Setting up knative
source link: https://willschenk.com/articles/2021/setting_up_knative/
Published November 29, 2021 #kubernetes, #helm, #knative
Let's walk through how to set up a Kubernetes cluster on DigitalOcean with knative.
Digital Ocean
Start the cluster
Install and configure the doctl tool, then set up a cluster:
doctl kubernetes cluster create gratitude \
--auto-upgrade \
"--node-pool=name=default;min-nodes=1;max-nodes=10;size=s-4vcpu-8gb;auto-scale=true"
Once that's in place, make sure that you have a domain, in my case gitgratitude.com:
doctl compute domain create gitgratitude.com
Installing knative
We are going to use the knative operator to set up the install. For this post, we will only be using serving.
Operator
kubectl apply -f https://github.com/knative/operator/releases/download/knative-v1.0.0/operator.yaml
Check status:
kubectl get deployment knative-operator
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
knative-operator   1/1     1            1           24h
Serving
We will now tell the operator to deploy knative serving, use kourier as the ingress, and set our domain to gitgratitude.com. Put this in serving.yaml:
apiVersion: v1
kind: Namespace
metadata:
  name: knative-serving
---
apiVersion: operator.knative.dev/v1alpha1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  ingress:
    kourier:
      enabled: true
  config:
    network:
      ingress.class: "kourier.ingress.networking.knative.dev"
    domain:
      gitgratitude.com: ""
kubectl apply -f serving.yaml
namespace/knative-serving configured
knativeserving.operator.knative.dev/knative-serving configured
And to see what the status of the deployment is:
kubectl get deployment -n knative-serving
Add default domain
Let's add the default domain for serving as well.
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.0.0/serving-default-domain.yaml
job.batch/default-domain created
service/default-domain-service created
Add the certmanager-controller. This tells knative to use cert-manager when services get created or deleted:
kubectl apply --filename https://github.com/knative/net-certmanager/releases/download/knative-v1.0.0/release.yaml
Set the cert-manager config map in cert-config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-certmanager
  namespace: knative-serving
  labels:
    networking.knative.dev/certificate-provider: cert-manager
data:
  issuerRef: |
    kind: ClusterIssuer
    name: letsencrypt-staging
kubectl apply -f cert-config.yaml
configmap/config-certmanager configured
Add revision garbage collection in gc.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-gc
  namespace: knative-serving
data:
  max-non-active-revisions: "1"
  retain-since-create-time: "disabled"
  retain-since-last-active-time: "disabled"
kubectl apply -f gc.yaml
configmap/config-gc configured
Install cert-manager
Install the helm package:
helm repo add jetstack https://charts.jetstack.io
helm upgrade --install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.6.0 \
--set installCRDs=true
Configure Let's Encrypt
Create certs.yaml to define how we interact with Let's Encrypt. I'm going to use the HTTP challenge here. Also replace [email protected] with your email address.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: staging-issuer-account-key
    # Add a single challenge solver, HTTP01 using the istio ingress class
    solvers:
      - http01:
          ingress:
            class: istio #.ingress.networking.knative.dev
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: prod-issuer-account-key
    # Add a single challenge solver, HTTP01 using the istio ingress class
    solvers:
      - http01:
          ingress:
            class: istio #.ingress.networking.knative.dev
Then apply it:
kubectl apply -f certs.yaml
Set the domain
My domain is gitgratitude.com; you should use yours. Check above where we set up knative-serving.
Turn on auto-tls and autocreate-cluster-domain-claims:
kubectl patch configmap config-network --namespace knative-serving -p '{"data":{"auto-tls":"Enabled","autocreate-cluster-domain-claims":"true"}}'
configmap/config-network patched (no change)
Get the IP
kubectl --namespace knative-serving get service kourier -o json| jq ".status.loadBalancer.ingress[0].ip"
"143.244.212.121"
doctl compute domain records create gitgratitude.com --record-type A --record-data 143.244.212.121 --record-name default
ID           Type   Name      Data               Priority   Port   TTL    Weight
280306756    A      default   143.244.212.121    0          0      1800   0
Then set up a wildcard CNAME to point to the root.
doctl compute domain records create gitgratitude.com --record-type CNAME --record-data default\. --record-name \*.default
ID           Type    Name        Data                        Priority   Port   TTL    Weight
280306923    CNAME   *.default   default.gitgratitude.com    0          0      1800   0
Testing out a simple service
kn service create helloworld-go --image gcr.io/knative-samples/helloworld-go
Creating service 'helloworld-go' in namespace 'default':

  0.036s The Route is still working to reflect the latest desired specification.
  0.064s Configuration "helloworld-go" is waiting for a Revision to become ready.
  0.099s ...
 17.273s ...
 17.343s Ingress has not yet been reconciled.
 17.416s Waiting for load balancer to be ready
 17.628s Ready to serve.

Service 'helloworld-go' created to latest revision 'helloworld-go-00001' is available at URL:
http://helloworld-go.default.gitgratitude.com
And you should be able to hit your function now.
curl -k http://helloworld-go.default.gitgratitude.com
Hello GitHub!
Look to see if a TLS endpoint has been added:
kn service ls
NAME            URL                                              LATEST                AGE    CONDITIONS   READY   REASON
helloworld-go   https://helloworld-go.default.gitgratitude.com   helloworld-go-00001   114s   3 OK / 3     True
Look at the certificates
kubectl get certificates
NAME                                         READY   SECRET                                       AGE
route-7bbf3267-6eb1-4516-bbb8-e65d81e0b968   True    route-7bbf3267-6eb1-4516-bbb8-e65d81e0b968   62s
curl --insecure -vvI https://helloworld-go.default.gitgratitude.com 2>&1 | \
awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=helloworld-go.default.gitgratitude.com
* start date: Dec 7 10:28:31 2021 GMT
* expire date: Mar 7 10:28:30 2022 GMT
* issuer: C=US; O=(STAGING) Let's Encrypt; CN=(STAGING) Artificial Apricot R3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x120012a00)
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
* Connection #0 to host helloworld-go.default.gitgratitude.com left intact
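A check worth running on that curl output, as an added example that is not part of the original post: the config-certmanager ConfigMap above points at the letsencrypt-staging issuer, whose certificates browsers do not trust (hence curl's "unable to get local issuer certificate" line), so before sending real traffic to a route it helps to gate on the handshake text until the issuerRef has been switched to the letsencrypt-prod issuer that certs.yaml also defines. The cert_field, issuer_class, chain_verified and ready_for_prod helpers and both handshake samples are assumptions constructed for this example.

```shell
# Added example, not code from the original post: classify the handshake text
# that the curl/awk pipeline above prints, so a route can be gated on having a
# production-issued, verifiable certificate before it is exposed. Samples are
# constructed from the post's helloworld-go run (CN and dates are its values).
STAGING_SAMPLE="* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* Server certificate:
* subject: CN=helloworld-go.default.gitgratitude.com
* start date: Dec 7 10:28:31 2021 GMT
* expire date: Mar 7 10:28:30 2022 GMT
* issuer: C=US; O=(STAGING) Let's Encrypt; CN=(STAGING) Artificial Apricot R3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway."

# Same route after switching the issuerRef to letsencrypt-prod (constructed).
PROD_SAMPLE="* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* Server certificate:
* subject: CN=helloworld-go.default.gitgratitude.com
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok."

# cert_field LABEL: print the value after "* LABEL:" from handshake text on stdin.
cert_field() {
  awk -v key="$1" '$0 ~ ("^\\*[ ]+" key ":") { sub(/^[^:]*:[ ]*/, ""); print; exit }'
}

# issuer_class TEXT: staging, production or unknown, judged from the issuer line.
issuer_class() {
  case "$(printf '%s\n' "$1" | cert_field issuer)" in
    *"(STAGING)"*)     echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo unknown ;;
  esac
}

# chain_verified TEXT: true only when curl itself verified the chain.
chain_verified() {
  printf '%s\n' "$1" | grep -q '^\*[ ]*SSL certificate verify ok'
}

# ready_for_prod HOST TEXT: 0 only for a production-issued, verified cert whose CN is HOST.
ready_for_prod() {
  host=$1 text=$2
  [ "$(issuer_class "$text")" = production ] || { echo "issuer is not production" >&2; return 1; }
  chain_verified "$text" || { echo "chain did not verify" >&2; return 1; }
  [ "$(printf '%s\n' "$text" | cert_field subject)" = "CN=$host" ] || { echo "CN mismatch" >&2; return 1; }
}

# Stand-alone run against the staging sample (the reason is printed on stderr).
ready_for_prod helloworld-go.default.gitgratitude.com "$STAGING_SAMPLE" || echo "route is NOT ready"
```

Pipe the real output of the curl command above into the same helpers by replacing the constructed samples with `$(curl --insecure -vvI https://... 2>&1)`.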