Setting up custom ingress gateway
Knative uses a shared ingress Gateway to serve all incoming traffic within the Knative service mesh: the knative-ingress-gateway Gateway under the knative-serving namespace. By default, it uses the Istio gateway service istio-ingressgateway under the istio-system namespace as its underlying service. You can replace that service with your own as follows.
Step 1: Create Gateway Service and Deployment Instance
You’ll need to create the gateway service and deployment instance to handle traffic first. Let’s say you customized the default istio-ingressgateway to custom-ingressgateway as follows.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        autoInject: disabled
      useMCP: false
      # The third-party-jwt is not enabled on all k8s.
      # See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
      jwtPolicy: first-party-jwt

  addonComponents:
    pilot:
      enabled: true
    prometheus:
      enabled: false

  components:
    ingressGateways:
      - name: custom-ingressgateway
        enabled: true
        namespace: custom-ns
        label:
          istio: custom-gateway
Step 2: Update Knative Gateway
Update the gateway instance knative-ingress-gateway under the knative-serving namespace:
kubectl edit gateway knative-ingress-gateway -n knative-serving
Replace the label selector with the label of your service:
istio: ingressgateway
For the service above, it should be updated to:
istio: custom-gateway
If the service ports differ from those of istio-ingressgateway, update the port info in the gateway accordingly.
Step 3: Update Gateway Configmap
Update the gateway configmap config-istio under the knative-serving namespace:
kubectl edit configmap config-istio -n knative-serving
Replace the istio-ingressgateway.istio-system.svc.cluster.local field with the fully qualified URL of your service.
gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"
For the service above, it should be updated to:
gateway.knative-serving.knative-ingress-gateway: custom-ingressgateway.custom-ns.svc.cluster.local
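A check that the objects edited in Steps 1 to 3 agree with one another, so that the Knative Gateway is actually served by the custom gateway pods and config-istio does not still point at the default service. This is an added example, not part of the Knative documentation: it assumes each argument is the parsed output of kubectl get <kind> <name> -o json, and the function name, the sample objects and the port-matching rule are this example's own assumptions.

```python
# Added example: inputs are parsed `kubectl get <kind> <name> -o json` output.

def check_custom_gateway(gateway, deployment, service, configmap,
                         cluster_domain="cluster.local"):
    """Return a list of findings; an empty list means the objects agree."""
    findings = []
    gw, svc = gateway["metadata"], service["metadata"]

    # Step 2: every Gateway selector label must be on the custom gateway pods,
    # otherwise the Gateway binds to some other workload (or to none).
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    for key, want in gateway["spec"].get("selector", {}).items():
        if pod_labels.get(key) != want:
            findings.append(f"selector {key}={want} != pod label {pod_labels.get(key)}")

    # Step 2, ports: each Gateway server port must be exposed by the Service.
    # Assumption: a match on either `port` or `targetPort` counts.
    exposed = set()
    for p in service["spec"].get("ports", []):
        exposed.update({p.get("port"), p.get("targetPort")})
    for server in gateway["spec"].get("servers", []):
        if server["port"]["number"] not in exposed:
            findings.append(f"port {server['port']['number']} not on {svc['name']}")

    # Step 3: config-istio must map this Gateway to the custom Service.
    key = f"gateway.{gw['namespace']}.{gw['name']}"
    expected = f"{svc['name']}.{svc['namespace']}.svc.{cluster_domain}"
    actual = configmap.get("data", {}).get(key)
    if actual != expected:
        findings.append(f"{key} is {actual!r}, expected {expected!r}")
    return findings

# Constructed sample objects (trimmed to the fields the check reads).
GATEWAY = {"metadata": {"name": "knative-ingress-gateway", "namespace": "knative-serving"},
           "spec": {"selector": {"istio": "ingressgateway"},  # Step 2 not applied yet
                    "servers": [{"port": {"number": 80}}]}}
DEPLOYMENT = {"spec": {"template": {"metadata": {"labels": {"istio": "custom-gateway"}}}}}
SERVICE = {"metadata": {"name": "custom-ingressgateway", "namespace": "custom-ns"},
           "spec": {"ports": [{"port": 80, "targetPort": 8080}]}}
CONFIGMAP = {"data": {"gateway.knative-serving.knative-ingress-gateway":
                      "istio-ingressgateway.istio-system.svc.cluster.local"}}  # Step 3 not applied yet

if __name__ == "__main__":
    for finding in check_custom_gateway(GATEWAY, DEPLOYMENT, SERVICE, CONFIGMAP):
        print("MISMATCH:", finding)
```

With the sample objects, which model a cluster where only Step 1 has been done, the check reports the stale selector and the stale config-istio entry.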