From 1f9f55c0ff32b7689d00f1bd726588c14756c88a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Br=C3=BCder=2C=20Lena?=
Date: Tue, 18 May 2021 13:56:39 +0200
Subject: [PATCH] docs about usage of internal services in an "api-gateway" access model

---
 .../samples/knative-routing-go/index.md | 35 +++++++++++
 .../knative-routing-go/routing-internal.yaml | 59 +++++++++++++++++++
 .../samples/knative-routing-go/routing.yaml | 2 +-
 3 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 docs/serving/samples/knative-routing-go/routing-internal.yaml

diff --git a/docs/serving/samples/knative-routing-go/index.md b/docs/serving/samples/knative-routing-go/index.md
index 4152ebbf60f..a001f7db3fa 100644
--- a/docs/serving/samples/knative-routing-go/index.md
+++ b/docs/serving/samples/knative-routing-go/index.md
@@ -260,6 +260,41 @@ The Gateway proxy checks the updated host, and forwards it to `Search` or
 
 ![Object model](./images/knative-routing-sample-flow.png)
 
+## Using internal services and `"httpProtocol": "Redirected"`
+
+Using the above approach, services will be available using two entrypoints into the cluster:
+The original ones provided by Knative Serving (`search-service.default.example.com` and `login-service.default.example.com`),
+as well as the additional entrypoints `example.com/search` and `example.com/login`
+provided by the manually added VirtualService (`entry-route`).
+
+To make sure your service can only be reached via the manually created
+VirtualService, you can add the label `networking.knative.dev/visibility: cluster-local`
+to the Knative Service definitions, and route traffic over
+`knative-local-gateway.istio-system.svc.cluster.local` with a destination address of an internal service,
+instead of the public ingress one at `istio-ingressgateway.istio-system.svc.cluster.local`
+with a destination address of an externally available service.
+
+Using
+
+```
+kubectl label kservice search-service login-service networking.knative.dev/visibility=cluster-local
+```
+
+you label the services as an cluster-local services, removing access via `search-service.default.example.com`
+and `login-service.default.example.com`. After doing so, your previous routing rule will not be routable anymore.
+Running
+
+```
+kubectl apply --filename docs/serving/samples/knative-routing-go/routing-internal.yaml
+```
+
+will replace the custom routing rule with one that uses the `knative-local-gateway`, enabling access
+via `example.com/search` and `example.com/login` again.
+
+With these changes, you can also use [the `autoTLS` feature](../../using-auto-tls.md) in combination with the global setting
+`"httpProtocol": "Redirected"`, which would otherwise try to redirect the `entry-route`
+VirtualService requests from HTTP to HTTPS, failing the request.
+
 ## Clean Up
 
 To clean up the sample resources:
diff --git a/docs/serving/samples/knative-routing-go/routing-internal.yaml b/docs/serving/samples/knative-routing-go/routing-internal.yaml
new file mode 100644
index 00000000000..c283fcbd267
--- /dev/null
+++ b/docs/serving/samples/knative-routing-go/routing-internal.yaml
@@ -0,0 +1,59 @@
+# Copyright 2018 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: entry-route
+ namespace: default
+spec:
+ # This is the gateway shared in knative service mesh.
+ gateways:
+ - knative-ingress-gateway.knative-serving.svc.cluster.local
+ # Set host to the domain name that you own.
+ hosts:
+ - example.com
+ http:
+ - match:
+ - uri:
+ prefix: "/search"
+ rewrite:
+ # Rewrite the original host header to the host header of Search service
+ # in order to redirect requests to Search service.
+ authority: search-service.default.svc.cluster.local
+ route:
+ # Basically here we redirect the request to the internal gateway with
+ # updated header "search-service.default.svc.cluster.local" so the request will
+ # eventually be directed to Search service.
+ - destination:
+ host: knative-local-gateway.istio-system.svc.cluster.local
+ port:
+ number: 80
+ weight: 100
+ - match:
+ - uri:
+ prefix: "/login"
+ rewrite:
+ # Rewrite the original host header to the host header of Search service
+ # in order to redirect requests to Search service.
+ authority: login-service.default.svc.cluster.local
+ route:
+ # Basically here we redirect the request to the internal gateway with
+ # updated header "login-service.default.svc.cluster.local" so the request will
+ # eventually be directed to Login service.
+ - destination:
+ host: knative-local-gateway.istio-system.svc.cluster.local
+ port:
+ number: 80
+ weight: 100
diff --git a/docs/serving/samples/knative-routing-go/routing.yaml b/docs/serving/samples/knative-routing-go/routing.yaml
index f4bbfef6af3..a5858abde73 100644
--- a/docs/serving/samples/knative-routing-go/routing.yaml
+++ b/docs/serving/samples/knative-routing-go/routing.yaml
@@ -51,7 +51,7 @@ spec:
 route:
 # Basically here we redirect the request to the cluster entry again with
 # updated header "login-service.default.example.com" so the request will
- # eventually be directed to LOgin service.
+ # eventually be directed to Login service.
 - destination:
 host: istio-ingressgateway.istio-system.svc.cluster.local
 port:
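Review bot: In the new routing-internal.yaml, the comment above the `/login` rewrite was copied from the `/search` rule and still names the Search service twice, although the rule sets `authority: login-service.default.svc.cluster.local`; it should read `# Rewrite the original host header to the host header of Login service` and `# in order to redirect requests to Login service.` Accuracy matters here because, as the accompanying docs describe, once the services are labelled cluster-local these `authority` rewrites are what map a public path on `example.com` onto an internal service behind `knative-local-gateway`. I would also add a comment at the top of `spec` saying so, for example `# Each match below publishes a cluster-local service on the public gateway; list only paths meant to be public.` As far as I can tell `prefix: "/search"` is a plain string prefix, so longer paths that merely start with `/search` or `/login` are presumably forwarded too, which is worth a short note for readers who adapt the sample.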