Using Service Mesh with OpenShift Serverless

Prerequisites
Using Service Mesh with OpenShift Serverless
Enabling sidecar injection for a Knative service

Using Service Mesh with OpenShift Serverless enables developers to configure additional networking and routing options that are not supported when using OpenShift Serverless with the default Kourier implementation. These options include setting custom domains, using TLS certificates, and using JSON Web Token authentication.

Prerequisites

Install the OpenShift Serverless Operator and Knative Serving.
Install Red Hat OpenShift Service Mesh. OpenShift Serverless is supported for use with both Red Hat OpenShift Service Mesh version 1.x and version 2.x.

Procedure

Add the namespaces that you would like to integrate with Service Mesh to the ServiceMeshMemberRoll object as members:
```
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
  namespace: istio-system
spec:
  members:
    - <namespace> (1)
```
1 A list of namespaces to be integrated with Service Mesh.

Adding sidecar injection to Pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

Create a network policy that permits traffic flow from Knative system pods to Knative services:

Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving namespace:
```
$ oc label namespace knative-serving serving.knative.openshift.io/system-namespace=true
```
Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving-ingress namespace:
```
$ oc label namespace knative-serving-ingress serving.knative.openshift.io/system-namespace=true
```

For each namespace that you would like to integrate with Service Mesh, copy the following NetworkPolicy resource into a YAML file:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-serving-system-namespace
  namespace: <namespace>
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          serving.knative.openshift.io/system-namespace: "true"
  podSelector: {}
  policyTypes:
  - Ingress

Apply the NetworkPolicy resource:
```
$ oc apply -f <filename>
```

Enabling sidecar injection for a Knative service

You can add an annotation to the Service resource YAML file to enable sidecar injection for a Knative service.

Procedure

Add the sidecar.istio.io/inject="true" annotation to the Service resource:

Example service resource

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: event-display
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true" (1)
    spec:
      containers:
      - image: quay.io/openshift-knative/knative-eventing-sources-event-display:latest
        name: container

1	Add the `sidecar.istio.io/inject="true"` annotation.

Apply the Service resource YAML file:
```
$ oc apply -f <filename>
```