hakn

module

v1.12.2 Latest Latest Go to latest Published: Jan 4, 2024 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/chainguard-dev/hakn

Links

Open Source Insights

README ¶

`hakn`

hakn (pronounced like "kraken") stands for "High-Availability Knative", and is an opinionated downstream distribution of Knative on which we (will) run Chainguard's hosted platform.

Who is this for?

We put this together to satisfy our own operational needs, and to give us a place to codify some of the "opinionation" of our own internal platform. Over time, more of these opinions will surface.

How is this different?

This is a "shrink wrapped" distribution of Knative, so where upstream offers a wide selection of unopinionated "lego blocks" (e.g. networking layer, TLS provider, eventing subsystem, ...), this is a mostly-built "lego set". For the most part, we will aim for upstream "conformance", but the underlying system may itself behave fairly differently.

We operate our controlplane pods as HA-by-default stateful sets, which enables us to bound the worst case downtime of a single replica being out of commission. In our downstream CI, using upstream releases we would pretty frequently see flakes due to one of the upstream webhooks getting restarted. Each knative-serving controlplane pod runs the following:

Upstream webhook logic (serving core, domain mappings)
Upstream controller logic (serving core, domain mappings, autoscaler)
Upstream net-istio integration (typically separate)
Custom GCLB TLS logic (see below, but based on Knative's webhook cert logic)

For our networking layer, we are bundling net-istio which is (currently) the best-supported service mesh integration with Knative. Currently we aren't testing mesh-mode, but we plan to start soon; however, we also leverage Istio (and a custom integration) to terminate TLS coming from Google's HTTPS load balancer (GCLB). Since we are terminating TLS at the GCLB and configuring a self-signed cert for Istio to terminate at the Gateway, we do not utilize Knative's auto-TLS integrations, since those fundamentally require SNI, which is not supported by GCLB.

We do not (currently) support scaling to zero. This is in part to simplify the networking policies we have to author, since the way we have things configured the upstream activator is never in the data path (we don't build or ship it). To offset this, we have cranked up our default garbage collection settings to be fairly aggressive about cleaning up old revisions.

Directories ¶

Path	Synopsis
cmd
serving
pkg
reconciler/certificates
reconciler/certificates/resources
third_party
VENDOR-LICENSE/github.com/hashicorp/golang-lru Package lru provides three different LRU caches of varying sophistication.	Package lru provides three different LRU caches of varying sophistication.
VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru Package simplelru provides simple LRU implementation based on build-in container/list.	Package simplelru provides simple LRU implementation based on build-in container/list.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL