feat(workflow): add gateway docs

duanhongyi · duanhongyi · commit a8939a078c92 · 2023-05-06T15:27:28.000+08:00
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ This repository contains the source code for Drycc Workflow documentation. If yo
 
 Please see below for links and descriptions of each component:
 
+- [gateway](https://github.com/drycc/gateway) - Workflow gateway charts
 - [passport](https://github.com/drycc/passport) - Workflow single sign on system
 - [controller](https://github.com/drycc/controller) - Workflow API server
 - [builder](https://github.com/drycc/builder) - Git server and source-to-image component
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -17,7 +17,7 @@ nav:
     - Components: understanding-workflow/components.md
   - Installing To Kubenetes:
     - System Requirements: installing-workflow/system-requirements.md
-    - Installing Ingress: installing-workflow/ingress.md
+    - Installing Gateway: installing-workflow/gateway.md
     - Installing Workflow: installing-workflow/index.md
     - Configuring Object Storage: installing-workflow/configuring-object-storage.md
     - Configuring Postgres: installing-workflow/configuring-postgres.md
@@ -35,6 +35,7 @@ nav:
     - Managing App Configuration: applications/managing-app-configuration.md
     - Managing App Lifecycle: applications/managing-app-lifecycle.md
     - Managing App Volumes: applications/managing-app-volumes.md
+    - Managing App Gateway: applications/managing-app-gateway.md
     - Managing App Resources: applications/managing-app-resources.md
     - Inter-app Communication: applications/inter-app-communication.md
     - Resource Limits: applications/managing-resource-limits.md
diff --git a/src/applications/managing-app-gateway.md b/src/applications/managing-app-gateway.md
@@ -0,0 +1,15 @@
+# About gateway for an Application
+
+A Gateway describes how traffic can be translated to Services within the cluster. That is, it defines a request for a way to translate traffic from somewhere that does not know about Kubernetes to somewhere that does. For example, traffic sent to a Kubernetes Service by a cloud load balancer, an in-cluster proxy, or an external hardware load balancer. While many use cases have client traffic originating “outside” the cluster, this is not a requirement.
+
+## Create Gateway for an Application
+
+Gateway is a way of exposing services externally, which generates an external IP address to connect route and service.
+
+## Create service for an Application
+
+Service is a way of exposing services internally, creating a service generates an internal DNS that can access `procfile_type`.
+
+## Create Route for an Application
+
+A Gateway may be attached to one or more Route references which serve to direct traffic for a subset of traffic to a specific service.
diff --git a/src/applications/ssl-certificates.md b/src/applications/ssl-certificates.md
@@ -196,6 +196,6 @@ remove the certificate from Drycc and re-run the `certs:add` command.
 
 [RapidSSL]: https://www.rapidssl.com/
 [buy an SSL certificate with RapidSSL]: https://www.rapidssl.com/buy-ssl/
-[platform-ssl]: https://kubernetes.io/docs/concepts/services-networking/ingress/
+[platform-ssl]: https://gateway-api.sigs.k8s.io/guides/tls/
 [root CAs]: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
 [intermediary certificates]: http://en.wikipedia.org/wiki/Intermediate_certificate_authorities
diff --git a/src/installing-workflow/gateway.md b/src/installing-workflow/gateway.md
@@ -1,13 +1,13 @@
-# Specify Ingress
+# Specify Gateway
 
-## Install Drycc Workflow (Specify ingress)
+## Install Drycc Workflow (Specify gateway)
 
-Now that Helm is installed and the repository has been added, install Workflow with a native ingress by running:
+Now that Helm is installed and the repository has been added, install Workflow with a native gateway by running:
 
 ```
 $ helm install drycc oci://registry.drycc.cc/charts/workflow \
     --namespace drycc \
-    --set global.ingressClass=nginx \
+    --set global.gatewayClass=istio \
     --set global.platformDomain=drycc.cc \
     --set builder.service.type=LoadBalancer
 ```
@@ -16,7 +16,7 @@ Of course, if you deploy it on a bare machine, you probably do not have Load Bal
 ```
 $ helm install drycc oci://registry.drycc.cc/charts/workflow \
     --namespace drycc \
-    --set global.ingressClass=nginx \
+    --set global.gatewayClass=istio \
     --set global.platformDomain=drycc.cc \
     --set builder.service.type=NodePort \
     --set builder.service.nodePort=32222
@@ -33,10 +33,10 @@ Wait for the pods that Helm launched to be ready. Monitor their status by runnin
 $ kubectl --namespace=drycc get pods
 ```
 
