Installing Knative Serving on AWS EKS and running it over HTTPS

Published 2022/06/26

1. Install Knative Serving on Kubernetes

https://knative.dev/docs/install/yaml-install/serving/install-serving-with-yaml/

kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.5.0/serving-crds.yaml

kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.5.0/serving-core.yaml

2. Install the Knative networking layer

https://knative.dev/docs/install/yaml-install/serving/install-serving-with-yaml/#install-a-networking-layer

kubectl apply -f https://github.com/knative/net-kourier/releases/download/knative-v1.5.0/kourier.yaml

kubectl patch configmap/config-network \
  --namespace knative-serving \
  --type merge \
  --patch '{"data":{"ingress-class":"kourier.ingress.networking.knative.dev"}}'

3. Configure DNS

https://knative.dev/docs/install/yaml-install/serving/install-serving-with-yaml/#configure-dns

kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.5.0/serving-default-domain.yaml

4. Register a custom domain

https://knative.dev/docs/serving/using-a-custom-domain

kubectl edit configmap config-domain -n knative-serving
apiVersion: v1
data:
  mydomain.com: ""
kind: ConfigMap
[...]

5. Connect to a Knative service through the custom domain

https://knative.dev/docs/serving/services/custom-domains/#prerequisites

kubectl apply -f service.yaml

kubectl apply -f cluster-domain.yaml

kubectl apply -f domain-mapping.yaml
# (the tls setting must be commented out at this point)

7. Enable HTTPS (dns01 challenge)

https://cert-manager.io/docs/installation/kubectl/#installing-with-regular-manifests

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.yaml

https://cert-manager.io/docs/configuration/acme/dns01/route53/

Reference: creating credentials for Route 53
https://voyagermesh.com/docs/v11.0.0/guides/cert-manager/dns01_challenge/aws-route53/

kubectl create secret generic route53-secret --from-literal=secret-access-key="< secret_access_key >" -n cert-manager

Required information
# access_key_id=*******************
# secret_access_key=********************
# hosted_zone_id=*********************

Create and apply the ClusterIssuer

kubectl apply -f cluster-issuer.yaml

Install net-certmanager-controller

kubectl apply -f https://github.com/knative/net-certmanager/releases/download/knative-v1.5.0/release.yaml

Edit the cert-manager ConfigMap

https://knative.dev/docs/serving/using-auto-tls/#configure-config-certmanager-configmap

kubectl edit configmap config-certmanager -n knative-serving
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-certmanager
  namespace: knative-serving
  labels:
    networking.knative.dev/certificate-provider: cert-manager
data:
  issuerRef: |
    kind: ClusterIssuer
    name: < issuer-name >

Turn on auto TLS and Redirect

https://knative.dev/docs/serving/using-auto-tls/#turn-on-auto-tls

kubectl edit configmap config-network -n knative-serving
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
   ...
   auto-tls: Enabled
   http-protocol: Redirected
   ...

Enable the tls setting on each service

kubectl apply -f domain-mapping.yaml

warning

Be careful with the namespace of the secret (it did not work unless I specified cert-manager instead of default).
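
The page applies cluster-issuer.yaml without showing it. The manifest below is an added example, not the author's file, of a ClusterIssuer for the Route 53 dns01 challenge that reads the route53-secret created above. The issuer name, e-mail address, region and ACME server are assumptions, and the angle-bracket values are placeholders for the "required information" listed earlier.

```yaml
# Added example (not from the original page): ClusterIssuer using the
# Route 53 dns01 solver from cert-manager.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # Assumed name; it must match the value set for "name: < issuer-name >"
  # in the config-certmanager ConfigMap.
  name: letsencrypt-dns01
spec:
  acme:
    # Assumption: Let's Encrypt production endpoint.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Assumed contact address for the ACME account.
    email: admin@mydomain.com
    # Secret in which cert-manager stores the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - selector:
          # Only solve for the custom domain registered in config-domain.
          dnsZones:
            - mydomain.com
        dns01:
          route53:
            region: us-east-1                 # assumed region
            hostedZoneID: <hosted_zone_id>    # placeholder
            accessKeyID: <access_key_id>      # placeholder
            # Only the secret access key lives in a Secret. A ClusterIssuer
            # is cluster-scoped, so cert-manager looks this Secret up in its
            # cluster resource namespace, which is "cert-manager" unless the
            # controller was started with another value. A Secret created in
            # "default" is not found.
            secretAccessKeySecretRef:
              name: route53-secret
              key: secret-access-key
```

After applying it, `kubectl describe clusterissuer letsencrypt-dns01` shows whether the ACME account registered and the issuer is Ready.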
