
The serving-operator incorrectly re-initializes knative-ingress-gateway configuration

Open chunlongliang-ibm opened this issue 6 years ago • 6 comments

I edit the gateway yaml to enable TLS

kubectl edit gateway -n knative-serving knative-ingress-gateway -o yaml

by adding

tls:
  mode: SIMPLE
  privateKey: /etc/istio/ingressgateway-certs/tls.key
  serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

However, after some time, the gateway configuration is reinitialized and my update is removed.

Steps to recreate the problem:

  1. Modify Gateway

oc edit gateway knative-ingress-gateway --namespace knative-serving

e.g.

BEFORE:

- hosts:
  - '*'
  port:
    name: https

AFTER:

- hosts:
  - 'test'
  port:
    name: https

  2. Restart one of serving pods

e.g.

oc delete pod -n knative-serving autoscaler-64c549bcf4-vnq6h

  3. Verify Gateway again

Modified Gateway is initialized (i.e., 'test' becomes "*" again).

chunlongliang-ibm avatar Sep 05 '19 04:09 chunlongliang-ibm
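
A drift check for the behaviour reported above, added here as an example and not part of the original thread or the serving-operator code: it compares the `https` server of a live Gateway against the intended hosts and TLS settings, so a silent reset by the operator is caught. The function name, the `DESIRED` structure, and the sample JSON (including the shape of the reset Gateway) are constructed for illustration.

```python
import json

# Desired "https" server: TLS values and the 'test' host are the ones quoted in the issue.
DESIRED = {
    "hosts": ["test"],
    "tls": {
        "mode": "SIMPLE",
        "privateKey": "/etc/istio/ingressgateway-certs/tls.key",
        "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
    },
}

# Constructed sample of `kubectl get gateway -n knative-serving
# knative-ingress-gateway -o json` after the operator has reset the Gateway.
RESET_GATEWAY = json.loads("""
{"kind": "Gateway",
 "metadata": {"name": "knative-ingress-gateway", "namespace": "knative-serving"},
 "spec": {"servers": [
   {"hosts": ["*"], "port": {"name": "http", "number": 80, "protocol": "HTTP"}},
   {"hosts": ["*"], "port": {"name": "https", "number": 443, "protocol": "HTTPS"}}
 ]}}
""")


def gateway_drift(gateway, desired, port_name="https"):
    """Compare the live server(s) for `port_name` with `desired`; return findings."""
    servers = [s for s in gateway.get("spec", {}).get("servers", [])
               if s.get("port", {}).get("name") == port_name]
    if not servers:
        return [f"no server with port name {port_name!r}"]
    findings = []
    for server in servers:
        if sorted(server.get("hosts", [])) != sorted(desired["hosts"]):
            findings.append(f"hosts {server.get('hosts')} != {desired['hosts']}")
        live_tls = server.get("tls")
        if live_tls is None:
            findings.append("tls block missing")
            continue
        for key, want in desired["tls"].items():
            if live_tls.get(key) != want:
                findings.append(f"tls.{key} is {live_tls.get(key)!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for line in gateway_drift(RESET_GATEWAY, DESIRED):
        print("DRIFT:", line)
```

Run against the real `-o json` output after each serving pod restart or operator reconcile; an empty list means the TLS edit is still in place.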

In the case of overriding the selector on the Gateway, a means is provided as part of the KnativeServing custom resource spec. Would a similar capability be useful here? Or a means to indicate that the operator shouldn't alter the gateway?

It seems challenging to provide consistent/reliable behavior while supporting both manual overrides to the Gateway and overrides configured inside the KnativeServing resource.

garron avatar Sep 05 '19 18:09 garron

@chunlongliang-ibm Is this config platform-specific, or your personal customization of your cluster?

You have a discussion going on with platform-specific configurations at https://github.com/knative/serving-operator/issues/122. There are multiple options as candidates to implement. A mutating webhook is one of them.

houshengbo avatar Sep 06 '19 20:09 houshengbo

@houshengbo I deploy Knative Serving with serving-operator in OpenShift (OKD), and I also need TLS enabled (and I follow the instructions to modify the gateway configuration in https://github.com/knative/docs/blob/master/docs/serving/using-a-tls-cert.md). I think it is OK for my use case if the serving operator implementation has an option to edit the gateway configuration.

chunlongliang-ibm avatar Sep 09 '19 14:09 chunlongliang-ibm

@chunlongliang-ibm I guess I found a better solution to the case of knative-ingress-gateway config.

As you can see here: https://github.com/knative/serving-operator/blob/master/config/crds/serving_v1alpha1_knativeserving_crd.yaml#L54

knative-ingress-gateway is a valid property in the CRD, so when you apply the CR, you can configure your knative-ingress-gateway in the CR before applying it. Then knative-ingress-gateway will be propagated into your environment.

houshengbo avatar Sep 17 '19 16:09 houshengbo

It seems that we can configure the "selector" but not the "servers" config of knative-ingress-gateway.

ghost avatar Jan 20 '20 09:01 ghost

https://github.com/knative/serving-operator/issues/302 might be the solution for this ticket.

aliok avatar Mar 02 '20 11:03 aliok