Using Service Mesh with OpenShift Serverless enables developers to configure additional networking and routing options that are not supported when using OpenShift Serverless with the default Kourier implementation. These options include setting custom domains, using TLS certificates, and using JSON Web Token authentication.

Prerequisites

Using Service Mesh with OpenShift Serverless

Procedure
  1. Add the namespaces that you would like to integrate with Service Mesh to the ServiceMeshMemberRoll object as members:

    apiVersion: maistra.io/v1
    kind: ServiceMeshMemberRoll
    metadata:
      name: default
      namespace: istio-system
    spec:
      members:
        - <namespace> (1)
    1 A list of namespaces to be integrated with Service Mesh.

    Adding sidecar injection to Pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

  2. Create a network policy that permits traffic flow from Knative system pods to Knative services:

    1. Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving namespace:

      $ oc label namespace knative-serving serving.knative.openshift.io/system-namespace=true
    2. Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving-ingress namespace:

      $ oc label namespace knative-serving-ingress serving.knative.openshift.io/system-namespace=true
    3. For each namespace that you would like to integrate with Service Mesh, copy the following NetworkPolicy resource into a YAML file:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-serving-system-namespace
        namespace: <namespace>
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                serving.knative.openshift.io/system-namespace: "true"
        podSelector: {}
        policyTypes:
        - Ingress
    4. Apply the NetworkPolicy resource:

      $ oc apply -f <filename>

Enabling sidecar injection for a Knative service

You can add an annotation to the Service resource YAML file to enable sidecar injection for a Knative service.

Procedure
  1. Add the sidecar.istio.io/inject="true" annotation to the Service resource:

    Example service resource
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: event-display
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "true" (1)
        spec:
          containers:
          - image: quay.io/openshift-knative/knative-eventing-sources-event-display:latest
            name: container
    1 Add the sidecar.istio.io/inject="true" annotation.
  2. Apply the Service resource YAML file:

    $ oc apply -f <filename>