apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: <service_name>
labels:
<label_name>: <label_value>
annotations:
<annotation_name>: <annotation_value>
...
Knative leverages OpenShift Container Platform TLS termination to provide routing for Knative services. When a Knative service is created, a OpenShift Container Platform route is automatically created for the service. This route is managed by the OpenShift Serverless Operator. The OpenShift Container Platform route exposes the Knative service through the same domain as the OpenShift Container Platform cluster.
You can disable Operator control of OpenShift Container Platform routing so that you can configure a Knative route to directly use your TLS certificates instead.
Knative routes can also be used alongside the OpenShift Container Platform route to provide additional fine-grained routing capabilities, such as traffic splitting.
OpenShift Container Platform routes support the use of custom labels and annotations, which you can configure by modifying the metadata
spec of a Knative service. Custom labels and annotations are propagated from the service to the Knative route, then to the Knative ingress, and finally to the OpenShift Container Platform route.
You must have the OpenShift Serverless Operator and Knative Serving installed on your OpenShift Container Platform cluster.
Install the OpenShift CLI (oc
).
Create a Knative service that contains the label or annotation that you want to propagate to the OpenShift Container Platform route:
To create a service by using YAML:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: <service_name>
labels:
<label_name>: <label_value>
annotations:
<annotation_name>: <annotation_value>
...
To create a service by using the Knative (kn
) CLI, enter:
kn
command$ kn service create <service_name> \
--image=<image> \
--annotation <annotation_name>=<annotation_value> \
--label <label_value>=<label_value>
Verify that the OpenShift Container Platform route has been created with the annotation or label that you added by inspecting the output from the following command:
$ oc get routes.route.openshift.io \
-l serving.knative.openshift.io/ingressName=<service_name> \ (1)
-l serving.knative.openshift.io/ingressNamespace=<service_namespace> \ (2)
-n knative-serving-ingress -o yaml \
| grep -e "<label_name>: \"<label_value>\"" -e "<annotation_name>: <annotation_value>" (3)
1 | Use the name of your service. |
2 | Use the namespace where your service was created. |
3 | Use your values for the label and annotation names and values. |
If you want to configure a Knative service to use your TLS certificate on OpenShift Container Platform, you must disable the automatic creation of a route for the service by the OpenShift Serverless Operator and instead manually create a route for the service.
When you complete the following procedure, the default OpenShift Container Platform route in the |
The OpenShift Serverless Operator and Knative Serving component must be installed on your OpenShift Container Platform cluster.
Install the OpenShift CLI (oc
).
Create a Knative service that includes the serving.knative.openshift.io/disableroute=true
annotation:
The |
Create a Knative Service
resource:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: <service_name>
annotations:
serving.knative.openshift.io/disableroute: "true"
spec:
template:
spec:
containers:
- image: <image>
...
Apply the Service
resource:
$ oc apply -f <filename>
Optional. Create a Knative service by using the kn service create
command:
kn
command$ kn service create <service_name> \
--image=gcr.io/knative-samples/helloworld-go \
--annotation serving.knative.openshift.io/disableroute=true
Verify that no OpenShift Container Platform route has been created for the service:
$ $ oc get routes.route.openshift.io \
-l serving.knative.openshift.io/ingressName=$KSERVICE_NAME \
-l serving.knative.openshift.io/ingressNamespace=$KSERVICE_NAMESPACE \
-n knative-serving-ingress
You will see the following output:
No resources found in knative-serving-ingress namespace.
Create a route
resource in the knative-serving-ingress
namespace:
apiVersion: route.openshift.io/v1
kind: route
metadata:
annotations:
haproxy.router.openshift.io/timeout: 600s (1)
name: <route_name> (2)
namespace: knative-serving-ingress (3)
spec:
host: <service_host> (4)
port:
targetPort: http2
to:
kind: Service
name: kourier
weight: 100
tls:
insecureEdgeTerminationPolicy: Allow
termination: edge (5)
key: |-
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
certificate: |-
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
caCertificate: |-
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE----
wildcardPolicy: None
1 | The timeout value for the OpenShift Container Platform route. You must set the same value as the max-revision-timeout-seconds setting (600s by default). |
2 | The name of the OpenShift Container Platform route. |
3 | The namespace for the OpenShift Container Platform route. This must be knative-serving-ingress . |
4 | The hostname for external access. You can set this to <service_name>-<service_namespace>.<domain> . |
5 | The certificates you want to use. Currently, only edge termination is supported. |
Apply the route
resource:
$ oc apply -f <filename>
By default, Knative services are published to a public IP address. Being published to a public IP address means that Knative services are public applications, and have a publicly accessible URL.
Publicly accessible URLs are accessible from outside of the cluster.
However, developers may need to build back-end services that are only be accessible from inside the cluster, known as private services.
Developers can label individual services in the cluster with the networking.knative.dev/visibility=cluster-local
label to make them private.
For OpenShift Serverless 1.15.0 and newer versions, the |
The OpenShift Serverless Operator and Knative Serving are installed on the cluster.
You have created a Knative service.
Set the visibility for your service by adding the networking.knative.dev/visibility=cluster-local
label:
$ oc label ksvc <service_name> networking.knative.dev/visibility=cluster-local
Check that the URL for your service is now in the format http://<service_name>.<namespace>.svc.cluster.local
, by entering the following command and reviewing the output:
$ oc get ksvc
NAME URL LATESTCREATED LATESTREADY READY REASON
hello http://hello.default.svc.cluster.local hello-tx2g7 hello-tx2g7 True