Automator: update istio.io@master reference docs (#6900)

2020-03-18 06:44:02 -07:00 · 2020-03-18 06:44:02 -07:00 · 0c3f225672
parent 4756fc8686
commit 0c3f225672
3 changed files with 16 additions and 159 deletions
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@ -1075,7 +1075,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
 <tr>
 <td><code>--output &lt;string&gt;</code></td>
 <td><code>-o</code></td>
-<td>Output format: one of [yaml log json]  (default `log`)</td>
+<td>Output format: one of [log json yaml]  (default `log`)</td>
 </tr>
 <tr>
 <td><code>--output-threshold &lt;Level&gt;</code></td>
--- a/content/en/docs/reference/config/networking/gateway/index.html
+++ b/content/en/docs/reference/config/networking/gateway/index.html
@ -679,8 +679,7 @@ No
 <td><code>bool</code></td>
 <td>
 <p>If set to true, the load balancer will send a 301 redirect for
-all http connections, asking the clients to use HTTPS. Not
-applicable in Sidecar API.</p>
+all http connections, asking the clients to use HTTPS.</p>

 </td>
 <td>
@ -741,22 +740,13 @@ No
 <td><code>credentialName</code></td>
 <td><code>string</code></td>
 <td>
-<p>The credentialName stands for a unique identifier that can be used
-to identify the serverCertificate and the privateKey. The
-credentialName appended with suffix &ldquo;-cacert&rdquo; is used to identify
-the CaCertificates associated with this server. Proxies
-capable of fetching credentials from a remote credential store such
-as Kubernetes secrets, will be configured to retrieve the
-serverCertificate and the privateKey using credentialName, instead
-of using the file system paths specified above. If using mutual TLS,
-proxy instances will retrieve the CaCertificates using
-credentialName-cacert. The semantics of the name are platform
-dependent.  In Kubernetes, the default Istio supplied credential
-server expects the credentialName to match the name of the
-Kubernetes secret that holds the server certificate, the private
-key, and the CA certificate (if using mutual TLS). Set the
-<code>ISTIO_META_USER_SDS</code> metadata variable in the proxy to
-enable the dynamic credential fetching feature.</p>
+<p>For gateways running on Kubernetes, the name of the secret that
+holds the TLS certs including the CA certificates. Applicable
+only on Kubernetes, and only if the dynamic credential fetching
+feature is enabled in the proxy by setting
+<code>ISTIO_META_USER_SDS</code> metadata variable.  The secret (of type
+<code>generic</code>) should contain the following keys and values: <code>key:
+&lt;privateKey&gt;</code>, <code>cert: &lt;serverCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>.</p>

 </td>
 <td>
@ -910,9 +900,7 @@ No
 <td>
 <p>The SNI string presented by the client will be used as the
 match criterion in a VirtualService TLS route to determine
-the destination service from the service registry. On a
-sidecar, TLS traffic will be forwarded as is to the default
-endpoint defined in the Ingress Listener.</p>
+the destination service from the service registry.</p>

 </td>
 </tr>
@ -944,8 +932,7 @@ value. This server is typically used to provide connectivity
 between services in disparate L3 networks that otherwise do
 not have direct connectivity between their respective
 endpoints. Use of this mode assumes that both the source and
-the destination are using Istio mTLS to secure traffic. Not
-applicable in Sidecar API.</p>
+the destination are using Istio mTLS to secure traffic.</p>

 </td>
 </tr>
--- a/content/en/docs/reference/config/networking/sidecar/index.html
+++ b/content/en/docs/reference/config/networking/sidecar/index.html
@ -131,18 +131,11 @@ spec:
 <p>The following example declares a <code>Sidecar</code> configuration in the
 <code>prod-us1</code> namespace for all pods with labels <code>app: ratings</code>
 belonging to the <code>ratings.prod-us1</code> service.  The workload accepts
-inbound HTTP traffic on port 9080 without any authentication, and
-HTTPS traffic on port 9443 with one-way TLS termination using
-custom certificates. <em>To accomplish custom TLS termination on this
-workload, the <code>PeerAuthentication</code> security policy must be declared
-to disable Istio mutual TLS on these two ports. Any other
-auto-generated listener for this workload will still obey the
-mutual TLS termination requirements set forth in the
-PeerAuthentication policy</em>. The traffic is then forwarded to the
-attached workload instance listening on a Unix domain socket. In
-the egress direction, in addition to the <code>istio-system</code> namespace,
-the sidecar proxies only HTTP traffic bound for port 9080 for
-services in the <code>prod-us1</code> namespace.</p>
+inbound HTTP traffic on port 9080. The traffic is then forwarded to
+the attached workload instance listening on a Unix domain
+socket. In the egress direction, in addition to the <code>istio-system</code>
+namespace, the sidecar proxies only HTTP traffic bound for port
+9080 for services in the <code>prod-us1</code> namespace.</p>

