Services

Console: new service

A service in Otomi Container Platform is a feature for easy deployment of (serverless) container workloads and for exposing these, as well as pre-deployed services, with a public URL. Otomi automatically creates and configures all ingress resources needed, including Istio Virtual Services and Gateways, certificates, DNS records and an OAuth2 proxy for Single Sign On.

Create a Service#

  1. Enter a name for the service. The name is used to generate the hostname if Use suggested domain is chosen (see below). When configuring ingress for an existing (pre-deployed) service, make sure the name provided here matches the name of the Knative or Kubernetes service (default).
  2. Enter the port number of the service.

After providing a name and a port number, you can now configure ingress for the existing Kubernetes service and optionally select a different service type.

If the defaults (cluster/private) apply, you can now click 'Submit'.

Configuring exposure (ingress)#

Exposure controls whether internet exposure should be enabled or not. Three options exist:

  • Cluster: has no internet exposure, and is only accessible inside the cluster
  • Private: only accessible via the cluster's private network load balancer
  • Public: publicly accessible via the cluster's public network load balancer

Cluster#

If backend is a Knative service, this will expose a Knative service on a local Istio gateway, so other services can access it at their $svc.$namespace host name.

Notes

Coming soon: the ability to choose endpoints to connect to, so network policies are automatically generated.

Private#

Will only accept traffic coming from the private-network loadbalancer.

A private URL will have a hostname that consists of $HOST_NAME.$DNS_ZONE. Options are described below.

  • TLS passthrough: Pass the request through as is to the backing service.
  • Use suggested domain: The suggested domain is the team domain, for which a wildcard certificate already exists. It has the team name in it.
  • Host: Choose a hostname that will be the prefix of the domain.
  • Forward path: Do not "terminate" the path but pass it on to the receiving service.
  • DNS Zone: Choose a DNS zone that will be the suffix of the domain.
  • Authenticate with Single Sign On: Forwards any unauthenticated traffic to the Keycloak login page, which might forward to an external IDP.
  • Already has a certificate: Don't generate certificates for this service.
      • Certificate ARN [AWS only]: Provide the certificate ARN.
      • Select existing secret name [non-AWS]: Provide a TLS secret name previously created under Secrets. Use Override to enter the name of a secret not known here.

Notes

The private exposure option is currently not working, but is coming soon.

Public#

Use Public exposure to expose a service with a public URL and certificate.

A public URL will have a hostname that consists of $HOST_NAME.$DNS_ZONE. Options are described below.

  • TLS passthrough: Pass the request through as is to the backing service.
  • Use suggested domain: The suggested domain is the team domain, for which a wildcard certificate already exists. It has the team name in it.
  • Host: Choose a hostname that will be the prefix of the domain.
  • Forward path: Do not "terminate" the path but pass it on to the receiving service.
  • DNS Zone: Choose a DNS zone that will be the suffix of the domain.
  • Authenticate with Single Sign On: Forwards any unauthenticated traffic to the Keycloak login page, which might forward to an external IDP.
  • Already has a certificate: Don't generate certificates for this service.
      • Certificate ARN [AWS only]: Provide the certificate ARN.
      • Select existing secret name [non-AWS]: Provide a TLS secret name previously created under Secrets. Use Override to enter the name of a secret not known here.

Configuring the Service Type#

The Service type is the type of service to deploy/expose. Three options are supported:

Existing Kubernetes Service#

When selecting this option, Otomi expects a pre-deployed Kubernetes service by the name and port given.

Existing Knative Service#

When selecting this option, Otomi expects a pre-deployed Knative service by the name and port given. This option does an internal rewrite of the public URL to the existing Knative URL.

New Knative service#

Select this option to deploy a new Knative service using Otomi. In this case, Otomi generates a Knative service manifest and deploys it for you.

Pod annotations#

Arbitrary Kubernetes annotations (metadata) to add to the pod.

Container image#

  • Repository: The full repository URL of the image (e.g. otomi/console).
  • Tag: The image tag (e.g. latest).
  • PullPolicy: The selected pull policy (e.g. IfNotPresent or Always).

Container resources#

Please refer to the Kubernetes documentation for in-depth information on how to determine the values your workload needs.

Requests#

  • cpu: The guaranteed amount of CPU
  • memory: The guaranteed amount of RAM

Limits#

  • cpu: The maximum amount of CPU
  • memory: The maximum amount of RAM

NOTE: Limits are not guaranteed. If you need guaranteed resources, set higher requests.

Environment variables#

Provide all the environment variables your container needs to run.

Secrets#

Secrets that have been created with the console can be referenced here by name. All keys of the secret will be injected as environment variables.

Secret mounts#

Secrets that have been created with the console can be mounted on a path. All keys of the secret will be added as files on that path.

Files#

Files registered here as path > content pairs will be mounted in the container.

Command#

Override the entrypoint/command of the container.

Command Arguments#

Override the arguments given to the entrypoint/command of the container.

Container Port#

The container port the Knative pod will connect to. Leaving this empty lets Knative infer the port from the container, which usually works, but can be problematic when the container does not explicitly expose a port (as is the case with nginx-derived images!). The default is 80.

Scale to zero#

Brings the service down if it has not been accessed for 60 seconds. Also disables the probes that check whether the service is up.
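As an added illustration (not Otomi's own manifest template), this is the Knative Service that the "New Knative service" settings above map onto; the service name, namespace, image tag, secret and ConfigMap names are constructed, and delivering Files through a ConfigMap is an assumption.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello                     # step 1 "Name"; also used for the hostname
  namespace: team-demo            # assumed team namespace
spec:
  template:
    metadata:
      annotations:
        # Pod annotations: arbitrary metadata (constructed key/value)
        example.com/owner: "team-demo"
        # Scale to zero: let the revision drop to 0 pods when idle
        autoscaling.knative.dev/min-scale: "0"
    spec:
      containers:
        - image: otomi/console:v1.0.0   # Repository:Tag; pin a tag rather than latest
          imagePullPolicy: IfNotPresent # PullPolicy
          ports:
            - containerPort: 80         # Container Port (default 80)
          command: ["nginx"]            # Command: overrides the image entrypoint
          args: ["-g", "daemon off;"]   # Command Arguments
          env:                          # Environment variables
            - name: LOG_LEVEL
              value: info
          envFrom:                      # Secrets: every key becomes an env var
            - secretRef:
                name: hello-db-creds    # created under Secrets (constructed name)
          volumeMounts:
            - name: tls-material        # Secret mounts: keys become files on the path
              mountPath: /etc/tls
              readOnly: true
            - name: app-files           # Files: path > content pairs
              mountPath: /etc/app
              readOnly: true
          resources:
            requests:                   # guaranteed
              cpu: 100m
              memory: 128Mi
            limits:                     # ceiling only, not guaranteed
              cpu: 500m
              memory: 256Mi
      volumes:
        - name: tls-material
          secret:
            secretName: hello-tls       # constructed secret name
        - name: app-files
          configMap:                    # assumption: Files delivered via a ConfigMap
            name: hello-files
```

Pinning the image tag and setting both requests and limits keeps what auto-deploys and what it may consume explicit, which is the part of this form a reviewer should check first.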

Continuous Delivery (coming soon!)#

Whether or not to allow automatic deployment of image tags that match the chosen strategy's matcher.

  • Off: No automatic continuous deployment.
  • Semver versioning: Semver version pattern. Use this filter if your image tags follow semantic versioning rules (MAJOR.MINOR.PATCH). E.g. PATCH only: "~1.1"; MINOR and PATCH only: "~1"; all: "*".
  • Glob pattern matching: Glob string pattern. Use this filter if you want simple non-standard patterns. E.g. "master-v1..".