-You should also notice that several Kubernetes ingresses has been installed on your cluster. You can view it by running:
+You should also notice that several Kubernetes gatewayclass has been installed on your cluster. You can view it by running:
 
 ```
-$ kubectl get ingress --namespace drycc
+$ kubectl get gatewayclass --namespace drycc
 ```
 
 Depending on the order in which the Workflow components initialize, some pods may restart. This is common during the
@@ -55,44 +55,46 @@ drycc-database-rad1o           1/1       Running   0          5m
 drycc-logger-fluentd-1v8uk     1/1       Running   0          5m
 drycc-logger-fluentd-esm60     1/1       Running   0          5m
 drycc-logger-sm8b3             1/1       Running   0          5m
-drycc-storage-4ww3t              1/1       Running   0          5m
+drycc-storage-4ww3t            1/1       Running   0          5m
 drycc-registry-asozo           1/1       Running   1          5m
 drycc-rabbitmq-0               1/1       Running   0          5m
 ```
 
-## Install a Kubernetes Ingress Controller
+## Install a Kubernetes Gateway
 
-Now that Workflow has been deployed with the `global.ingressClass` , we will need a Kubernetes ingress controller in place to begin routing traffic.
+Now that Workflow has been deployed with the `global.gatewayClass` , we will need a Kubernetes gateway in place to begin routing traffic.
 
-Here is an example of how to use [traefik](https://traefik.io/) as an ingress controller for Workflow. Of course, you are welcome to use any controller you wish.
+Here is an example of how to use [istio](https://istio.io/) as an gateway for Workflow. Of course, you are welcome to use any controller you wish.
 
 ```
-$ helm install traefik oci://registry.drycc.cc/charts/traefik \
-    --name ingress \
-    --namespace kube-system \
-    --set ssl.enabled=true
+$ helm repo add istio https://istio-release.storage.googleapis.com/charts
+$ helm repo update
+$ kubectl create namespace istio-system
+$ helm install istio-base istio/base -n istio-system
+$ helm install istiod istio/istiod -n istio-system --wait
+$ kubectl create namespace istio-ingress
+$ helm install istio-ingress istio/gateway -n istio-ingress --wait
 ```
 
 ## Configure DNS
 
-User must to set up a hostname, and assumes the `*.$host` convention.
+User must install [drycc](../quickstart/install-workflow.md) and then set up a hostname, and assumes the `*.$host` convention.
 
-We need to point the `*.$host` record to the public IP address of your ingress controller. You can get the public IP using the following command. A wildcard entry is necessary here as apps will use the same rule after they are deployed.
+We need to point the `*.$host` record to the public IP address of your gateway. You can get the public IP using the following command. A wildcard entry is necessary here as apps will use the same rule after they are deployed.
 
