Kourier

Kourier is an Ingress for Knative Serving. Kourier is a lightweight alternative for the Istio ingress as its deployment consists only of an Envoy proxy and a control plane for it.

Kourier is passing the knative serving e2e and conformance tests: Kourier Testgrid.

• Getting started
• Features
• Deployment
• Development
• License

Getting started

• Install Knative Serving, ideally without Istio:

kubectl apply -f https://github.com/knative/serving/releases/download/v0.17.0/serving-crds.yaml
kubectl apply -f https://github.com/knative/serving/releases/download/v0.17.0/serving-core.yaml

• Then install Kourier:

kubectl apply -f https://github.com/knative/net-kourier/releases/download/v0.17.0/kourier.yaml

• Configure Knative Serving to use the proper "ingress.class":

kubectl patch configmap/config-network \
  -n knative-serving \
  --type merge \
  -p '{"data":{"ingress.class":"kourier.ingress.networking.knative.dev"}}'

• (OPTIONAL) Set your desired domain (replace 127.0.0.1.nip.io to your preferred domain):

kubectl patch configmap/config-domain \
  -n knative-serving \
  --type merge \
  -p '{"data":{"127.0.0.1.nip.io":""}}'

• (OPTIONAL) Deploy a sample hello world app:

cat <<-EOF | kubectl apply -f -
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
      - image: gcr.io/knative-samples/helloworld-go
        env:
        - name: TARGET
          value: Go Sample v1
EOF

• (OPTIONAL) For testing purposes, you can use port-forwarding to make requests to Kourier from your machine:

kubectl port-forward --namespace kourier-system $(kubectl get pod -n kourier-system -l "app=3scale-kourier-gateway" --output=jsonpath="{.items[0].metadata.name}") 8080:8080 19000:19000 8443:8443

curl -v -H "Host: helloworld-go.default.127.0.0.1.nip.io" http://localhost:8080

Deployment

By default, the deployment of the Kourier components is split between two different namespaces:

• Kourier control is deployed in the knative-serving namespace
• The kourier gateways are deployed in the kourier-system namespace

To change the Kourier gateway namespace, you will need to:

• Modify the files in config/ and replace all the namespaces fields that have kourier-system with the desired namespace.
• Set the KOURIER_GATEWAY_NAMESPACE env var in the kourier-control deployment to the new namespace.

Features

• Traffic splitting between Knative revisions.
• Automatic update of endpoints as they are scaled.
• Support for gRPC services.
• Timeouts and retries.
• TLS
• External Authorization support.

Setup TLS certificate

Create a secret containing your TLS certificate and Private key:

kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}

Add the following env vars to 3scale-Kourier in the "kourier" container :

CERTS_SECRET_NAMESPACE: ${NAMESPACES_WHERE_THE_SECRET_HAS_BEEN_CREATED}
CERTS_SECRET_NAME: ${CERT_NAME}

External Authorization Configuration

If you want to enable the external authorization support you can set these ENV vars in the 3scale-kourier-control deployment:

• KOURIER_EXTAUTHZ_HOST*: The external authorization service and port, my-auth:2222
• KOURIER_EXTAUTHZ_FAILUREMODEALLOW*: Allow traffic to go through if the ext auth service is down. Accepts true/false
• KOURIER_EXTAUTHZ_MAXREQUESTBYTES: Max request bytes, if not set, defaults to 8192 Bytes. More info Envoy Docs
• KOURIER_EXTAUTHZ_TIMEOUT: Max time in ms to wait for the ext authz service. Defaults to 2s.

* Required

Development

• Run the test suite:

make test

• Run only the unit or the integration tests:

make test-unit
make test-integration

• Set up a local environment with Knative running on top of kind (needs both kind and ko installed):

make local-setup

• Run make help for the complete list of make targets available.

License

Apache 2.0 License