From 828972ee0c045a1fb3d8330e932b8c871f2c81fa Mon Sep 17 00:00:00 2001
From: fanyq <2629791115@qq.com>
Date: Sat, 5 Aug 2023 11:06:31 +0800
Subject: [PATCH] kourier
---
 .gitignore | 3 +-
 kourier.yaml | 657 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 659 insertions(+), 1 deletion(-)
 create mode 100644 kourier.yaml
diff --git a/.gitignore b/.gitignore
index 4939c19..07c5a36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-knative-docs
\ No newline at end of file
+knative-docs
+.Ds_Store
\ No newline at end of file
diff --git a/kourier.yaml b/kourier.yaml
new file mode 100644
index 0000000..a4b58f9
--- /dev/null
+++ b/kourier.yaml
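Review bot: The added ignore pattern `.Ds_Store` will not match the file macOS actually creates, `.DS_Store`, on a case-sensitive checkout (Linux, CI), because gitignore matching is case-sensitive unless `core.ignorecase` is set; the metadata file can therefore still be committed from those environments. Change the added line to `.DS_Store`. The file also still ends without a trailing newline on both sides of the hunk, which git will flag again on the next append.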
@@ -0,0 +1,657 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kourier-bootstrap + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +data: + envoy-bootstrap.yaml: | + dynamic_resources: + ads_config: + transport_api_version: V3 + api_type: GRPC + rate_limit_settings: {} + grpc_services: + - envoy_grpc: {cluster_name: xds_cluster} + cds_config: + resource_api_version: V3 + ads: {} + lds_config: + resource_api_version: V3 + ads: {} + node: + cluster: kourier-knative + id: 3scale-kourier-gateway + static_resources: + listeners: + - name: stats_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: stats_server + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + virtual_hosts: + - name: admin_interface + domains: + - "*" + routes: + - match: + safe_regex: + google_re2: {} + regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' + headers: + - name: ':method' + exact_match: GET + route: + cluster: service_stats + clusters: + - name: service_stats + connect_timeout: 0.250s + type: static + load_assignment: + cluster_name: service_stats + endpoints: + lb_endpoints: + endpoint: + address: + pipe: + path: /tmp/envoy.admin + - name: xds_cluster + # This keepalive is recommended by envoy docs. 
+ # https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + connect_timeout: 1s + load_assignment: + cluster_name: xds_cluster + endpoints: + lb_endpoints: + endpoint: + address: + socket_address: + address: "net-kourier-controller.knative-serving" + port_value: 18000 + type: STRICT_DNS + admin: + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + address: + pipe: + path: /tmp/envoy.admin + layered_runtime: + layers: + - name: static-layer + static_layer: + envoy.reloadable_features.override_request_timeout_by_gateway_timeout: false + +--- +# Copyright 2021 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Specifies whether requests reaching the Kourier gateway + # in the context of services should be logged. Readiness + # probes etc. must be configured via the bootstrap config. + enable-service-access-logging: "true" + + # Specifies whether to use proxy-protocol in order to safely + # transport connection information such as a client's address + # across multiple layers of TCP proxies. + # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE + enable-proxy-protocol: "false" + + # The server certificates to serve the internal TLS traffic for Kourier Gateway. + # It is specified by the secret name in controller namespace, which has + # the "tls.crt" and "tls.key" data field. + # Use an empty value to disable the feature (default). + # + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + cluster-cert-secret: "" + + # Specifies the amount of time that Kourier waits for the incoming requests. + # The default, 0s, imposes no timeout at all. + stream-idle-timeout: "0s" + + # Control the desired level of incoming traffic isolation. 
+ # + # When set to an empty value (default), all incoming traffic flows through + # a shared ingress and listeners. + # + # When set to "port", incoming traffic is isolated by using different + # listener ports. + # + # NOTE: This flag is in an alpha state. + traffic-isolation: "" + + # Specifies whether to use CryptoMB private key provider in order to + # acclerate the TLS handshake. + # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE. + enable-cryptomb: "false" + + # Configures the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + trusted-hops-count: "0" + + # Specifies the cipher suites for TLS external listener. + # Use ',' separated values like "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305" + # The default uses the default cipher suites of the envoy version. + cipher-suites: "" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: net-kourier + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: net-kourier + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["pods", "endpoints", "services", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["networking.internal.knative.dev"] + resources: ["ingresses/status"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: net-kourier + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: net-kourier +subjects: + - kind: ServiceAccount + name: net-kourier + namespace: knative-serving + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: net-kourier-controller + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 100% + replicas: 1 + selector: + matchLabels: + app: net-kourier-controller + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + prometheus.io/path: "/metrics" + labels: + app: net-kourier-controller + spec: + containers: + - image: registry.cn-beijing.aliyuncs.com/cypress-boat/knative-kourier:v1.11 + name: controller + env: + - name: CERTS_SECRET_NAMESPACE + value: "" + - name: CERTS_SECRET_NAME + value: "" + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METRICS_DOMAIN + value: "knative.dev/samples" + - name: KOURIER_GATEWAY_NAMESPACE + value: "kourier-system" + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" + # KUBE_API_BURST and KUBE_API_QPS allows to configure maximum burst for throttle and maximum QPS to the server from the client. + # Setting these values using env vars is possible since https://github.com/knative/pkg/pull/2755. + # 200 is an arbitrary value, but it speeds up kourier startup duration, and the whole ingress reconciliation process as a whole. 
+ - name: KUBE_API_BURST + value: "200" + - name: KUBE_API_QPS + value: "200" + ports: + - name: http2-xds + containerPort: 18000 + protocol: TCP + readinessProbe: + grpc: + port: 18000 + periodSeconds: 10 + failureThreshold: 3 + livenessProbe: + grpc: + port: 18000 + periodSeconds: 10 + failureThreshold: 6 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + cpu: 500m + memory: 500Mi + restartPolicy: Always + serviceAccountName: net-kourier +--- +apiVersion: v1 +kind: Service +metadata: + name: net-kourier-controller + namespace: knative-serving + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + ports: + - name: grpc-xds + port: 18000 + protocol: TCP + targetPort: 18000 + selector: + app: net-kourier-controller + type: ClusterIP + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: 3scale-kourier-gateway + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 100% + selector: + matchLabels: + app: 3scale-kourier-gateway + template: + metadata: + labels: + app: 3scale-kourier-gateway + annotations: + # v0.26 supports envoy v3 API, so + # adding this label to restart pod. + networking.knative.dev/poke: "v0.26" + prometheus.io/scrape: "true" + prometheus.io/port: "9000" + prometheus.io/path: "/stats/prometheus" + spec: + containers: + - args: + - --base-id 1 + - -c /tmp/config/envoy-bootstrap.yaml + - --log-level info + command: + - /usr/local/bin/envoy + image: docker.io/envoyproxy/envoy:v1.24-latest + name: kourier-gateway + ports: + - name: http2-external + containerPort: 8080 + protocol: TCP + - name: http2-internal + containerPort: 8081 + protocol: TCP + - name: https-external + containerPort: 8443 + protocol: TCP + - name: http-probe + containerPort: 8090 + protocol: TCP + - name: https-probe + containerPort: 9443 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: config-volume + mountPath: /tmp/config + lifecycle: + preStop: + exec: + command: + [ + "/bin/sh", + "-c", + "curl -X POST --unix /tmp/envoy.admin http://localhost/healthcheck/fail; sleep 15", + ] + readinessProbe: + httpGet: + httpHeaders: + - name: Host + value: internalkourier + path: /ready + port: 8081 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 3 + livenessProbe: + httpGet: + httpHeaders: + - name: Host + value: internalkourier + 
path: /ready + port: 8081 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 6 + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + cpu: 500m + memory: 500Mi + volumes: + - name: config-volume + configMap: + name: kourier-bootstrap + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: 3scale-kourier-gateway + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: kourier-internal + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + ports: + - name: http2 + port: 80 + protocol: TCP + targetPort: 8081 + - name: https + port: 443 + protocol: TCP + targetPort: 8444 + selector: + app: 3scale-kourier-gateway + type: ClusterIP +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: 3scale-kourier-gateway + namespace: kourier-system + labels: + networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + minReplicas: 1 + maxReplicas: 10 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 3scale-kourier-gateway + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + # Percentage of the requested CPU + averageUtilization: 100 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: 3scale-kourier-gateway-pdb + namespace: kourier-system + labels: + 
networking.knative.dev/ingress-provider: kourier + app.kubernetes.io/component: net-kourier + app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/name: knative-serving +spec: + minAvailable: 80% + selector: + matchLabels: + app: 3scale-kourier-gateway + +--- +
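Review bot: The net-kourier-controller Deployment pulls `registry.cn-beijing.aliyuncs.com/cypress-boat/knative-kourier:v1.11`, a mutable tag on a third-party mirror, while every resource in the file is labelled `app.kubernetes.io/version: "1.11.1"`; the tag can be repointed at any time and nothing ties the running binary to the labelled release. The upstream Knative release manifest pins this image by digest, and the gateway's `docker.io/envoyproxy/envoy:v1.24-latest` is likewise a moving tag. Pin both with an immutable reference, e.g. `image: registry.cn-beijing.aliyuncs.com/cypress-boat/knative-kourier:v1.11@sha256:<digest-of-the-mirrored-1.11.1-image>`, and state in the commit message where the mirrored image was copied or built from so its provenance can be checked. The ClusterRole also grants `get/list/watch` on `secrets` cluster-wide; this is inherited from upstream and presumably serves the `cluster-cert-secret` / `CERTS_SECRET_*` settings visible in the same file, but it means the net-kourier ServiceAccount can read every Secret in the cluster and deserves a comment on the rule.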