-system.svc.cluster.local
```
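The three edits above only work together when the Gateway selector, the Service selector and the `config-istio` entry all describe the same service. The following added check (example code, not Knative's or Istio's) encodes those three relationships over constructed Python dicts that mirror the parsed YAML from Steps 1 to 3; the Gateway's server port list is an assumed value, since the page does not show the Gateway body.

```python
"""Consistency check for wiring a custom Istio ingress gateway into Knative.
Constructed example; the dicts below mirror the parsed YAML of Steps 1 to 3."""

# Constructed: the custom Service from Step 1, reduced to the fields checked.
SERVICE = {
    "metadata": {"name": "custom-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "selector": {"app": "custom-ingressgateway", "custom": "ingressgateway"},
        "ports": [{"name": "http2", "port": 80}, {"name": "https", "port": 443}],
    },
}

# Constructed: the knative-ingress-gateway Gateway before and after the Step 2 edit
# (the single HTTP server on port 80 is an assumption, not from the page).
GATEWAY_BEFORE = {"spec": {"selector": {"istio": "ingressgateway"},
                           "servers": [{"port": {"number": 80, "protocol": "HTTP"}}]}}
GATEWAY_AFTER = {"spec": {"selector": {"custom": "ingressgateway"},
                          "servers": [{"port": {"number": 80, "protocol": "HTTP"}}]}}

# Constructed: config-istio data before and after the Step 3 edit.
CONFIG_BEFORE = {"ingress-gateway": "istio-ingressgateway.istio-system.svc.cluster.local"}
CONFIG_AFTER = {"ingress-gateway": "custom-ingressgateway.istio-system.svc.cluster.local"}


def check_wiring(service, gateway, config_data):
    """Return a list of problems; an empty list means the three objects agree."""
    problems = []
    svc_selector = service["spec"]["selector"]
    # Step 2: every label the Gateway selects on must also be one the Service
    # selects on, otherwise the Gateway binds to no proxy or to a different one.
    for key, value in gateway["spec"]["selector"].items():
        if svc_selector.get(key) != value:
            problems.append(f"gateway selector {key}={value} not in service selector")
    # Step 2 (ports): each Gateway server port must be exposed by the Service.
    svc_ports = {p["port"] for p in service["spec"]["ports"]}
    for server in gateway["spec"]["servers"]:
        number = server["port"]["number"]
        if number not in svc_ports:
            problems.append(f"gateway port {number} not exposed by service")
    # Step 3: config-istio must name the Service by its in-cluster FQDN.
    meta = service["metadata"]
    expected = f"{meta['name']}.{meta['namespace']}.svc.cluster.local"
    actual = config_data.get("ingress-gateway")
    if actual != expected:
        problems.append(f"ingress-gateway is {actual!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    print("before:", check_wiring(SERVICE, GATEWAY_BEFORE, CONFIG_BEFORE))
    print("after:", check_wiring(SERVICE, GATEWAY_AFTER, CONFIG_AFTER))
```

Run against live objects by feeding it the output of `kubectl get ... -o json` parsed with the `json` module; the same three checks apply.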