Knative Serving

A Carvel package for Knative Serving, a solution built on Kubernetes to support deploying and serving of applications and functions as serverless containers.

🚀  Getting Started

Prerequisites

• Kubernetes 1.29+

• Carvel kctrl CLI.

• Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel kapp (recommended choice) or kubectl.

  kapp deploy -a kapp-controller -y \
    -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml

Dependencies

Knative Serving requires cert-manager and the Contour ingress controller. You can install them from the Kadras package repository.

Installation

Add the Kadras package repository to your Kubernetes cluster:

kctrl package repository add -r kadras-packages \
  --url ghcr.io/kadras-io/kadras-packages \
  -n kadras-system --create-namespace

Installation without package repository

The recommended way of installing the Knative Serving package is via the Kadras package repository. If you prefer not using the repository, you can add the package definition directly using kapp or kubectl.

kubectl create namespace kadras-system
kapp deploy -a knative-serving-package -n kadras-system -y \
  -f https://github.com/kadras-io/package-for-knative-serving/releases/latest/download/metadata.yml \
  -f https://github.com/kadras-io/package-for-knative-serving/releases/latest/download/package.yml

Install the Knative Serving package:

kctrl package install -i knative-serving \
  -p knative-serving.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system

Note You can find the ${VERSION} value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.

kctrl package available list -p knative-serving.packages.kadras.io -n kadras-system

Verify the installed packages and their status:

kctrl package installed list -n kadras-system

📙  Documentation

Documentation, tutorials and examples for this package are available in the docs folder. For documentation specific to Knative Serving, check out knative.dev.

🎯  Configuration

The Knative Serving package can be customized via a values.yml file.

domain_name: labs.thomasvitale.com
ingress_issuer: letsencrypt-issuer

Reference the values.yml file from the kctrl command when installing or upgrading the package.

kctrl package install -i knative-serving \
  -p knative-serving.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system \
  --values-file values.yml

Values

The Knative Serving package has the following configurable properties.

Configurable properties

Config	Default	Description
ca_cert_data	""	PEM-encoded certificate data to trust TLS connections with a custom CA.
policies.include	false	Whether to include the out-of-the-box Kyverno policies to validate and secure the package installation.
domain_name	""	Domain name for Knative Services. It must be a valid DNS name.
ingress_issuer	""	A reference to the ClusterIssuer to use if you want to enable autoTLS.

Settings for the Knative Serving workloads.

Config	Default	Description
workloads.activator.minReplicas	1	The minimum number of replicas as controlled by a HorizontalPodAutoscaler. In order to enable high availability, it should be greater than 1.
workloads.autoscaler.replicas	1	The number of replicas for this Deployment. In order to enable high availability, it should be greater than 1.
workloads.controller.replicas	1	The number of replicas for this Deployment. In order to enable high availability, it should be greater than 1.
workloads.webhook.minReplicas	1	The minimum number of replicas as controlled by a HorizontalPodAutoscaler. In order to enable high availability, it should be greater than 1.

Configuration stored in the config-deployment ConfigMap.

Config	Default	Description
config.deployment.progress-deadline	600s	The duration to wait for the deployment to be ready before considering it failed.
config.deployment.queue-sidecar-cpu-request	25m	The queue proxy's CPU request. If omitted, a default value (currently '25m'), is used.
config.deployment.queue-sidecar-cpu-limit	1000m	The queue proxy's CPU limit. If omitted, a default value (currently 1000m), is used when queueproxy.resource-defaults is set to Enabled.
config.deployment.queue-sidecar-memory-request	50Mi	The queue proxy's memory request. If omitted, a default value (currently 400Mi), is used when queueproxy.resource-defaults is set to Enabled.
config.deployment.queue-sidecar-memory-limit	200Mi	The queue proxy's memory limit. If omitted, a default value (currently 800Mi), is used when queueproxy.resource-defaults is set to Enabled.

Configuration stored in the config-network ConfigMap.

Config	Default	Description
config.network.namespace-wildcard-cert-selector	""	A LabelSelector which determines which namespaces should have a wildcard certificate provisioned.
config.network.domain-template	{{.Name}}.{{.Namespace}}.{{.Domain}}	The golang text template string to use when constructing the Knative Service's DNS name.
config.network.http-protocol	Redirected	Controls the behavior of the HTTP endpoint for the Knative ingress. Enabled: The Knative ingress will be able to serve HTTP connection. Redirected: The Knative ingress will send a 301 redirect for all http connections, asking the clients to use HTTPS.
config.network.default-external-scheme	http	Defines the scheme used for external URLs if autoTLS is not enabled. This can be used for making Knative report all URLs as https, for example, if you're fronting Knative with an external loadbalancer that deals with TLS termination and Knative doesn't know about that otherwise.
config.network.rollout-duration	0	The minimal duration in seconds over which the Configuration traffic targets are rolled out to the newest revision.

Configuration stored in the config-tracing ConfigMap.

Config	Default	Description
config.tracing.backend	none	The type of distributed tracing backend. Options: none, zipkin.
config.tracing.zipkin-endpoint	http://tempo.observability-system.svc.cluster.local:9411/api/v2/spans	The Zipkin collector endpoint where traces are sent.
config.tracing.debug	false	Enable the Zipkin debug mode. This allows all spans to be sent to the server bypassing sampling.
config.tracing.sample-rate	0.1	The percentage (0-1) of requests to trace.

Settings for the Ingress controller.

Config	Default	Description
ingress.contour.default-tls-secret	""	If auto-TLS is disabled, fallback to this certificate. An operator is required to setup a TLSCertificateDelegation for this Secret to be used.
ingress.contour.external.namespace	projectcontour	The namespace where the external Ingress controller is installed.
ingress.contour.internal.namespace	projectcontour	The namespace where the internal Ingress controller is installed.

Settings for the corporate proxy.

Config	Default	Description
proxy.http_proxy	""	The HTTP proxy to use for network traffic.
proxy.https_proxy	""	The HTTPS proxy to use for network traffic.
proxy.no_proxy	""	A comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use a proxy.

🛡️  Security

The security process for reporting vulnerabilities is described in SECURITY.md.

🖊️  License

This project is licensed under the Apache License 2.0. See LICENSE for more information.

🙏  Acknowledgments

This package is inspired by the original Knative Serving package used in the Tanzu Community Edition project before its retirement.