/net-kourier

Primary LanguageGoApache License 2.0Apache-2.0

Kourier

CircleCI Docker Repository on Quay

Kourier is an Ingress for Knative. A deployment of Kourier consists of an Envoy proxy and a control plane for it. Kourier is meant to be a lightweight replacement for the Istio ingress. In the future, it will provide API management capabilities.

Kourier is passing the knative serving e2e and conformance tests: Kourier Testgrid.

Getting started

  • Install Knative Serving, ideally without Istio by using the "serving-core.yaml":
kubectl apply -f https://github.com/knative/serving/releases/download/v0.9.0/serving-core.yaml
  • Then install Kourier:
kubectl apply -f deploy/kourier-knative.yaml
  • Configure Knative Serving to use the proper "ingress.class":
kubectl patch configmap/config-network \
  -n knative-serving \
  --type merge \
  -p '{"data":{"clusteringress.class":"kourier.ingress.networking.knative.dev",
               "ingress.class":"kourier.ingress.networking.knative.dev"}}'
  • (OPTIONAL) Set your desired domain (replace 127.0.0.1.nip.io to your prefered domain):
 kubectl patch configmap/config-domain \
  -n knative-serving \
  --type merge \
  -p '{"data":{"127.0.0.1.nip.io":""}}'
  • (OPTIONAL) Deploy a sample hello world app:
kubectl apply -f ./samples/helloworld-go.yaml
  • (OPTIONAL) For testing purposes, you can use port-forwarding to make requests to Kourier from your machine:
kubectl port-forward --namespace kourier-system $(kubectl get pod -n kourier-system -l "app=3scale-kourier-gateway" --output=jsonpath="{.items[0].metadata.name}") 8080:8080 19000:19000 8443:8443

curl -v -H "Host: helloworld-go.default.127.0.0.1.nip.io" http://localhost:8080

Features

  • Traffic splitting between Knative revisions.
  • Automatic update of endpoints as they are scaled.
  • Support for gRPC services.
  • Timeouts and retries.
  • TLS
  • External Authorization support.

Setup TLS certificate

Create a secret containing your TLS certificate and Private key:

kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}

Add the following env vars to 3scale-Kourier in the "kourier" container :

CERTS_SECRET_NAMESPACE: ${NAMESPACES_WHERE_THE_SECRET_HAS_BEEN_CREATED}
CERTS_SECRET_NAME: ${CERT_NAME}

External Authorization Configuration

If you want to enable the external authorization support you can set these ENV vars in the 3scale-kourier-control deployment:

  • KOURIER_EXTAUTHZ_HOST*: The external authorization service and port, my-auth:2222
  • KOURIER_EXTAUTHZ_FAILUREMODEALLOW*: Allow traffic to go through if the ext auth service is down. Accepts true/false
  • KOURIER_EXTAUTHZ_MAXREQUESTBYTES: Max request bytes, if not set, defaults to 8192 Bytes. More info Envoy Docs
  • KOURIER_EXTAUTHZ_TIMEOUT: Max time in ms to wait for the ext authz service. Defaults to 2s.

* Required

Development

  • Run the test suite:
make test
  • Run only the unit or the integration tests:
make test-unit
make test-integration
  • Set up a local environment with Knative running on top of k3s:
make local-setup
  • Run make help for the complete list of make targets available.

License

Apache 2.0 License