The Kourier gateway is a lightweight gateway that is based on the Envoy project. You can use the Kourier gateway to distribute traffic across Knative revisions and configure gRPC services, timeouts and retries, Transport Layer Security (TLS) certificates, and external authorization services. This topic describes how to use the Kourier gateway in Knative.
Prerequisites
An ACK Serverless cluster or ACK managed cluster is created. For more information, see Create an ACK Serverless cluster and Create an ACK managed cluster.
PrivateZone is enabled for the ACK Serverless cluster. For more information, see DNS for Service discovery.
Knative is deployed in your cluster. For more information, see Manage Knative.
Step 1: Deploy a Kourier gateway
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
In the Add-on Component section of the Components tab, find Kourier and click Deploy in the Actions column. In the message that appears, click Confirm.
If the Status column of the Kourier component displays Deployed, the component is deployed.
Step 2: Use the Kourier gateway to access a Service
In this example, a Knative Service named helloworld-go is used.
Scenario 1: Use the Kourier gateway to access a Knative Service over HTTP
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Services tab of the Knative page, set Namespace to default, click Create from Template, copy the following YAML content to the template editor, and then click Create.
The template creates a Service named helloworld-go.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
        env:
        - name: TARGET
          value: "Knative"
If the Status column of the Service displays Created, the Service is deployed.
On the Services page, record the domain name and gateway IP address of the helloworld-go Service in the Default Domain and Gateway columns, respectively.
Run the following command to access the helloworld-go Service:
curl -H "host: helloworld-go.default.example.com" http://8.141.XX.XX # Specify the actual gateway IP address and domain name that you obtained.
Expected output:
Hello Knative!
The output indicates that the Knative Service can be accessed over HTTP.
Scenario 2: Use the Kourier gateway to access the Knative Service over HTTPS
The template creates a Service named helloworld-go. For more information, see Step 3.
Generate a TLS certificate.
Run the following commands to generate a TLS certificate:
openssl genrsa -out tls.key 4096
openssl req -subj "/CN=*.example.com/L=*.example.com" -sha256 -new -key tls.key -out tls.csr
echo subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in tls.csr -signkey tls.key -out tls.crt -extfile extfile.cnf
Run the following command to create a Secret in the cluster based on the TLS certificate that you generated:
kubectl -n knative-serving create secret tls kourier-cert --key tls.key --cert tls.crt
Run the following command to check whether a Deployment named net-kourier-controller exists in the knative-serving namespace:
kubectl get deployments -n knative-serving
Run the following command to configure the certificate:
kubectl -n knative-serving edit deployment net-kourier-controller
On the net-kourier-controller configuration page, specify the following parameters:
CERTS_SECRET_NAMESPACE: Set the value to the namespace to which the Secret that you created belongs.
CERTS_SECRET_NAME: Set the value to the name of the Secret that you created.
...
spec:
  containers:
  - env:
    - name: CERTS_SECRET_NAMESPACE
      value: knative-serving
    - name: CERTS_SECRET_NAME
      value: kourier-cert
...
Run the following command to check the status of net-kourier-controller:
kubectl -n knative-serving get po
Expected output:
NAME                            READY   STATUS    RESTARTS   AGE
net-kourier-controller-******   1/1     Running   0          10s
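Run the following command to access the Knative Service over HTTPS. The -k option makes curl skip server certificate verification, so this command confirms only that the gateway serves TLS, not that it presents the expected certificate.
curl -H "host: helloworld-go.default.example.com" -k --cert tls.crt --key tls.key https://8.141.XX.XX # Specify the actual gateway IP address and domain name that you obtained.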
Expected output:
Hello Knative!
The output indicates that the Knative Service can be accessed over HTTPS.
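The certificate files generated in Scenario 2 can be checked locally before they are stored in the kourier-cert Secret. The following script is an added example, not part of the original topic: it checks that the SAN list covers the Service domain, that tls.key belongs to tls.crt, and that the certificate is not close to expiry. The function names are hypothetical, and the script assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (hypothetical function names): pre-flight checks for the
# files that back the kourier-cert Secret.
# Typical use in the directory that holds the generated files:
#   preflight tls.crt tls.key helloworld-go.default.example.com

# Succeeds only if the certificate's SAN list covers the host. When a DNS SAN
# is present, the CN is ignored, so CN=*.example.com alone does not help.
cert_covers_host() {  # usage: cert_covers_host <cert.pem> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {  # usage: key_matches_cert <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid <days> days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

preflight() {  # usage: preflight <cert.pem> <key.pem> <service-domain>
    cert_covers_host "$1" "$3" || { echo "FAIL: SAN does not cover $3"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match cert"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: expires within 30 days"; return 1; }
    echo "OK: $1 is usable for $3"
}

# Constructed sample: builds a throwaway certificate with the same subject and
# SAN as the commands in this topic (2048-bit key to keep the demo fast).
make_sample_cert() {  # usage: make_sample_cert <dir>
    ( cd "$1" &&
      openssl genrsa -out tls.key 2048 2>/dev/null &&
      openssl req -subj "/CN=*.example.com/L=*.example.com" -sha256 -new \
          -key tls.key -out tls.csr &&
      echo "subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn" > extfile.cnf &&
      openssl x509 -req -days 3650 -sha256 -in tls.csr -signkey tls.key \
          -out tls.crt -extfile extfile.cnf 2>/dev/null )
}
```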