 <p>{{<tabset category-name="example">}}
 {{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -162,15 +155,6 @@ spec:
      protocol: HTTP
      name: somename
    defaultEndpoint: unix:///var/run/someuds.sock
-  - port:
-      number: 9443
-      protocol: HTTPS
-      name: httpsport
-    inboundTls:
-      mode: SIMPLE # overrides namespace default
-      serverCertificate: /etc/certs/servercert.pem
-      privateKey: /etc/certs/privatekey.pem
-    defaultEndpoint: unix:///var/run/someuds.sock
  egress:
  - port:
      number: 9080
@ -201,15 +185,6 @@ spec:
      protocol: HTTP
      name: somename
    defaultEndpoint: unix:///var/run/someuds.sock
-  - port:
-      number: 9443
-      protocol: HTTPS
-      name: httpsport
-    inboundTls:
-      mode: SIMPLE # overrides namespace default
-      serverCertificate: /etc/certs/servercert.pem
-      privateKey: /etc/certs/privatekey.pem
-    defaultEndpoint: unix:///var/run/someuds.sock
  egress:
  - port:
      number: 9080
@ -224,80 +199,6 @@ spec:
 <p>{{</tab>}}
 {{</tabset>}}</p>

-<p>and the associated PeerAuthentication security policy to ensure
-that mutual TLS based authentication is not configured for ports
-9080 and 9443:</p>
-
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
-  name: ratings-istio-mtls-exception
-  namespace: prod-us1
-spec:
-  selector:
-    matchLabels:
-      app: ratings
-  # other ports inherit the settings from namespace-wide policy.
-  portLevelMtls:
-    9080:
-      mode: DISABLE
-    9443:
-      mode: DISABLE
-</code></pre>
-
-<p>and the associated DestinationRule to ensure that the clients use
-the appropriate TLS settings:</p>
-
-<p>{{<tabset category-name="example">}}
-{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
-
-<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: ratings-istio-mtls-exception
-  namespace: prod-us1
-spec:
-  host: ratings.prod-us1.svc.cluster.local
-  trafficPolicy:
-   portLevelSettings:
-   - port:
-       number: 9080
-     tls:
-       mode: DISABLE
-   - port:
-       number: 9443
-     tls:
-       mode: SIMPLE
-       caCertificates: /etc/certs/ca-certs.pem
-</code></pre>
-
-<p>{{</tab>}}</p>
-
-<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
-
-<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
-kind: DestinationRule
-metadata:
-  name: ratings-istio-mtls-exception
-  namespace: prod-us1
-spec:
-  host: ratings.prod-us1.svc.cluster.local
-  trafficPolicy:
-   portLevelSettings:
-   - port:
-       number: 9080
-     tls:
-       mode: DISABLE
-   - port:
-       number: 9443
-     tls:
-       mode: SIMPLE
-       caCertificates: /etc/certs/ca-certs.pem
-</code></pre>
-
-<p>{{</tab>}}
-{{</tabset>}}</p>
-
 <p>If the workload is deployed without IPTables-based traffic capture,
 the <code>Sidecar</code> configuration is the only way to configure the ports
 on the proxy attached to the workload instance. The following
@ -721,20 +622,6 @@ connections. Format should be <code>127.0.0.1:PORT</code> or <code>unix:///path/
 Yes
 </td>
 </tr>
-<tr id="IstioIngressListener-inbound_tls">
-<td><code>inboundTls</code></td>
-<td><code><a href="/docs/reference/config/networking/gateway.html#Server-TLSOptions">TLSOptions</a></code></td>
-<td>
-<p>Overrides Sidecar level <code>inboundTls</code> settings. Has same
-restrictions as the Sidecar level inboundTls,
-i.e. PeerAuthentication policy takes precedance unless explicitly
-disabled.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
 </tbody>
 </table>
 </section>
@ -872,23 +759,6 @@ application to its requested destination. If not specified,
 inherits the system detected defaults from the namespace-wide or
 the global default Sidecar.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Sidecar-inbound_tls">
-<td><code>inboundTls</code></td>
-<td><code><a href="/docs/reference/config/networking/gateway.html#Server-TLSOptions">TLSOptions</a></code></td>
-<td>
-<p>Set of TLS related options that allow a listener to terminate
-SIMPLE or MUTUAL TLS connections at the
-sidecar. <code>PeerAuthentication</code> policy&rsquo;s settings take precedance
-over custom TLS settings for the workload. When the
-PeerAuthentication policy disables mTLS tunneling for one or more
-ports in the workload, the TLS settings specified here will be
-applied.</p>
-
 </td>
 <td>
 No