 ```
-$ kubectl get svc ingress-traefik --namespace kube-system
-NAME              CLUSTER-IP   EXTERNAL-IP      PORT(S)                      AGE
-ingress-traefik   10.0.25.3    138.91.243.152   80:31625/TCP,443:30871/TCP   33m
+$ kubectl get gateway --namespace drycc
+NAME      CLASS   ADDRESS         PROGRAMMED   AGE
+gateway   istio   138.91.243.152  True         36d
 ```
 
-
 If we were using `drycc.cc` as a hostname, we would need to create the following A DNS records.
 
 | Name                         | Type          | Value          |
 | ---------------------------- |:-------------:| --------------:|
 | *.drycc.cc                   | A             | 138.91.243.152 |
 
-Once all of the pods are in the `READY` state, and `*.$host` resolves to the external IP found above, the preparation of ingress has been completed!
+Once all of the pods are in the `READY` state, and `*.$host` resolves to the external IP found above, the preparation of gateway has been completed!
 
 After installing Workflow, [register a user and deploy an application](../quickstart/deploy-an-app.md).
 
diff --git a/src/installing-workflow/index.md b/src/installing-workflow/index.md
@@ -33,9 +33,9 @@ More rigorous installations would benefit from using outside sources for the fol
 * [Redis](../managing-workflow/platform-logging.md#configuring-off-cluster-redis) - Such as AWS Elasticache
 * [InfluxDB](../managing-workflow/platform-monitoring.md#configuring-off-cluster-influxdb) and [Grafana](../managing-workflow/platform-monitoring.md#off-cluster-grafana)
 
-#### Ingress
+#### Gateway
 
-Now, workflow requires that ingress and cert-manager must be installed. Any compatible Kubernetes entry controller can be used, but only ingress-nginx and ingress-traefik currently support enforced HTTPS and allowlist. Enable entries in accordance with [this guide](./ingress.md).
+Now, workflow requires that gateway and cert-manager must be installed. Any compatible Kubernetes entry controller can be used.
 
 ## Install Drycc Workflow
 
diff --git a/src/installing-workflow/system-requirements.md b/src/installing-workflow/system-requirements.md
@@ -8,8 +8,7 @@ Drycc Workflow requires Kubernetes v1.16.15 or later.
 
 ## Components Requirements
 
-Drycc uses ingress as a routing implementation, so you have to choose an ingress.
-We recommend using [nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) or [traefik-ingress](https://github.com/helm/charts/tree/master/stable/traefik), which we have adapted to allowlist and force TLS functions.
+Drycc uses gateway as a routing implementation, so you have to choose an gateway. We recommend using [istio](https://istio.io/) or [kong](https://konghq.com/).
 
 Workflow supports the use of ACME to manage automatic certificates, [cert-manager](https://github.com/helm/charts/tree/master/stable/cert-manager) is also one of the necessary components, if you use cert-manager EAB, you need to set the `clusterResourceNamespace` to the namespace of drycc.
 
diff --git a/src/managing-workflow/configuring-dns.md b/src/managing-workflow/configuring-dns.md
@@ -23,7 +23,7 @@ DNS for any applications using a "custom domain" (a fully-qualified domain name
 Although it is dependent upon your distribution of Kubernetes and your underlying infrastructure, in many cases, the IP(s) or existing fully-qualified domain name of a load balancer can be determined directly using the `kubectl` tool:
 
 ```
-$ kubectl --namespace=ingress-nginx describe service | grep "LoadBalancer Ingress"
+$ kubectl --namespace=istio-nginx describe service | grep "LoadBalancer"
 LoadBalancer Ingress:	a493e4e58ea0511e5bb390686bc85da3-1558404688.us-west-2.elb.amazonaws.com
 ```
 
@@ -40,7 +40,7 @@ In general, for any IP, `a.b.c.d`, the fully-qualified domain name `any-subdomai
 To begin, find the node(s) hosting router instances using `kubectl`:
 
 ```
-$ kubectl --namespace=ingress-nginx describe pod | grep Node
+$ kubectl --namespace=istio-ingress describe pod | grep Node:
 Node:       ip-10-0-0-199.us-west-2.compute.internal/10.0.0.199
 Node:       ip-10-0-0-198.us-west-2.compute.internal/10.0.0.198
 ```
@@ -73,7 +73,7 @@ We'll assume the following in this section:
 Here are the steps for configuring cloud DNS to route to your drycc cluster:
 
 1. Get the load balancer IP or domain name
-  - If you are on Google Container Engine, you can run `kubectl get svc -n ingress-nginx` and look for the `LoadBalancer Ingress` column to get the IP address
+  - If you are on Google Container Engine, you can run `kubectl get svc -n istio-ingress` and look for the `LoadBalancer Ingress` column to get the IP address
 2. Create a new Cloud DNS Zone (on the console: `Networking` => `Cloud DNS`, then click on `Create Zone`)
 3. Name your zone, and set the DNS name to `mystuff.com.` (note the `.` at the end
 4. Click on the `Create` button
diff --git a/src/reference-guide/creating-a-self-signed-ssl-certificate.md b/src/reference-guide/creating-a-self-signed-ssl-certificate.md
@@ -43,4 +43,4 @@ The self-signed SSL certificate is generated from the server.key private key and
 The server.crt file is your site certificate suitable for use with [Drycc's SSL endpoint][app ssl] along with the server.key private key.
 
 [app ssl]: ../applications/ssl-certificates.md
-[platform ssl]: https://kubernetes.io/docs/concepts/services-networking/ingress/
+[platform ssl]: https://gateway-api.sigs.k8s.io/guides/tls/
