├── LICENSE
├── README.md
├── assets
│   ├── README.md
│   ├── knative-gloo-fargate-first-batch.yaml
│   └── knative-gloo-fargate-second-batch.yaml
└── images
    ├── knative-on-fargate.png
    └── knative-on-fargate.pptx

/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!) The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a file or class name and description of
      purpose be included on the same "printed page" as the copyright
      notice for easier identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
### Background

The industry of OSS projects that abstract a container orchestrator interface and provide the illusion of a FaaS (Function as a Service) experience is flourishing.

A good example of this is [OpenFaaS](https://www.openfaas.com/). As of late, OpenFaaS has evolved to support AWS Fargate as a polyglot and orchestrator-agnostic serverless platform to run containers at scale. Today you can run OpenFaaS on [EKS/Fargate](https://blog.alexellis.io/nodeless-openfaas-with-aws-eks-and-fargate/) as well as [ECS/Fargate](https://www.openfaas.com/blog/openfaas-on-fargate/). If you are not familiar with AWS Fargate, [this blog post about its role in the container world](https://aws.amazon.com/blogs/containers/the-role-of-aws-fargate-in-the-container-world/) may be helpful.

This repo outlines how to set up a similar experience using [Knative](https://knative.dev/) (a Google-owned OSS project) on top of EKS/Fargate. Since Knative is limited in scope to abstracting Kubernetes clusters only, it cannot be used with other container orchestrators.

### High level architecture

This repo allows the reader to set up the following architecture:

![knative-on-fargate](./images/knative-on-fargate.png)

### Why EKS/Fargate?

Since Amazon EKS is built on the premise of using standard upstream Kubernetes, setting up Knative on EKS/EC2 is trivial. If a user were to set up Knative with Gloo on an EKS cluster with EC2 worker nodes, [these instructions](https://knative.dev/docs/install/knative-with-gloo/) would suffice.

However, a solution that provides a FaaS orchestration abstraction without dealing with virtual machines is appealing to users aiming for a fully serverless experience. If you want more background about the problems EKS/Fargate can solve, [this re:Invent session](https://www.youtube.com/watch?v=m-3tMXmWWQw) is a good start.

In addition to removing infrastructure management, AWS Fargate provides the foundational building blocks for a `scale to zero` experience. Knative is one of the tools that can enable that on top of Fargate.

### Getting started

#### Getting ready and pre-requisites

The procedure below sets up Knative with Gloo support on an EKS control plane enabled to deploy on AWS Fargate (with no EC2 worker nodes): a fully serverless setup.

Because Fargate introduces some peculiarities, these steps shadow [these instructions](https://knative.dev/docs/install/knative-with-gloo/) while adapting them to the environment.

As a prerequisite, you need an AWS account and a client environment with a series of tools (e.g. proper AWS credentials, the AWS CLI, kubectl, eksctl, etc.). The instructions below assume the use of [eksutils](https://github.com/mreferre/eksutils), although you can achieve the same result in any environment with the proper tools installed.

The starting point for us is a Cloud9 instance with proper administrative IAM credentials configured. At the prompt launch:
```
docker run -it --rm --network host -v $HOME/.aws:/root/.aws -v $HOME/.kube:/root/.kube -v $HOME/environment:/environment -v /var/run/docker.sock:/var/run/docker.sock mreferre/eksutils:latest
```

#### Creating and configuring the EKS cluster

Inside the `eksutils` shell, set a few variables we will need later:
```
export REGION=eu-west-1
export CLUSTERNAME=eksfargate
```

Now create an EKS cluster with some default Fargate profiles activated. This will take a few minutes:
```
eksctl create cluster --name=$CLUSTERNAME --region=$REGION --fargate
```

Because Knative and Gloo deploy into specific namespaces (namely `gloo-system` and `knative-serving`), we need to explicitly set up a Fargate profile that matches each of them, so that the setup can start pods on Fargate:
```
eksctl create fargateprofile --namespace gloo-system --cluster $CLUSTERNAME --region=$REGION --name fp-gloo-system
eksctl create fargateprofile --namespace knative-serving --cluster $CLUSTERNAME --region=$REGION --name fp-knative-serving
```

#### Creating and configuring the ALB ingress

The Knative with Gloo setup routines deploy a Classic Load Balancer on a traditional EKS deployment. Because EKS/Fargate can't work with the CLB (there are no EC2 instances), we need to modify the setup to leverage the Application Load Balancer.

First we need to deploy the ALB ingress controller.
These commands are based on the [Amazon EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) that covers how to use the ALB (specifically in the context of Fargate). The controller gets its AWS permissions through an IAM role for service accounts bound to the cluster's OIDC provider, which is why the first command associates that provider. Note that the policy ARN in the `eksctl create iamserviceaccount` command carries the account ID of the setup used to write these instructions (`693935722839`): replace it with the ARN printed by your own `aws iam create-policy` call.
```
eksctl utils associate-iam-oidc-provider --region $REGION --cluster $CLUSTERNAME --approve
curl -sS https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/iam-policy.json > albiampolicy.json && aws iam create-policy --policy-name ALBIngressControllerIAMPolicy --policy-document file://albiampolicy.json
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml
eksctl create iamserviceaccount --region $REGION --name alb-ingress-controller --namespace kube-system --cluster $CLUSTERNAME --attach-policy-arn arn:aws:iam::693935722839:policy/ALBIngressControllerIAMPolicy --override-existing-serviceaccounts --approve
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/alb-ingress-controller.yaml
```

At this point the ingress controller deployment needs to be edited to inject the information it requires to work properly. To do so, run the following command:
```
kubectl edit deployment.apps/alb-ingress-controller -n kube-system
```

Add the cluster name, VPC id and region of your own setup:
```
spec:
  containers:
  - args:
    - --ingress-class=alb
    - --cluster-name=
    - --aws-vpc-id=
    - --aws-region=
```

Save and exit.

#### Preparing the assets for the Knative and Gloo setup

The standard setup command (`glooctl install knative`) is a black box that installs Knative and Gloo leveraging the Classic Load Balancer. Because EKS/Fargate doesn't support it, we need a way to inject the ALB instead. In addition to this, we need to customize other things that `glooctl` does by default.

*Note*: this repo ships with the two assets you need to deploy Knative and Gloo on EKS/Fargate. They are the `knative-gloo-fargate-first-batch.yaml` and `knative-gloo-fargate-second-batch.yaml` files, located in the [assets](./assets/) folder. If you are interested in understanding how these assets have been generated, you can read [this deep dive](./assets/README.md), which lets you re-create them from scratch (if you ever need to).


#### Deploying the assets and setting up Knative and Gloo

We are now at the point where we can apply the Knative and Gloo assets. Before you do so, clone this repo by running the following `git` command:
```
git clone http://github.com/mreferre/knative-on-fargate
```

Run the following command:
```
kubectl apply -f ./knative-on-fargate/assets/knative-gloo-fargate-first-batch.yaml
```

Wait a few seconds and then run the following command:
```
kubectl apply -f ./knative-on-fargate/assets/knative-gloo-fargate-second-batch.yaml
```

Splitting the creation of the Kubernetes resources is required to avoid race conditions introduced by this deployment mechanism.

#### Customizing the domain the application will be exposed on

Inspect the name of the ALB ingress that has been initialized:
```
kubectl get ingress -A
NAMESPACE     NAME                     HOSTS   ADDRESS                                                                  PORTS   AGE
gloo-system   knative-external-proxy   *       b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com   80      4m10s
```

Customize the domain in the config map with this command:
```
kubectl edit cm config-domain --namespace knative-serving
```

Add the ALB address as a key under `data`, in the position shown below:
```
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com: ""
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
```

Save and exit.

At this point you should have all the plumbing ready to go. Time to move to deploying a demo workload. You have the option of deploying your demo workload using a `scale to zero` strategy or deploying the same demo workload using a strategy that avoids cold starts.


#### Deploying an application that scales to zero on Fargate

The characteristic of this demo application deployment is that it scales to zero a few seconds after the endpoint stops receiving requests. This means that the next call (after having scaled to zero) will experience a cold start and take a minute or so to respond.

Create this `mywebapp-scales-to-zero.yaml` file:

```
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: mywebapp-scalestozero
  namespace: default
spec:
  template:
    spec:
      containers:
        - image: mreferre/nginx-custom-site:0.2.1
          env:
            - name: INDEX_HTML_CONTENT
              value: "This is my web app running on Knative/Fargate that scales to zero"
            - name: HTTP_PORT
              value: "8080"
      timeoutSeconds: 300
```

Apply the file:
```
kubectl apply -f mywebapp-scales-to-zero.yaml
```

Inspect the Knative service deployed.
Note it may take a minute or so to become `READY`:
```
kubectl get ksvc mywebapp-scalestozero
NAME                    URL                                                                                                                   LATESTCREATED                 LATESTREADY                   READY   REASON
mywebapp-scalestozero   http://mywebapp-scalestozero.default.b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com   mywebapp-scalestozero-jqmjj   mywebapp-scalestozero-jqmjj   True
```

Knative routes requests by hostname, so the URL above has to be split in two for the request: the full hostname goes into a `Host` header (`-H`), while the ALB FQDN (the part after `<name>.<namespace>.`) is what `curl` actually connects to:
```
curl -H 'Host: mywebapp-scalestozero.default.b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com' http://b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com
This is my web app running on Knative/Fargate that scales to zero
```

#### Deploying an application without cold starts

The characteristic of this demo application deployment is that it doesn't scale to zero: it always keeps, at a minimum, one pod up and running to avoid cold starts.

Create this `mywebapp-no-cold-starts.yaml` file:

```
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: mywebapp-nocoldstarts
  namespace: default
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
    spec:
      containers:
        - image: mreferre/nginx-custom-site:0.2.1
          env:
            - name: INDEX_HTML_CONTENT
              value: "This is my web app running on Knative/Fargate with no cold starts"
            - name: HTTP_PORT
              value: "8080"
      timeoutSeconds: 300
```

Apply the file:
```
kubectl apply -f mywebapp-no-cold-starts.yaml
```

Inspect the Knative service deployed.
Note it may take a minute or so to become `READY` the first time:
```
kubectl get ksvc mywebapp-nocoldstarts
NAME                    URL                                                                                                                   LATESTCREATED                 LATESTREADY                   READY   REASON
mywebapp-nocoldstarts   http://mywebapp-nocoldstarts.default.b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com   mywebapp-nocoldstarts-dlrgg   mywebapp-nocoldstarts-dlrgg   True
```

Split the URL the same way, with the full hostname in the `Host` header and the ALB FQDN as the target:
```
curl -H 'Host: mywebapp-nocoldstarts.default.b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com' http://b497c7f1-gloosystem-knativ-677e-1291493325.eu-west-1.elb.amazonaws.com
This is my web app running on Knative/Fargate with no cold starts
```


--------------------------------------------------------------------------------
/assets/README.md:
--------------------------------------------------------------------------------

This folder contains the assets that have been pre-created for you to deploy Knative on AWS Fargate. The instructions below detail how these files were created. They are only useful if you need to re-create the files (or want to understand all the details regarding how they were created). Otherwise you can just follow the [main instructions](../README.md).

To begin with, you have to generate the YAML file with a dry run of the `glooctl` command and manually adjust a few things. You can generate the file by launching this command:
```
glooctl install knative --dry-run > knative-gloo-fargate.yaml
```

Open the `knative-gloo-fargate.yaml` file in an editor.
Locate the `knative-external-proxy` Kubernetes Service and change its type from `LoadBalancer` to `NodePort`:
```
apiVersion: v1
kind: Service
metadata:
  labels:
    app: gloo
    gloo: knative-external-proxy
  name: knative-external-proxy
  namespace: gloo-system
spec:
  ports:
  - port: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  selector:
    gloo: knative-external-proxy
  type: NodePort
```

This makes sure that a CLB doesn't get created. However, we now need a way to set up an ingress that leverages the ALB. To do so, right after the Service above, copy and paste this entire new section (the `path: /*` entry must carry its own `backend`, otherwise the API server rejects the Ingress):
```
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: knative-external-proxy
  namespace: gloo-system
  annotations:
    kubernetes.io/ingress.class: alb # check this, your ingress.class may be different
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600
  labels:
    app: gloo
    gloo: knative-external-proxy
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: knative-external-proxy
          servicePort: 80
      - backend:
          serviceName: knative-external-proxy
          servicePort: 443
---
```
The brand new section above exposes the `knative-external-proxy` Service through the ALB ingress. The `target-type: ip` annotation is what lets the ALB reach Fargate pods directly, since there are no instances to register as targets. For the purpose of this PoC I have only configured the http (port 80) listener. With an `internet-facing` scheme and a plain HTTP listener, the endpoint is reachable from the internet without TLS, which is fine for a PoC but not for anything beyond it.

Note: with the `idle_timeout.timeout_seconds=600` custom attribute we change the ALB idle timeout from 60 seconds (default) to 600 seconds. This is particularly important for the "scale-to-zero" scenarios, where Fargate may take more than 60 seconds to run the first pod.

For reasons discussed in [this issue](https://github.com/knative/docs/issues/2255), the file generated by the dry run doesn't create the `gloo-system` Kubernetes namespace that the rest of the file assumes exists. Because of this, you need to manually add the following section to the `knative-gloo-fargate.yaml` file:
```
---
apiVersion: v1
kind: Namespace
metadata:
  name: gloo-system
---
```

We are almost there. There is one last tweak we need to make. The `glooctl install knative` command handles race conditions and sets things up in the proper order. When you export the YAML file with the `--dry-run` option and attempt to apply it in its entirety with a single `kubectl apply`, some of the objects fail at creation because (presumably) other objects they depend on are not yet ready. Because of this we need to split the `knative-gloo-fargate.yaml` file into two distinct files that we will apply at different times:
- `knative-gloo-fargate-first-batch.yaml` contains everything but objects of kind `Image`, `Gateway` and `Settings`
- `knative-gloo-fargate-second-batch.yaml` contains only objects of kind `Image`, `Gateway` and `Settings`

These are the two files that are shipped with the repo. You don't need to re-create them, but now you know how they have been built.

Go back to the [main instructions](../README.md).
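The edit-and-split procedure described in this file (switching the `knative-external-proxy` Service to `NodePort`, then splitting the manifest into the two batches by `kind`) as an added shell example; this is not code from the knative-on-fargate repo, and it assumes the Helm-style layout of the `glooctl` dry-run output (metadata before spec, two-space indentation, `---` separators). The Ingress and Namespace documents shown above are appended to the manifest as-is and are not repeated here.

```shell
#!/usr/bin/env bash
# Added example (not part of the knative-on-fargate repo): automates the manual edits
# described in this file on a multi-document manifest such as the output of
# `glooctl install knative --dry-run`. Assumes the Helm-rendered layout of that output:
# metadata before spec, two-space indentation, documents separated by "---".
set -eu

# Step 1: rewrite `type: LoadBalancer` to `type: NodePort`, but only inside the
# Service document whose metadata.name is $3, so any other Service stays untouched.
set_service_nodeport() {
  # $1 = input manifest, $2 = output manifest, $3 = Service name
  awk -v svc="$3" '
    /^---[ \t]*$/                           { is_svc = 0; named = 0 }
    /^kind:[ \t]*Service[ \t]*$/            { is_svc = 1 }
    $0 ~ ("^  name:[ \t]*" svc "[ \t]*$")   { named = 1 }
    is_svc && named && /^  type:[ \t]*LoadBalancer[ \t]*$/ { sub(/LoadBalancer/, "NodePort") }
    { print }
  ' "$1" > "$2"
}

# Step 2: split the manifest into the two batches. A document whose column-0 `kind`
# is Image, Gateway or Settings goes to the second batch; everything else goes to
# the first. Nested `kind:` fields (e.g. roleRef.kind) are indented and so ignored.
split_batches() {
  # $1 = input manifest, $2 = first-batch output, $3 = second-batch output
  : > "$2"
  : > "$3"
  awk -v first="$2" -v second="$3" '
    function flush() {
      if (doc ~ /[^ \t\n]/) {               # skip empty documents (e.g. a leading "---")
        out = (deferred ? second : first)
        printf "%s---\n", doc > out
      }
      doc = ""; deferred = 0
    }
    /^---[ \t]*$/ { flush(); next }
    /^kind:[ \t]*(Image|Gateway|Settings)[ \t]*$/ { deferred = 1 }
    { doc = doc $0 "\n" }
    END { flush() }
  ' "$1"
}

# Count the documents of a given top-level kind in a manifest (verification helper).
count_kind() {
  # $1 = manifest file, $2 = kind
  grep -c "^kind: $2\$" "$1" || true
}

# Constructed sample standing in for the dry-run output; it is not real glooctl output,
# just enough documents to exercise both steps.
workdir="$(mktemp -d)"
cat > "$workdir/knative-gloo-fargate.yaml" <<'EOF'
---
apiVersion: v1
kind: Service
metadata:
  name: knative-external-proxy
  namespace: gloo-system
spec:
  ports:
  - port: 80
    name: http
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: some-other-service
  namespace: gloo-system
spec:
  type: LoadBalancer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example
roleRef:
  kind: Role
  name: example
---
apiVersion: caching.internal.knative.dev/v1alpha1
kind: Image
metadata:
  name: queue-proxy
---
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
EOF

set_service_nodeport "$workdir/knative-gloo-fargate.yaml" "$workdir/patched.yaml" knative-external-proxy
split_batches "$workdir/patched.yaml" "$workdir/first-batch.yaml" "$workdir/second-batch.yaml"
echo "first batch: $(count_kind "$workdir/first-batch.yaml" Service) Service document(s); second batch: $(count_kind "$workdir/second-batch.yaml" Image) Image document(s)"
```

On the real dry-run output, point `set_service_nodeport` at `knative-gloo-fargate.yaml` and then `split_batches` at the patched file to produce the two batch files this folder ships.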
--------------------------------------------------------------------------------
/assets/knative-gloo-fargate-first-batch.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving

---

apiVersion: v1
kind: Namespace
metadata:
  name: gloo-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    autoscaling.knative.dev/metric-provider: custom-metrics
    serving.knative.dev/release: "v0.10.0"
  name: custom-metrics-server-resources
rules:
- apiGroups:
  - custom.metrics.k8s.io
  resources:
  - '*'
  verbs:
  - '*'

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving-namespaced-admin
rules:
- apiGroups:
  - serving.knative.dev
  - networking.internal.knative.dev
  - autoscaling.internal.knative.dev
  - caching.internal.knative.dev
  resources:
  - '*'
  verbs:
  - '*'
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving-namespaced-edit
rules:
- apiGroups:
  - serving.knative.dev
  - networking.internal.knative.dev
  - autoscaling.internal.knative.dev
  resources:
  - '*'
  verbs:
  - create
  - update
  - patch
  - delete
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving-namespaced-view
rules:
- apiGroups:
  - serving.knative.dev
  - networking.internal.knative.dev
  - autoscaling.internal.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

---

aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      serving.knative.dev/controller: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving-admin
rules: []
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    serving.knative.dev/controller: "true"
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving-core
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - configmaps
  - endpoints
  - services
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints/restricted
  verbs:
  - create
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - serving.knative.dev
  - autoscaling.internal.knative.dev
  - networking.internal.knative.dev
  resources:
  - '*'
  - '*/status'
  - '*/finalizers'
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - deletecollection
  - patch
  - watch
- apiGroups:
  - caching.internal.knative.dev
  resources:
  - images
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: controller
  namespace: knative-serving

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    autoscaling.knative.dev/metric-provider: custom-metrics
    serving.knative.dev/release: "v0.10.0"
  name: custom-metrics:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: controller
  namespace: knative-serving

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    autoscaling.knative.dev/metric-provider: custom-metrics
    serving.knative.dev/release: "v0.10.0"
  name: hpa-controller-custom-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: custom-metrics-server-resources
subjects:
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: knative-serving-controller-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: knative-serving-admin
subjects:
- kind: ServiceAccount
  name: controller
  namespace: knative-serving

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    autoscaling.knative.dev/metric-provider: custom-metrics
    serving.knative.dev/release: "v0.10.0"
  name: custom-metrics-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: controller
  namespace: knative-serving

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    knative.dev/crd-install: "true"
    serving.knative.dev/release: "v0.10.0"
  name: certificates.networking.internal.knative.dev
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].reason
    name: Reason
    type: string
  group: networking.internal.knative.dev
  names:
    categories:
    - knative-internal
    - networking
    kind: Certificate
    plural: certificates
    shortNames:
    - kcert
    singular: certificate
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    knative.dev/crd-install: "true"
    serving.knative.dev/release: "v0.10.0"
  name: configurations.serving.knative.dev
spec:
346 | additionalPrinterColumns: 347 | - JSONPath: .status.latestCreatedRevisionName 348 | name: LatestCreated 349 | type: string 350 | - JSONPath: .status.latestReadyRevisionName 351 | name: LatestReady 352 | type: string 353 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 354 | name: Ready 355 | type: string 356 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 357 | name: Reason 358 | type: string 359 | group: serving.knative.dev 360 | names: 361 | categories: 362 | - all 363 | - knative 364 | - serving 365 | kind: Configuration 366 | plural: configurations 367 | shortNames: 368 | - config 369 | - cfg 370 | singular: configuration 371 | scope: Namespaced 372 | subresources: 373 | status: {} 374 | versions: 375 | - name: v1alpha1 376 | served: true 377 | storage: true 378 | - name: v1beta1 379 | served: true 380 | storage: false 381 | - name: v1 382 | served: true 383 | storage: false 384 | 385 | --- 386 | 387 | apiVersion: apiextensions.k8s.io/v1beta1 388 | kind: CustomResourceDefinition 389 | metadata: 390 | labels: 391 | knative.dev/crd-install: "true" 392 | name: images.caching.internal.knative.dev 393 | spec: 394 | group: caching.internal.knative.dev 395 | names: 396 | categories: 397 | - knative-internal 398 | - caching 399 | kind: Image 400 | plural: images 401 | shortNames: 402 | - img 403 | singular: image 404 | scope: Namespaced 405 | subresources: 406 | status: {} 407 | version: v1alpha1 408 | 409 | --- 410 | 411 | apiVersion: apiextensions.k8s.io/v1beta1 412 | kind: CustomResourceDefinition 413 | metadata: 414 | labels: 415 | knative.dev/crd-install: "true" 416 | serving.knative.dev/release: "v0.10.0" 417 | name: ingresses.networking.internal.knative.dev 418 | spec: 419 | additionalPrinterColumns: 420 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 421 | name: Ready 422 | type: string 423 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 424 | name: Reason 425 | type: string 426 | group: 
networking.internal.knative.dev 427 | names: 428 | categories: 429 | - knative-internal 430 | - networking 431 | kind: Ingress 432 | plural: ingresses 433 | shortNames: 434 | - ing 435 | singular: ingress 436 | scope: Namespaced 437 | subresources: 438 | status: {} 439 | versions: 440 | - name: v1alpha1 441 | served: true 442 | storage: true 443 | 444 | --- 445 | 446 | apiVersion: apiextensions.k8s.io/v1beta1 447 | kind: CustomResourceDefinition 448 | metadata: 449 | labels: 450 | knative.dev/crd-install: "true" 451 | serving.knative.dev/release: "v0.10.0" 452 | name: metrics.autoscaling.internal.knative.dev 453 | spec: 454 | additionalPrinterColumns: 455 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 456 | name: Ready 457 | type: string 458 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 459 | name: Reason 460 | type: string 461 | group: autoscaling.internal.knative.dev 462 | names: 463 | categories: 464 | - knative-internal 465 | - autoscaling 466 | kind: Metric 467 | plural: metrics 468 | singular: metric 469 | scope: Namespaced 470 | subresources: 471 | status: {} 472 | version: v1alpha1 473 | 474 | --- 475 | 476 | apiVersion: apiextensions.k8s.io/v1beta1 477 | kind: CustomResourceDefinition 478 | metadata: 479 | labels: 480 | knative.dev/crd-install: "true" 481 | serving.knative.dev/release: "v0.10.0" 482 | name: podautoscalers.autoscaling.internal.knative.dev 483 | spec: 484 | additionalPrinterColumns: 485 | - JSONPath: .status.desiredScale 486 | name: DesiredScale 487 | type: integer 488 | - JSONPath: .status.actualScale 489 | name: ActualScale 490 | type: integer 491 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 492 | name: Ready 493 | type: string 494 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 495 | name: Reason 496 | type: string 497 | group: autoscaling.internal.knative.dev 498 | names: 499 | categories: 500 | - knative-internal 501 | - autoscaling 502 | kind: PodAutoscaler 503 | plural: 
podautoscalers 504 | shortNames: 505 | - kpa 506 | - pa 507 | singular: podautoscaler 508 | scope: Namespaced 509 | subresources: 510 | status: {} 511 | versions: 512 | - name: v1alpha1 513 | served: true 514 | storage: true 515 | 516 | --- 517 | 518 | apiVersion: apiextensions.k8s.io/v1beta1 519 | kind: CustomResourceDefinition 520 | metadata: 521 | labels: 522 | knative.dev/crd-install: "true" 523 | serving.knative.dev/release: "v0.10.0" 524 | name: revisions.serving.knative.dev 525 | spec: 526 | additionalPrinterColumns: 527 | - JSONPath: .metadata.labels['serving\.knative\.dev/configuration'] 528 | name: Config Name 529 | type: string 530 | - JSONPath: .status.serviceName 531 | name: K8s Service Name 532 | type: string 533 | - JSONPath: .metadata.labels['serving\.knative\.dev/configurationGeneration'] 534 | name: Generation 535 | type: string 536 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 537 | name: Ready 538 | type: string 539 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 540 | name: Reason 541 | type: string 542 | group: serving.knative.dev 543 | names: 544 | categories: 545 | - all 546 | - knative 547 | - serving 548 | kind: Revision 549 | plural: revisions 550 | shortNames: 551 | - rev 552 | singular: revision 553 | scope: Namespaced 554 | subresources: 555 | status: {} 556 | versions: 557 | - name: v1alpha1 558 | served: true 559 | storage: true 560 | - name: v1beta1 561 | served: true 562 | storage: false 563 | - name: v1 564 | served: true 565 | storage: false 566 | 567 | --- 568 | 569 | apiVersion: apiextensions.k8s.io/v1beta1 570 | kind: CustomResourceDefinition 571 | metadata: 572 | labels: 573 | duck.knative.dev/addressable: "true" 574 | knative.dev/crd-install: "true" 575 | serving.knative.dev/release: "v0.10.0" 576 | name: routes.serving.knative.dev 577 | spec: 578 | additionalPrinterColumns: 579 | - JSONPath: .status.url 580 | name: URL 581 | type: string 582 | - JSONPath: 
.status.conditions[?(@.type=='Ready')].status 583 | name: Ready 584 | type: string 585 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 586 | name: Reason 587 | type: string 588 | group: serving.knative.dev 589 | names: 590 | categories: 591 | - all 592 | - knative 593 | - serving 594 | kind: Route 595 | plural: routes 596 | shortNames: 597 | - rt 598 | singular: route 599 | scope: Namespaced 600 | subresources: 601 | status: {} 602 | versions: 603 | - name: v1alpha1 604 | served: true 605 | storage: true 606 | - name: v1beta1 607 | served: true 608 | storage: false 609 | - name: v1 610 | served: true 611 | storage: false 612 | 613 | --- 614 | 615 | apiVersion: apiextensions.k8s.io/v1beta1 616 | kind: CustomResourceDefinition 617 | metadata: 618 | labels: 619 | duck.knative.dev/addressable: "true" 620 | knative.dev/crd-install: "true" 621 | serving.knative.dev/release: "v0.10.0" 622 | name: services.serving.knative.dev 623 | spec: 624 | additionalPrinterColumns: 625 | - JSONPath: .status.url 626 | name: URL 627 | type: string 628 | - JSONPath: .status.latestCreatedRevisionName 629 | name: LatestCreated 630 | type: string 631 | - JSONPath: .status.latestReadyRevisionName 632 | name: LatestReady 633 | type: string 634 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 635 | name: Ready 636 | type: string 637 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 638 | name: Reason 639 | type: string 640 | group: serving.knative.dev 641 | names: 642 | categories: 643 | - all 644 | - knative 645 | - serving 646 | kind: Service 647 | plural: services 648 | shortNames: 649 | - kservice 650 | - ksvc 651 | singular: service 652 | scope: Namespaced 653 | subresources: 654 | status: {} 655 | versions: 656 | - name: v1alpha1 657 | served: true 658 | storage: true 659 | - name: v1beta1 660 | served: true 661 | storage: false 662 | - name: v1 663 | served: true 664 | storage: false 665 | 666 | --- 667 | 668 | apiVersion: apiextensions.k8s.io/v1beta1 669 
| kind: CustomResourceDefinition 670 | metadata: 671 | labels: 672 | knative.dev/crd-install: "true" 673 | serving.knative.dev/release: "v0.10.0" 674 | name: serverlessservices.networking.internal.knative.dev 675 | spec: 676 | additionalPrinterColumns: 677 | - JSONPath: .spec.mode 678 | name: Mode 679 | type: string 680 | - JSONPath: .status.serviceName 681 | name: ServiceName 682 | type: string 683 | - JSONPath: .status.privateServiceName 684 | name: PrivateServiceName 685 | type: string 686 | - JSONPath: .status.conditions[?(@.type=='Ready')].status 687 | name: Ready 688 | type: string 689 | - JSONPath: .status.conditions[?(@.type=='Ready')].reason 690 | name: Reason 691 | type: string 692 | group: networking.internal.knative.dev 693 | names: 694 | categories: 695 | - knative-internal 696 | - networking 697 | kind: ServerlessService 698 | plural: serverlessservices 699 | shortNames: 700 | - sks 701 | singular: serverlessservice 702 | scope: Namespaced 703 | subresources: 704 | status: {} 705 | versions: 706 | - name: v1alpha1 707 | served: true 708 | storage: true 709 | 710 | --- 711 | 712 | apiVersion: v1 713 | kind: Service 714 | metadata: 715 | labels: 716 | app: activator 717 | serving.knative.dev/release: "v0.10.0" 718 | name: activator-service 719 | namespace: knative-serving 720 | spec: 721 | ports: 722 | - name: http 723 | port: 80 724 | protocol: TCP 725 | targetPort: 8012 726 | - name: http2 727 | port: 81 728 | protocol: TCP 729 | targetPort: 8013 730 | - name: metrics 731 | port: 9090 732 | protocol: TCP 733 | targetPort: 9090 734 | selector: 735 | app: activator 736 | type: ClusterIP 737 | 738 | --- 739 | 740 | apiVersion: v1 741 | kind: Service 742 | metadata: 743 | labels: 744 | app: controller 745 | serving.knative.dev/release: "v0.10.0" 746 | name: controller 747 | namespace: knative-serving 748 | spec: 749 | ports: 750 | - name: metrics 751 | port: 9090 752 | protocol: TCP 753 | targetPort: 9090 754 | selector: 755 | app: controller 756 | 757 | 
--- 758 | 759 | apiVersion: v1 760 | kind: Service 761 | metadata: 762 | labels: 763 | role: webhook 764 | serving.knative.dev/release: "v0.10.0" 765 | name: webhook 766 | namespace: knative-serving 767 | spec: 768 | ports: 769 | - port: 443 770 | targetPort: 8443 771 | selector: 772 | role: webhook 773 | 774 | --- 775 | 776 | apiVersion: admissionregistration.k8s.io/v1beta1 777 | kind: MutatingWebhookConfiguration 778 | metadata: 779 | labels: 780 | serving.knative.dev/release: "v0.10.0" 781 | name: webhook.serving.knative.dev 782 | webhooks: 783 | - admissionReviewVersions: 784 | - v1beta1 785 | clientConfig: 786 | service: 787 | name: webhook 788 | namespace: knative-serving 789 | failurePolicy: Fail 790 | name: webhook.serving.knative.dev 791 | --- 792 | 793 | apiVersion: admissionregistration.k8s.io/v1beta1 794 | kind: ValidatingWebhookConfiguration 795 | metadata: 796 | labels: 797 | serving.knative.dev/release: "v0.10.0" 798 | name: config.webhook.serving.knative.dev 799 | webhooks: 800 | - admissionReviewVersions: 801 | - v1beta1 802 | clientConfig: 803 | service: 804 | name: webhook 805 | namespace: knative-serving 806 | failurePolicy: Fail 807 | name: config.webhook.serving.knative.dev 808 | namespaceSelector: 809 | matchExpressions: 810 | - key: serving.knative.dev/release 811 | operator: Exists 812 | 813 | --- 814 | 815 | apiVersion: apps/v1 816 | kind: Deployment 817 | metadata: 818 | labels: 819 | serving.knative.dev/release: "v0.10.0" 820 | name: activator 821 | namespace: knative-serving 822 | spec: 823 | selector: 824 | matchLabels: 825 | app: activator 826 | role: activator 827 | template: 828 | metadata: 829 | annotations: 830 | cluster-autoscaler.kubernetes.io/safe-to-evict: "false" 831 | sidecar.istio.io/inject: "true" 832 | labels: 833 | app: activator 834 | role: activator 835 | serving.knative.dev/release: "v0.10.0" 836 | spec: 837 | containers: 838 | - env: 839 | - name: POD_NAME 840 | valueFrom: 841 | fieldRef: 842 | fieldPath: 
metadata.name 843 | - name: POD_IP 844 | valueFrom: 845 | fieldRef: 846 | fieldPath: status.podIP 847 | - name: SYSTEM_NAMESPACE 848 | valueFrom: 849 | fieldRef: 850 | fieldPath: metadata.namespace 851 | - name: CONFIG_LOGGING_NAME 852 | value: config-logging 853 | - name: CONFIG_OBSERVABILITY_NAME 854 | value: config-observability 855 | - name: METRICS_DOMAIN 856 | value: knative.dev/internal/serving 857 | image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:0c52e0a85612bbedebf6d0de2b1951a4f762a05691f86e78079a5089d4848652 858 | livenessProbe: 859 | httpGet: 860 | httpHeaders: 861 | - name: k-kubelet-probe 862 | value: activator 863 | path: /healthz 864 | port: 8012 865 | name: activator 866 | ports: 867 | - containerPort: 8012 868 | name: http1 869 | - containerPort: 8013 870 | name: h2c 871 | - containerPort: 9090 872 | name: metrics 873 | - containerPort: 8008 874 | name: profiling 875 | readinessProbe: 876 | httpGet: 877 | httpHeaders: 878 | - name: k-kubelet-probe 879 | value: activator 880 | path: /healthz 881 | port: 8012 882 | resources: 883 | limits: 884 | cpu: 1000m 885 | memory: 600Mi 886 | requests: 887 | cpu: 300m 888 | memory: 60Mi 889 | securityContext: 890 | allowPrivilegeEscalation: false 891 | serviceAccountName: controller 892 | terminationGracePeriodSeconds: 300 893 | --- 894 | 895 | apiVersion: autoscaling/v2beta1 896 | kind: HorizontalPodAutoscaler 897 | metadata: 898 | name: activator 899 | namespace: knative-serving 900 | spec: 901 | maxReplicas: 20 902 | metrics: 903 | - resource: 904 | name: cpu 905 | targetAverageUtilization: 100 906 | type: Resource 907 | minReplicas: 1 908 | scaleTargetRef: 909 | apiVersion: apps/v1 910 | kind: Deployment 911 | name: activator 912 | 913 | --- 914 | 915 | apiVersion: apps/v1 916 | kind: Deployment 917 | metadata: 918 | labels: 919 | autoscaling.knative.dev/autoscaler-provider: hpa 920 | serving.knative.dev/release: "v0.10.0" 921 | name: autoscaler-hpa 922 | namespace: knative-serving 
923 | spec: 924 | replicas: 1 925 | selector: 926 | matchLabels: 927 | app: autoscaler-hpa 928 | template: 929 | metadata: 930 | annotations: 931 | sidecar.istio.io/inject: "false" 932 | labels: 933 | app: autoscaler-hpa 934 | serving.knative.dev/release: "v0.10.0" 935 | spec: 936 | containers: 937 | - env: 938 | - name: SYSTEM_NAMESPACE 939 | valueFrom: 940 | fieldRef: 941 | fieldPath: metadata.namespace 942 | - name: CONFIG_LOGGING_NAME 943 | value: config-logging 944 | - name: CONFIG_OBSERVABILITY_NAME 945 | value: config-observability 946 | - name: METRICS_DOMAIN 947 | value: knative.dev/serving 948 | image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa@sha256:f5514430997ed3799e0f708d657fef935e7eef2774f073a46ffb06311c8b5e76 949 | name: autoscaler-hpa 950 | ports: 951 | - containerPort: 9090 952 | name: metrics 953 | - containerPort: 8008 954 | name: profiling 955 | resources: 956 | limits: 957 | cpu: 1000m 958 | memory: 1000Mi 959 | requests: 960 | cpu: 100m 961 | memory: 100Mi 962 | securityContext: 963 | allowPrivilegeEscalation: false 964 | serviceAccountName: controller 965 | 966 | --- 967 | 968 | apiVersion: v1 969 | kind: Service 970 | metadata: 971 | labels: 972 | app: autoscaler 973 | serving.knative.dev/release: "v0.10.0" 974 | name: autoscaler 975 | namespace: knative-serving 976 | spec: 977 | ports: 978 | - name: http 979 | port: 8080 980 | protocol: TCP 981 | targetPort: 8080 982 | - name: metrics 983 | port: 9090 984 | protocol: TCP 985 | targetPort: 9090 986 | - name: custom-metrics 987 | port: 443 988 | protocol: TCP 989 | targetPort: 8443 990 | selector: 991 | app: autoscaler 992 | 993 | --- 994 | 995 | apiVersion: apps/v1 996 | kind: Deployment 997 | metadata: 998 | labels: 999 | serving.knative.dev/release: "v0.10.0" 1000 | name: autoscaler 1001 | namespace: knative-serving 1002 | spec: 1003 | replicas: 1 1004 | selector: 1005 | matchLabels: 1006 | app: autoscaler 1007 | template: 1008 | metadata: 1009 | annotations: 1010 | 
cluster-autoscaler.kubernetes.io/safe-to-evict: "false" 1011 | sidecar.istio.io/inject: "true" 1012 | traffic.sidecar.istio.io/includeInboundPorts: 8080,9090 1013 | labels: 1014 | app: autoscaler 1015 | serving.knative.dev/release: "v0.10.0" 1016 | spec: 1017 | containers: 1018 | - args: 1019 | - --secure-port=8443 1020 | - --cert-dir=/tmp 1021 | env: 1022 | - name: SYSTEM_NAMESPACE 1023 | valueFrom: 1024 | fieldRef: 1025 | fieldPath: metadata.namespace 1026 | - name: CONFIG_LOGGING_NAME 1027 | value: config-logging 1028 | - name: CONFIG_OBSERVABILITY_NAME 1029 | value: config-observability 1030 | - name: METRICS_DOMAIN 1031 | value: knative.dev/serving 1032 | image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:9b716bec384c166782f30756e0981ab11178e1a6b7a4fa6965cc6225abf8567c 1033 | livenessProbe: 1034 | httpGet: 1035 | httpHeaders: 1036 | - name: k-kubelet-probe 1037 | value: autoscaler 1038 | path: /healthz 1039 | port: 8080 1040 | name: autoscaler 1041 | ports: 1042 | - containerPort: 8080 1043 | name: websocket 1044 | - containerPort: 9090 1045 | name: metrics 1046 | - containerPort: 8443 1047 | name: custom-metrics 1048 | - containerPort: 8008 1049 | name: profiling 1050 | readinessProbe: 1051 | httpGet: 1052 | httpHeaders: 1053 | - name: k-kubelet-probe 1054 | value: autoscaler 1055 | path: /healthz 1056 | port: 8080 1057 | resources: 1058 | limits: 1059 | cpu: 300m 1060 | memory: 400Mi 1061 | requests: 1062 | cpu: 30m 1063 | memory: 40Mi 1064 | securityContext: 1065 | allowPrivilegeEscalation: false 1066 | serviceAccountName: controller 1067 | 1068 | --- 1069 | 1070 | apiVersion: v1 1071 | data: 1072 | _example: | 1073 | ################################ 1074 | # # 1075 | # EXAMPLE CONFIGURATION # 1076 | # # 1077 | ################################ 1078 | 1079 | # This block is not actually functional configuration, 1080 | # but serves to illustrate the available configuration 1081 | # options and document them in a way that is accessible 
1082 | # to users that `kubectl edit` this config map. 1083 | # 1084 | # These sample configuration options may be copied out of 1085 | # this example block and unindented to be in the data block 1086 | # to actually change the configuration. 1087 | 1088 | # The Revision ContainerConcurrency field specifies the maximum number 1089 | # of requests the Container can handle at once. Container concurrency 1090 | # target percentage is how much of that maximum to use in a stable 1091 | # state. E.g. if a Revision specifies ContainerConcurrency of 10, then 1092 | # the Autoscaler will try to maintain 7 concurrent connections per pod 1093 | # on average. 1094 | # Note: this limit will be applied to container concurrency set at every 1095 | # level (ConfigMap, Revision Spec or Annotation). 1096 | # For legacy and backwards compatibility reasons, this value also accepts 1097 | # fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%). 1098 | # Thus minimal percentage value must be greater than 1.0, or it will be 1099 | # treated as a fraction. 1100 | container-concurrency-target-percentage: "70" 1101 | 1102 | # The container concurrency target default is what the Autoscaler will 1103 | # try to maintain when concurrency is used as the scaling metric for a 1104 | # Revision and the Revision specifies unlimited concurrency. 1105 | # Even when specifying unlimited concurrency, the autoscaler will 1106 | # horizontally scale the application based on this target concurrency. 1107 | # NOTE: Only one metric can be used for autoscaling a Revision. 1108 | container-concurrency-target-default: "100" 1109 | 1110 | # The requests per second (RPS) target default is what the Autoscaler will 1111 | # try to maintain when RPS is used as the scaling metric for a Revision and 1112 | # the Revision specifies unlimited RPS. Even when specifying unlimited RPS, 1113 | # the autoscaler will horizontally scale the application based on this 1114 | # target RPS. 1115 | # Must be greater than 1.0. 
1116 | # NOTE: Only one metric can be used for autoscaling a Revision. 1117 | requests-per-second-target-default: "200" 1118 | 1119 | # The target burst capacity specifies the size of burst in concurrent 1120 | # requests that the system operator expects the system will receive. 1121 | # Autoscaler will try to protect the system from queueing by introducing 1122 | # Activator in the request path if the current spare capacity of the 1123 | # service is less than this setting. 1124 | # If this setting is 0, then Activator will be in the request path only 1125 | # when the revision is scaled to 0. 1126 | # If this setting is > 0 and container-concurrency-target-percentage is 1127 | # 100% or 1.0, then activator will always be in the request path. 1128 | # -1 denotes unlimited target-burst-capacity and activator will always 1129 | # be in the request path. 1130 | # Other negative values are invalid. 1131 | target-burst-capacity: "200" 1132 | 1133 | # When operating in a stable mode, the autoscaler operates on the 1134 | # average concurrency over the stable window. 1135 | stable-window: "60s" 1136 | 1137 | # When observed average concurrency during the panic window reaches 1138 | # panic-threshold-percentage the target concurrency, the autoscaler 1139 | # enters panic mode. When operating in panic mode, the autoscaler 1140 | # scales on the average concurrency over the panic window which is 1141 | # panic-window-percentage of the stable-window. 1142 | panic-window-percentage: "10.0" 1143 | 1144 | # Absolute panic window duration. 1145 | # Deprecated in favor of panic-window-percentage. 1146 | # Existing revisions will continue to scale based on panic-window 1147 | # but new revisions will default to panic-window-percentage. 1148 | panic-window: "6s" 1149 | 1150 | # The percentage of the container concurrency target at which to 1151 | # enter panic mode when reached within the panic window. 
1152 | panic-threshold-percentage: "200.0" 1153 | 1154 | # Max scale up rate limits the rate at which the autoscaler will 1155 | # increase pod count. It is the maximum ratio of desired pods versus 1156 | # observed pods. 1157 | # Cannot less or equal to 1. 1158 | # I.e with value of 2.0 the number of pods can at most go N to 2N 1159 | # over single Autoscaler period (see tick-interval), but at least N to 1160 | # N+1, if Autoscaler needs to scale up. 1161 | max-scale-up-rate: "1000.0" 1162 | 1163 | # Max scale down rate limits the rate at which the autoscaler will 1164 | # decrease pod count. It is the maximum ratio of observed pods versus 1165 | # desired pods. 1166 | # Cannot less or equal to 1. 1167 | # I.e. with value of 2.0 the number of pods can at most go N to N/2 1168 | # over single Autoscaler evaluation period (see tick-interval), but at 1169 | # least N to N-1, if Autoscaler needs to scale down. 1170 | # Not yet used // TODO(vagababov) remove once other parts are ready. 1171 | max-scale-down-rate: "2.0" 1172 | 1173 | # Scale to zero feature flag 1174 | enable-scale-to-zero: "true" 1175 | 1176 | # Tick interval is the time between autoscaling calculations. 1177 | tick-interval: "2s" 1178 | 1179 | # Dynamic parameters (take effect when config map is updated): 1180 | 1181 | # Scale to zero grace period is the time an inactive revision is left 1182 | # running before it is scaled to zero (min: 30s). 
1183 | scale-to-zero-grace-period: "30s" 1184 | kind: ConfigMap 1185 | metadata: 1186 | labels: 1187 | serving.knative.dev/release: "v0.10.0" 1188 | name: config-autoscaler 1189 | namespace: knative-serving 1190 | 1191 | --- 1192 | 1193 | apiVersion: v1 1194 | data: 1195 | _example: | 1196 | ################################ 1197 | # # 1198 | # EXAMPLE CONFIGURATION # 1199 | # # 1200 | ################################ 1201 | 1202 | # This block is not actually functional configuration, 1203 | # but serves to illustrate the available configuration 1204 | # options and document them in a way that is accessible 1205 | # to users that `kubectl edit` this config map. 1206 | # 1207 | # These sample configuration options may be copied out of 1208 | # this example block and unindented to be in the data block 1209 | # to actually change the configuration. 1210 | 1211 | # revision-timeout-seconds contains the default number of 1212 | # seconds to use for the revision's per-request timeout, if 1213 | # none is specified. 1214 | revision-timeout-seconds: "300" # 5 minutes 1215 | 1216 | # max-revision-timeout-seconds contains the maximum number of 1217 | # seconds that can be used for revision-timeout-seconds. 1218 | # This value must be greater than or equal to revision-timeout-seconds. 1219 | # If omitted, the system default is used (600 seconds). 1220 | max-revision-timeout-seconds: "600" # 10 minutes 1221 | 1222 | # revision-cpu-request contains the cpu allocation to assign 1223 | # to revisions by default. If omitted, no value is specified 1224 | # and the system default is used. 1225 | revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU) 1226 | 1227 | # revision-memory-request contains the memory allocation to assign 1228 | # to revisions by default. If omitted, no value is specified 1229 | # and the system default is used. 
1230 | revision-memory-request: "100M" # 100 megabytes of memory 1231 | 1232 | # revision-cpu-limit contains the cpu allocation to limit 1233 | # revisions to by default. If omitted, no value is specified 1234 | # and the system default is used. 1235 | revision-cpu-limit: "1000m" # 1 CPU (aka 1000 milli-CPU) 1236 | 1237 | # revision-memory-limit contains the memory allocation to limit 1238 | # revisions to by default. If omitted, no value is specified 1239 | # and the system default is used. 1240 | revision-memory-limit: "200M" # 200 megabytes of memory 1241 | 1242 | # container-name-template contains a template for the default 1243 | # container name, if none is specified. This field supports 1244 | # Go templating and is supplied with the ObjectMeta of the 1245 | # enclosing Service or Configuration, so values such as 1246 | # {{.Name}} are also valid. 1247 | container-name-template: "user-container" 1248 | 1249 | # container-concurrency specifies the maximum number 1250 | # of requests the Container can handle at once, and requests 1251 | # above this threshold are queued. Setting a value of zero 1252 | # disables this throttling and lets through as many requests as 1253 | # the pod receives. 1254 | container-concurrency: "0" 1255 | kind: ConfigMap 1256 | metadata: 1257 | labels: 1258 | serving.knative.dev/release: "v0.10.0" 1259 | name: config-defaults 1260 | namespace: knative-serving 1261 | 1262 | --- 1263 | 1264 | apiVersion: v1 1265 | data: 1266 | _example: | 1267 | ################################ 1268 | # # 1269 | # EXAMPLE CONFIGURATION # 1270 | # # 1271 | ################################ 1272 | 1273 | # This block is not actually functional configuration, 1274 | # but serves to illustrate the available configuration 1275 | # options and document them in a way that is accessible 1276 | # to users that `kubectl edit` this config map. 
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # List of repositories for which tag to digest resolving should be skipped
    registriesSkippingTagResolving: "ko.local,dev.local"
  queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:5ff357b66622c98f24c56bba0a866be5e097306b83c5e6c41c28b6e87ec64c7c
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-deployment
  namespace: knative-serving

---

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # Default value for domain.
    # Although it will match all routes, it is the least-specific rule so it
    # will only be used if no other domain matches.
    example.com: |

    # These are example settings of domain.
    # example.org will be used for routes having app=nonprofit.
    example.org: |
      selector:
        app: nonprofit

    # Routes having domain suffix of 'svc.cluster.local' will not be exposed
    # through Ingress. You can define your own label selector to assign that
    # domain suffix to your Route here, or you can set the label
    # "serving.knative.dev/visibility=cluster-local"
    # to achieve the same effect. This shows how to make routes having
    # the label app=secret only exposed to the local cluster.
    svc.cluster.local: |
      selector:
        app: secret
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-domain
  namespace: knative-serving

---

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # Delay after revision creation before considering it for GC
    stale-revision-create-delay: "24h"

    # Duration since a route has been pointed at a revision before it should be GC'd
    # This minus lastpinned-debounce must be longer than the controller resync period (10 hours)
    stale-revision-timeout: "15h"

    # Minimum number of generations of revisions to keep before considering for GC
    stale-revision-minimum-generations: "1"

    # To avoid constant updates, we allow an existing annotation to be stale by this
    # amount before we update the timestamp
    stale-revision-lastpinned-debounce: "5h"
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-gc
  namespace: knative-serving

---

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # Common configuration for all Knative codebase
    zap-logger-config: |
      {
        "level": "info",
        "development": false,
        "outputPaths": ["stdout"],
        "errorOutputPaths": ["stderr"],
        "encoding": "json",
        "encoderConfig": {
          "timeKey": "ts",
          "levelKey": "level",
          "nameKey": "logger",
          "callerKey": "caller",
          "messageKey": "msg",
          "stacktraceKey": "stacktrace",
          "lineEnding": "",
          "levelEncoder": "",
          "timeEncoder": "iso8601",
          "durationEncoder": "",
          "callerEncoder": ""
        }
      }

    # Log level overrides
    # For all components except the autoscaler and queue proxy,
    # changes are picked up immediately.
    # For autoscaler and queue proxy, changes require recreation of the pods.
    loglevel.controller: "info"
    loglevel.autoscaler: "info"
    loglevel.queueproxy: "info"
    loglevel.webhook: "info"
    loglevel.activator: "info"
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-logging
  namespace: knative-serving

---

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # istio.sidecar.includeOutboundIPRanges specifies the IP ranges that Istio sidecar
    # will intercept.
    #
    # Replace this with the IP ranges of your cluster (see below for some examples).
    # Separate multiple entries with a comma.
    # Example: "10.4.0.0/14,10.7.240.0/20"
    #
    # If set to "*" Istio will intercept all traffic within
    # the cluster as well as traffic that is going outside the cluster.
    # Traffic going outside the cluster will be blocked unless
    # necessary egress rules are created.
    #
    # If omitted or set to "", the value of global.proxy.includeIPRanges
    # provided at Istio deployment time is used. In the default Knative serving
    # deployment, the global.proxy.includeIPRanges value is set to "*".
    #
    # If an invalid value is passed, "" is used instead.
    #
    # If a valid set of IP address ranges is put into this value,
    # Istio will no longer intercept traffic going to IP addresses
    # outside the provided ranges and there is no need to specify
    # egress rules.
    #
    # To determine the IP ranges of your cluster:
    #   IBM Cloud Private: cat cluster/config.yaml | grep service_cluster_ip_range
    #   IBM Cloud Kubernetes Service: "172.30.0.0/16,172.20.0.0/16,10.10.10.0/24"
    #   Google Container Engine (GKE): gcloud container clusters describe XXXXXXX --zone=XXXXXX | grep -e clusterIpv4Cidr -e servicesIpv4Cidr
    #   Azure Kubernetes Service (AKS): "10.0.0.0/16"
    #   Azure Container Service (ACS; deprecated): "10.244.0.0/16,10.240.0.0/16"
    #   Azure Container Service Engine (ACS-Engine; OSS): Configurable, but defaults to "10.0.0.0/16"
    #   Minikube: "10.0.0.1/24"
    #
    # For more information, visit
    # https://istio.io/docs/tasks/traffic-management/egress/
    #
    istio.sidecar.includeOutboundIPRanges: "*"

    # clusteringress.class has been deprecated. Please use ingress.class instead.
    clusteringress.class: "istio.ingress.networking.knative.dev"

    # ingress.class specifies the default ingress class
    # to use when not dictated by Route annotation.
    #
    # If not specified, will use the Istio ingress.
    #
    # Note that changing the Ingress class of an existing Route
    # will result in undefined behavior. Therefore it is best to only
    # update this value during the setup of Knative, to avoid getting
    # undefined behavior.
    ingress.class: "istio.ingress.networking.knative.dev"

    # certificate.class specifies the default Certificate class
    # to use when not dictated by Route annotation.
    #
    # If not specified, will use the Cert-Manager Certificate.
    #
    # Note that changing the Certificate class of an existing Route
    # will result in undefined behavior. Therefore it is best to only
    # update this value during the setup of Knative, to avoid getting
    # undefined behavior.
    certificate.class: "cert-manager.certificate.networking.internal.knative.dev"

    # domainTemplate specifies the golang text template string to use
    # when constructing the Knative service's DNS name. The default
    # value is "{{.Name}}.{{.Namespace}}.{{.Domain}}". And those three
    # values (Name, Namespace, Domain) are the only variables defined.
    #
    # Changing this value might be necessary when the extra levels in
    # the generated domain name are problematic for wildcard certificates
    # that only support a single level of domain name added to the
    # certificate's domain. In those cases you might consider using a value
    # of "{{.Name}}-{{.Namespace}}.{{.Domain}}", or removing the Namespace
    # entirely from the template. When choosing a new value be thoughtful
    # of the potential for conflicts - for example, when users choose to use
    # characters such as `-` in their service, or namespace, names.
    # {{.Annotations}} can be used for any customization in the go template if needed.
    # We strongly recommend keeping the namespace part of the template to avoid domain name clashes.
    # Example: with '{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}'
    # and an annotation {"sub":"foo"}, the generated name would be {Name}-{Namespace}.foo.{Domain}
    domainTemplate: "{{.Name}}.{{.Namespace}}.{{.Domain}}"

    # tagTemplate specifies the golang text template string to use
    # when constructing the DNS name for "tags" within the traffic blocks
    # of Routes and Configuration. This is used in conjunction with the
    # domainTemplate above to determine the full URL for the tag.
    tagTemplate: "{{.Name}}-{{.Tag}}"

    # Controls whether TLS certificates are automatically provisioned and
    # installed in the Knative ingress to terminate external TLS connection.
    # 1. Enabled: enabling auto-TLS feature.
    # 2. Disabled: disabling auto-TLS feature.
    autoTLS: "Disabled"

    # Controls the behavior of the HTTP endpoint for the Knative ingress.
    # It requires autoTLS to be enabled or reconcileExternalGateway in config-istio to be true.
    # 1. Enabled: The Knative ingress will be able to serve HTTP connection.
    # 2. Disabled: The Knative ingress will reject HTTP traffic.
    # 3. Redirected: The Knative ingress will send a 302 redirect for all
    #    http connections, asking the clients to use HTTPS
    httpProtocol: "Enabled"
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-network
  namespace: knative-serving

---

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # logging.enable-var-log-collection defaults to false.
    # The fluentd daemon set will be set up to collect /var/log if
    # this flag is true.
    logging.enable-var-log-collection: "false"

    # logging.revision-url-template provides a template to use for producing the
    # logging URL that is injected into the status of each Revision.
    # This value is what you might use with the Knative monitoring bundle, and provides
    # access to Kibana after setting up kubectl proxy.
    logging.revision-url-template: |
      http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.serving-knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase))))

    # If non-empty, this enables queue proxy writing user request logs to stdout, excluding probe
    # requests.
    # The value determines the shape of the request logs and it must be a valid go text/template.
    # It is important to keep this as a single line. Multiple lines are parsed as separate entities
    # by most collection agents and will split the request logs into multiple records.
    #
    # The following fields and functions are available to the template:
    #
    # Request: An http.Request (see https://golang.org/pkg/net/http/#Request)
    #          representing an HTTP request received by the server.
    #
    # Response:
    # struct {
    #   Code    int       // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml)
    #   Size    int       // An int representing the size of the response.
    #   Latency float64   // A float64 representing the latency of the response in seconds.
    # }
    #
    # Revision:
    # struct {
    #   Name          string // Knative revision name
    #   Namespace     string // Knative revision namespace
    #   Service       string // Knative service name
    #   Configuration string // Knative configuration name
    #   PodName       string // Name of the pod hosting the revision
    #   PodIP         string // IP of the pod hosting the revision
    # }
    #
    logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}'

    # If true, this enables queue proxy writing request logs for probe requests to stdout.
    # It uses the same template for user requests, i.e. logging.request-log-template.
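The domainTemplate comment in config-network above warns about `-` in Service and namespace names. This added Go example (not Knative's code) renders candidate templates with the same text/template mechanism and reports hostnames that two Routes would share; `RouteData`, `FindClashes` and the sample Routes are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// RouteData carries the variables the config-network comment documents for
// domainTemplate: Name, Namespace, Domain and the Route's Annotations.
// (Constructed for this example; not a Knative type.)
type RouteData struct {
	Name        string
	Namespace   string
	Domain      string
	Annotations map[string]string
}

// RenderDomain executes one domainTemplate string against one Route.
func RenderDomain(tmpl string, r RouteData) (string, error) {
	t, err := template.New("domainTemplate").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, r); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// FindClashes renders every Route and returns, keyed by hostname, the sorted
// "namespace/name" identifiers of Routes that would share that hostname.
// A non-empty result means two Routes compete for one DNS name, so requests
// meant for one tenant's service could be routed to another tenant's Revision.
func FindClashes(tmpl string, routes []RouteData) (map[string][]string, error) {
	owners := map[string][]string{}
	for _, r := range routes {
		host, err := RenderDomain(tmpl, r)
		if err != nil {
			return nil, err
		}
		owners[host] = append(owners[host], r.Namespace+"/"+r.Name)
	}
	clashes := map[string][]string{}
	for host, ids := range owners {
		if len(ids) > 1 {
			sort.Strings(ids)
			clashes[host] = ids
		}
	}
	return clashes, nil
}

// SampleRoutes are constructed: a '-' inside a Service name and inside a
// namespace name is exactly the case the ConfigMap comment warns about.
var SampleRoutes = []RouteData{
	{Name: "foo-bar", Namespace: "baz", Domain: "example.com"},
	{Name: "foo", Namespace: "bar-baz", Domain: "example.com"},
}

func main() {
	for _, tmpl := range []string{
		"{{.Name}}.{{.Namespace}}.{{.Domain}}", // the Knative default: no clash
		"{{.Name}}-{{.Namespace}}.{{.Domain}}", // single-level variant: both map to foo-bar-baz
	} {
		clashes, err := FindClashes(tmpl, SampleRoutes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-38s clashes=%v\n", tmpl, clashes)
	}
	// The annotation form from the comment: with annotation {"sub":"foo"} the
	// generated name is {Name}-{Namespace}.foo.{Domain}.
	host, err := RenderDomain(`{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}`,
		RouteData{Name: "hello", Namespace: "default", Domain: "example.com",
			Annotations: map[string]string{"sub": "foo"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(host)
}
```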
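The logging.request-log-template value above wraps every client-controlled field in the template's `js` function. This added Go example (not the Knative queue proxy's code) renders that exact template over a constructed request whose User-Agent carries a quote and a newline, and checks that the result is still one line of valid JSON; `ResponseInfo`, `RevisionInfo`, `SampleRequest` and `HostileUserAgent` are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"text/template"
)

// ResponseInfo and RevisionInfo mirror the Response and Revision structs the
// ConfigMap comment documents (constructed here, not Knative's own types).
type ResponseInfo struct {
	Code    int
	Size    int
	Latency float64
}

type RevisionInfo struct {
	Name, Namespace, Service, Configuration, PodName, PodIP string
}

// RequestLogTemplate is the logging.request-log-template value from the ConfigMap above.
const RequestLogTemplate = `{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}`

// UnescapedTemplate drops the js function from the User-Agent field only, to
// show what the escaping protects against.
var UnescapedTemplate = strings.Replace(RequestLogTemplate, "{{js .Request.UserAgent}}", "{{.Request.UserAgent}}", 1)

// RenderRequestLog executes a request-log template with the documented fields.
func RenderRequestLog(tmpl string, req *http.Request, resp ResponseInfo, rev RevisionInfo) (string, error) {
	t, err := template.New("request-log").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	data := map[string]interface{}{"Request": req, "Response": resp, "Revision": rev}
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// ParseLogRecord applies the two checks a collector relies on: the record is a
// single line, and that line is valid JSON.
func ParseLogRecord(line string) (map[string]interface{}, error) {
	if strings.ContainsAny(line, "\r\n") {
		return nil, fmt.Errorf("record spans several lines; collectors would split it")
	}
	var rec map[string]interface{}
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return nil, err
	}
	return rec, nil
}

// HostileUserAgent is a constructed client string with a quote, a newline and
// angle brackets: copied through unescaped it would forge a second record.
const HostileUserAgent = "curl/7.64 \"x\"\n{\"httpRequest\": {\"status\": 200}} <b>"

// SampleRequest builds a constructed request as the queue proxy would see it.
func SampleRequest() *http.Request {
	req := httptest.NewRequest(http.MethodGet, "/hello?x=1", nil)
	req.RemoteAddr = "192.0.2.10:51234"
	req.Header.Set("User-Agent", HostileUserAgent)
	req.Header.Set("Referer", "https://example.com/")
	req.Header.Set("X-B3-Traceid", "463ac35c9f6413ad")
	return req
}

// UserAgentFromLog renders tmpl for SampleRequest and returns the userAgent
// field exactly as a log collector would decode it from the JSON record.
func UserAgentFromLog(tmpl string) (string, error) {
	line, err := RenderRequestLog(tmpl, SampleRequest(),
		ResponseInfo{Code: 200, Size: 12, Latency: 0.004},
		RevisionInfo{Name: "hello-00001", Namespace: "default", Service: "hello", PodIP: "10.0.0.7"})
	if err != nil {
		return "", err
	}
	rec, err := ParseLogRecord(line)
	if err != nil {
		return "", err
	}
	httpReq, _ := rec["httpRequest"].(map[string]interface{})
	ua, _ := httpReq["userAgent"].(string)
	return ua, nil
}

func main() {
	// With js the hostile string round-trips intact; without it the record
	// breaks into two lines and fails to parse.
	for _, c := range []struct{ name, tmpl string }{{"with js", RequestLogTemplate}, {"without js", UnescapedTemplate}} {
		ua, err := UserAgentFromLog(c.tmpl)
		fmt.Printf("%-10s userAgent=%q err=%v\n", c.name, ua, err)
	}
}
```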
    logging.enable-probe-request-log: "false"

    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using stackdriver will incur additional charges
    metrics.backend-destination: prometheus

    # metrics.request-metrics-backend-destination specifies the request metrics
    # destination. If non-empty, it enables queue proxy to send request metrics.
    # Currently supported values: prometheus, stackdriver.
    metrics.request-metrics-backend-destination: prometheus

    # metrics.stackdriver-project-id field specifies the stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used if this field is not provided.
    metrics.stackdriver-project-id: ""

    # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
    # Stackdriver using "global" resource type and custom metric type if the
    # metrics are not supported by "knative_revision" resource type. Setting this
    # flag to "true" could cause extra Stackdriver charge.
    # If metrics.backend-destination is not Stackdriver, this is ignored.
    metrics.allow-stackdriver-custom-metrics: "false"

    # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from
    # the pods via an HTTP server in the format expected by the pprof visualization tool. When
    # enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008.
    # The HTTP context root for profiling is then /debug/pprof/.
    profiling.enable: "false"
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-observability
  namespace: knative-serving

---

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.
    #
    # This may be "zipkin" or "stackdriver", the default is "none"
    backend: "none"

    # URL to zipkin collector where traces are sent.
    # This must be specified when backend is "zipkin"
    zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans"

    # The GCP project into which stackdriver metrics will be written
    # when backend is "stackdriver". If unspecified, the project-id
    # is read from GCP metadata when running on GCP.
    stackdriver-project-id: "my-project"

    # Enable zipkin debug mode. This allows all spans to be sent to the server
    # bypassing sampling.
    debug: "false"

    # Percentage (0-1) of requests to trace
    sample-rate: "0.1"
kind: ConfigMap
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: config-tracing
  namespace: knative-serving

---

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: controller
  namespace: knative-serving
spec:
  replicas: 1
  selector:
    matchLabels:
      app: controller
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: controller
        serving.knative.dev/release: "v0.10.0"
    spec:
      containers:
      - env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/internal/serving
        image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:a168c9fa095c88b3e0bcbbaa6d4501a8a02ab740b360938879ae9df55964a758
        name: controller
        ports:
        - containerPort: 9090
          name: metrics
        - containerPort: 8008
          name: profiling
        resources:
          limits:
            cpu: 1000m
            memory: 1000Mi
          requests:
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
      serviceAccountName: controller

---

apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  labels:
    autoscaling.knative.dev/metric-provider: custom-metrics
    serving.knative.dev/release: "v0.10.0"
  name: v1beta1.custom.metrics.k8s.io
spec:
  group: custom.metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
    name: autoscaler
    namespace: knative-serving
  version: v1beta1
  versionPriority: 100

---

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    serving.knative.dev/release: "v0.10.0"
  name: webhook
  namespace: knative-serving
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      role: webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
        sidecar.istio.io/inject: "false"
      labels:
        app: webhook
        role: webhook
        serving.knative.dev/release: "v0.10.0"
    spec:
      containers:
      - env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/serving
        image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:f59e8d9782f17b1af3060152d99b70ae08f40aa69b799180d24964e527ebb818
        name: webhook
        ports:
        - containerPort: 9090
          name: metrics
        - containerPort: 8008
          name: profiling
        resources:
          limits:
            cpu: 200m
            memory: 200Mi
          requests:
            cpu: 20m
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
      serviceAccountName: controller

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: authconfigs.enterprise.gloo.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: enterprise.gloo.solo.io
  names:
    kind: AuthConfig
    listKind: AuthConfigList
    plural: authconfigs
    shortNames:
    - ac
    singular: authconfig
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: gateways.gateway.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: gateway.solo.io
  names:
    kind: Gateway
    listKind: GatewayList
    plural: gateways
    shortNames:
    - gw
    singular: gateway
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    storage: true
    served: true

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: proxies.gloo.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: gloo.solo.io
  names:
    kind: Proxy
    listKind: ProxyList
    plural: proxies
    shortNames:
    - px
    singular: proxy
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: routetables.gateway.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: gateway.solo.io
  names:
    kind: RouteTable
    listKind: RouteTableList
    plural: routetables
    shortNames:
    - rt
    singular: routetable
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: settings.gloo.solo.io
  annotations:
    "helm.sh/hook": crd-install
  labels:
    gloo: settings
spec:
  group: gloo.solo.io
  names:
    kind: Settings
    listKind: SettingsList
    plural: settings
    shortNames:
    - st
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: upstreams.gloo.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: gloo.solo.io
  names:
    kind: Upstream
    listKind: UpstreamList
    plural: upstreams
    shortNames:
    - us
    singular: upstream
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: upstreamgroups.gloo.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: gloo.solo.io
  names:
    kind: UpstreamGroup
    listKind: UpstreamGroupList
    plural: upstreamgroups
    shortNames:
    - ug
    singular: upstreamgroup
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: virtualservices.gateway.solo.io
  annotations:
    "helm.sh/hook": crd-install
spec:
  group: gateway.solo.io
  names:
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    shortNames:
    - vs
    singular: virtualservice
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
---
---
# Source: gloo/templates/2-gloo-usage-configmap.yaml
# use this config map to record envoy usage stats

apiVersion: v1
kind: ConfigMap
metadata:
  name: gloo-usage
  namespace: gloo-system
  labels:
    app: gloo
    gloo: gloo-usage
data:
---
# Source: gloo/templates/27-knative-external-proxy-configmap.yaml
# configmap
apiVersion: v1
kind: ConfigMap
metadata:
  name: knative-external-proxy-config
  namespace: gloo-system
  labels:
    app: gloo
    gloo: knative-external-proxy
data:
  envoy.yaml: |
    node:
      cluster: knative
      id: "{{.PodName}}.{{.PodNamespace}}"
      metadata:
        # role's value is the key for the in-memory xds cache (projects/gloo/pkg/xds/envoy.go)
        role: "{{.PodNamespace}}~knative-external-proxy"
    static_resources:
      clusters:
      - name: xds_cluster
        connect_timeout: 5.000s
        load_assignment:
          cluster_name: xds_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: gloo
                    port_value: 9977
        http2_protocol_options: {}
        upstream_connection_options:
          tcp_keepalive: {}
        type: STRICT_DNS


    dynamic_resources:
      ads_config:
        api_type: GRPC
        rate_limit_settings: {}
        grpc_services:
        - envoy_grpc: {cluster_name: xds_cluster}
      cds_config:
        ads: {}
      lds_config:
        ads: {}
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 19000 # if .Values.settings.integrations.knative.proxy.tracing
---
# Source: gloo/templates/30-knative-internal-proxy-configmap.yaml
# configmap
apiVersion: v1
kind: ConfigMap
metadata:
  name: knative-internal-proxy-config
  namespace: gloo-system
  labels:
    app: gloo
    gloo: knative-internal-proxy
data:
  envoy.yaml: |
    node:
      cluster: knative
      id: "{{.PodName}}.{{.PodNamespace}}"
      metadata:
        # role's value is the key for the in-memory xds cache (projects/gloo/pkg/xds/envoy.go)
        role: "{{.PodNamespace}}~knative-internal-proxy"
    static_resources:
      clusters:
      - name: xds_cluster
        connect_timeout: 5.000s
        load_assignment:
          cluster_name: xds_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: gloo
                    port_value: 9977
        http2_protocol_options: {}
        upstream_connection_options:
          tcp_keepalive: {}
        type: STRICT_DNS


    dynamic_resources:
      ads_config:
        api_type: GRPC
        rate_limit_settings: {}
        grpc_services:
        - envoy_grpc: {cluster_name: xds_cluster}
      cds_config:
        ads: {}
      lds_config:
        ads: {}
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 19000 # if .Values.settings.integrations.knative.proxy.tracing
---
# Source: gloo/templates/2-gloo-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: gloo
    gloo: gloo
  name: gloo
  namespace: gloo-system
---
# Source: gloo/templates/3-discovery-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: gloo
    gloo: discovery
  name: discovery
  namespace: gloo-system
---
# Source: gloo/templates/22-namespace-clusterrole-knative.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gloo-role-knative
  labels:
    app: gloo
    gloo: rbac
rules:
- apiGroups: [""]
  resources: ["pods", "services", "secrets", "endpoints", "configmaps"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "create"]
- apiGroups: ["gloo.solo.io", "enterprise.gloo.solo.io"]
  resources: ["settings", "upstreams","upstreamgroups", "proxies","virtualservices", "routetables", "authconfigs"]
  verbs: ["*"]
- apiGroups: ["networking.internal.knative.dev"]
  resources: ["clusteringresses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.internal.knative.dev"]
  resources: ["clusteringresses/status"]
  verbs: ["update"]
- apiGroups: ["networking.internal.knative.dev"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.internal.knative.dev"]
  resources: ["ingresses/status"]
  verbs: ["update"]
---
# Source: gloo/templates/25-namespace-clusterrolebinding-knative.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gloo-role-binding-knative-gloo-system
  labels:
    app: gloo
    gloo: rbac
subjects:
- kind: ServiceAccount
  name: default
  namespace: gloo-system
- kind: ServiceAccount
  name: discovery
  namespace: gloo-system
- kind: ServiceAccount
  name: gloo
  namespace: gloo-system
roleRef:
  kind: ClusterRole
  name: gloo-role-knative
  apiGroup: rbac.authorization.k8s.io
---
# Source: gloo/templates/2-gloo-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: gloo
    gloo: gloo
  name: gloo
  namespace: gloo-system
spec:
  ports:
  - name: grpc-xds
    port: 9977
    protocol: TCP
  - name: grpc-validation
    port: 9988
    protocol: TCP
  - name: metrics-grpc
    port: 9966
    protocol: TCP
  - name: wasm-cache
    port: 9979
    protocol: TCP
  selector:
    gloo: gloo
---
# Source: gloo/templates/28-knative-external-proxy-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: gloo
    gloo: knative-external-proxy
  name: knative-external-proxy
  namespace: gloo-system
spec:
  ports:
  - port: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  selector:
    gloo: knative-external-proxy
  type: NodePort
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: knative-external-proxy
  namespace: gloo-system
  annotations:
    kubernetes.io/ingress.class: alb # check this, your ingress.class may be different
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600
  labels:
    app: gloo
    gloo: knative-external-proxy
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: knative-external-proxy
          servicePort: 80
---
# Source: gloo/templates/31-knative-internal-proxy-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: gloo
    gloo: knative-internal-proxy
  name: knative-internal-proxy
  namespace: gloo-system
spec:
  ports:
  - port: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  selector:
    gloo: knative-internal-proxy
  type: ClusterIP
---
# Source: gloo/templates/1-gloo-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels: 2313 | app: gloo 2314 | gloo: gloo 2315 | name: gloo 2316 | namespace: gloo-system 2317 | spec: 2318 | replicas: 1 2319 | selector: 2320 | matchLabels: 2321 | gloo: gloo 2322 | template: 2323 | metadata: 2324 | labels: 2325 | gloo: gloo 2326 | annotations: 2327 | prometheus.io/path: /metrics 2328 | prometheus.io/port: "9091" 2329 | prometheus.io/scrape: "true" 2330 | spec: 2331 | serviceAccountName: gloo 2332 | volumes: 2333 | - name: labels-volume 2334 | downwardAPI: 2335 | items: 2336 | - path: "labels" 2337 | fieldRef: 2338 | fieldPath: metadata.labels 2339 | containers: 2340 | - image: quay.io/solo-io/gloo:1.3.9 2341 | imagePullPolicy: IfNotPresent 2342 | name: gloo 2343 | resources: 2344 | requests: 2345 | cpu: 500m 2346 | memory: 256Mi 2347 | securityContext: 2348 | readOnlyRootFilesystem: true 2349 | allowPrivilegeEscalation: false 2350 | runAsNonRoot: true 2351 | runAsUser: 10101 2352 | capabilities: 2353 | drop: 2354 | - ALL 2355 | ports: 2356 | - containerPort: 9977 2357 | name: grpc-xds 2358 | protocol: TCP 2359 | - containerPort: 9988 2360 | name: grpc-validation 2361 | protocol: TCP 2362 | - containerPort: 9979 2363 | name: wasm-cache 2364 | protocol: TCP 2365 | volumeMounts: 2366 | - name: labels-volume 2367 | mountPath: /etc/gloo 2368 | readOnly: true 2369 | env: 2370 | - name: POD_NAMESPACE 2371 | valueFrom: 2372 | fieldRef: 2373 | fieldPath: metadata.namespace 2374 | - name: START_STATS_SERVER 2375 | value: "true" 2376 | readinessProbe: 2377 | tcpSocket: 2378 | port: 9977 2379 | initialDelaySeconds: 1 2380 | periodSeconds: 2 2381 | failureThreshold: 10 2382 | --- 2383 | # Source: gloo/templates/10-ingress-deployment.yaml 2384 | apiVersion: apps/v1 2385 | kind: Deployment 2386 | metadata: 2387 | labels: 2388 | app: gloo 2389 | gloo: ingress 2390 | name: ingress 2391 | namespace: gloo-system 2392 | spec: 2393 | replicas: 1 2394 | selector: 2395 | matchLabels: 2396 | gloo: ingress 2397 | template: 2398 | metadata: 2399 | labels: 2400 | gloo: 
ingress 2401 | spec: 2402 | containers: 2403 | - image: quay.io/solo-io/ingress:1.3.9 2404 | imagePullPolicy: IfNotPresent 2405 | name: ingress 2406 | env: 2407 | - name: POD_NAMESPACE 2408 | valueFrom: 2409 | fieldRef: 2410 | fieldPath: metadata.namespace 2411 | - name: "ENABLE_KNATIVE_INGRESS" 2412 | value: "true" 2413 | - name: "KNATIVE_VERSION" 2414 | value: "0.10.0" 2415 | - name: "DISABLE_KUBE_INGRESS" 2416 | value: "true" 2417 | --- 2418 | # Source: gloo/templates/26-knative-external-proxy-deployment.yaml 2419 | apiVersion: apps/v1 2420 | kind: Deployment 2421 | metadata: 2422 | labels: 2423 | app: gloo 2424 | gloo: knative-external-proxy 2425 | name: knative-external-proxy 2426 | namespace: gloo-system 2427 | spec: 2428 | replicas: 1 2429 | selector: 2430 | matchLabels: 2431 | gloo: knative-external-proxy 2432 | template: 2433 | metadata: 2434 | labels: 2435 | gloo: knative-external-proxy 2436 | spec: 2437 | containers: 2438 | - args: ["--disable-hot-restart"] 2439 | env: 2440 | - name: POD_NAMESPACE 2441 | valueFrom: 2442 | fieldRef: 2443 | fieldPath: metadata.namespace 2444 | - name: POD_NAME 2445 | valueFrom: 2446 | fieldRef: 2447 | fieldPath: metadata.name 2448 | image: quay.io/solo-io/gloo-envoy-wrapper:1.3.9 2449 | imagePullPolicy: IfNotPresent 2450 | name: knative-external-proxy 2451 | securityContext: 2452 | readOnlyRootFilesystem: true 2453 | allowPrivilegeEscalation: false 2454 | capabilities: 2455 | drop: 2456 | - ALL 2457 | add: 2458 | - NET_BIND_SERVICE 2459 | ports: 2460 | - containerPort: 80 2461 | name: http 2462 | protocol: TCP 2463 | - containerPort: 443 2464 | name: https 2465 | protocol: TCP 2466 | volumeMounts: 2467 | - mountPath: /etc/envoy 2468 | name: envoy-config 2469 | volumes: 2470 | - configMap: 2471 | name: knative-external-proxy-config 2472 | name: envoy-config 2473 | --- 2474 | # Source: gloo/templates/29-knative-internal-proxy-deployment.yaml 2475 | apiVersion: apps/v1 2476 | kind: Deployment 2477 | metadata: 2478 | labels: 
2479 | app: gloo 2480 | gloo: knative-internal-proxy 2481 | name: knative-internal-proxy 2482 | namespace: gloo-system 2483 | spec: 2484 | replicas: 1 2485 | selector: 2486 | matchLabels: 2487 | gloo: knative-internal-proxy 2488 | template: 2489 | metadata: 2490 | labels: 2491 | gloo: knative-internal-proxy 2492 | spec: 2493 | containers: 2494 | - args: ["--disable-hot-restart"] 2495 | env: 2496 | - name: POD_NAMESPACE 2497 | valueFrom: 2498 | fieldRef: 2499 | fieldPath: metadata.namespace 2500 | - name: POD_NAME 2501 | valueFrom: 2502 | fieldRef: 2503 | fieldPath: metadata.name 2504 | image: quay.io/solo-io/gloo-envoy-wrapper:1.3.9 2505 | imagePullPolicy: IfNotPresent 2506 | name: knative-internal-proxy 2507 | securityContext: 2508 | readOnlyRootFilesystem: true 2509 | allowPrivilegeEscalation: false 2510 | capabilities: 2511 | drop: 2512 | - ALL 2513 | add: 2514 | - NET_BIND_SERVICE 2515 | ports: 2516 | - containerPort: 80 2517 | name: http 2518 | protocol: TCP 2519 | - containerPort: 443 2520 | name: https 2521 | protocol: TCP 2522 | volumeMounts: 2523 | - mountPath: /etc/envoy 2524 | name: envoy-config 2525 | volumes: 2526 | - configMap: 2527 | name: knative-internal-proxy-config 2528 | name: envoy-config 2529 | --- 2530 | # Source: gloo/templates/3-discovery-deployment.yaml 2531 | apiVersion: apps/v1 2532 | kind: Deployment 2533 | metadata: 2534 | labels: 2535 | app: gloo 2536 | gloo: discovery 2537 | name: discovery 2538 | namespace: gloo-system 2539 | spec: 2540 | replicas: 1 2541 | selector: 2542 | matchLabels: 2543 | gloo: discovery 2544 | template: 2545 | metadata: 2546 | labels: 2547 | gloo: discovery 2548 | annotations: 2549 | prometheus.io/path: /metrics 2550 | prometheus.io/port: "9091" 2551 | prometheus.io/scrape: "true" 2552 | spec: 2553 | serviceAccountName: discovery 2554 | containers: 2555 | - image: quay.io/solo-io/discovery:1.3.9 2556 | imagePullPolicy: IfNotPresent 2557 | name: discovery 2558 | securityContext: 2559 | readOnlyRootFilesystem: 
true 2560 | allowPrivilegeEscalation: false 2561 | runAsNonRoot: true 2562 | runAsUser: 10101 2563 | capabilities: 2564 | drop: 2565 | - ALL 2566 | env: 2567 | - name: POD_NAMESPACE 2568 | valueFrom: 2569 | fieldRef: 2570 | fieldPath: metadata.namespace 2571 | - name: START_STATS_SERVER 2572 | value: "true" 2573 | -------------------------------------------------------------------------------- /assets/knative-gloo-fargate-second-batch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: caching.internal.knative.dev/v1alpha1 2 | kind: Image 3 | metadata: 4 | labels: 5 | serving.knative.dev/release: "v0.10.0" 6 | name: queue-proxy 7 | namespace: knative-serving 8 | spec: 9 | image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:5ff357b66622c98f24c56bba0a866be5e097306b83c5e6c41c28b6e87ec64c7c 10 | 11 | --- 12 | 13 | # Source: gloo/templates/8-default-gateways.yaml 14 | apiVersion: gateway.solo.io/v1 15 | kind: Gateway 16 | metadata: 17 | name: gateway-proxy 18 | namespace: gloo-system 19 | labels: 20 | app: gloo 21 | spec: 22 | bindAddress: "::" 23 | bindPort: 8080 24 | httpGateway: {} 25 | useProxyProto: false 26 | ssl: false 27 | proxyNames: 28 | - gateway-proxy 29 | --- 30 | # Source: gloo/templates/8-default-gateways.yaml 31 | apiVersion: gateway.solo.io/v1 32 | kind: Gateway 33 | metadata: 34 | name: gateway-proxy-ssl 35 | namespace: gloo-system 36 | labels: 37 | app: gloo 38 | spec: 39 | bindAddress: "::" 40 | bindPort: 8443 41 | httpGateway: {} 42 | useProxyProto: false 43 | ssl: true 44 | proxyNames: 45 | - gateway-proxy 46 | --- 47 | # Source: gloo/templates/18-settings.yaml 48 | apiVersion: gloo.solo.io/v1 49 | kind: Settings 50 | metadata: 51 | labels: 52 | app: gloo 53 | name: default 54 | namespace: gloo-system 55 | spec: 56 | gloo: 57 | xdsBindAddr: "0.0.0.0:9977" 58 | invalidConfigPolicy: 59 | invalidRouteResponseBody: Gloo Gateway has invalid configuration. 
Administrators should 60 | run `glooctl check` to find and fix config errors. 61 | invalidRouteResponseCode: 404 62 | disableKubernetesDestinations: false 63 | disableProxyGarbageCollection: false 64 | discoveryNamespace: gloo-system 65 | kubernetesArtifactSource: {} 66 | kubernetesConfigSource: {} 67 | kubernetesSecretSource: {} 68 | refreshRate: 60s 69 | knative: 70 | knativeExternalProxyAddress: "knative-external-proxy.gloo-system.svc.cluster.local" 71 | knativeInternalProxyAddress: "knative-internal-proxy.gloo-system.svc.cluster.local" 72 | gateway: 73 | readGatewaysFromAllNamespaces: false 74 | validation: 75 | proxyValidationServerAddr: gloo:9988 76 | alwaysAccept: true 77 | discovery: 78 | fdsMode: WHITELIST -------------------------------------------------------------------------------- /images/knative-on-fargate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mreferre/knative-on-fargate/a1639719759a024e26346604d4c6892104514874/images/knative-on-fargate.png -------------------------------------------------------------------------------- /images/knative-on-fargate.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mreferre/knative-on-fargate/a1639719759a024e26346604d4c6892104514874/images/knative-on-fargate.pptx --------------------------------------------------------------------------------