Setting up custom ingress gateway

Knative uses a shared ingress Gateway to serve all incoming traffic within Knative service mesh, which is the knative-ingress-gateway Gateway under the knative-serving namespace. By default, we use Istio gateway service istio-ingressgateway under istio-system namespace as its underlying service. You can replace the service with that of your own as follows.

Step 1: Create Gateway Service and Deployment Instance

You’ll need to create the gateway service and deployment instance to handle traffic first. Let’s say you customized the default istio-ingressgateway to custom-ingressgateway as follows.

  1. apiVersion: install.istio.io/v1alpha1
  2. kind: IstioOperator
  3. spec:
  4.   values:
  5.     global:
  6.       proxy:
  7.         autoInject: disabled
  8.       useMCP: false
  9.       # The third-party-jwt is not enabled on all k8s.
  10.       # See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
  11.       jwtPolicy: first-party-jwt
  13.   addonComponents:
  14.     pilot:
  15.       enabled: true
  16.     prometheus:
  17.       enabled: false
  19.   components:
  20.     ingressGateways:
  21.       - name: custom-ingressgateway
  22.         enabled: true
  23.         namespace: custom-ns
  24.         label:
  25.           istio: custom-gateway

Step 2: Update Knative Gateway

Update gateway instance knative-ingress-gateway under knative-serving namespace:

  1. kubectl edit gateway knative-ingress-gateway -n knative-serving

Replace the label selector with the label of your service:

  1. istio: ingressgateway

For the service above, it should be updated to:

  1. istio: custom-gateway

If there is a change in service ports (compared with that of istio-ingressgateway), update the port info in the gateway accordingly.

Step 3: Update Gateway Configmap

Update gateway configmap config-istio under knative-serving namespace:

  1. kubectl edit configmap config-istio -n knative-serving

Replace the istio-ingressgateway.istio-system.svc.cluster.local field with the fully qualified url of your service.

  1. gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"

For the service above, it should be updated to:

  1. gateway.knative-serving.knative-ingress-gateway: custom-ingressgateway.custom-ns.svc.cluster.local