Copy edit for Control Ingress Traffic. (#1732)

Signed-off-by: Stephen Gilson <gilsonsm@google.com>
2018-07-10 10:08:20 -04:00 · 2018-07-10 10:08:20 -04:00 · 0fca91c7c0
parent 451c76ca22
commit 0fca91c7c0
1 changed files with 27 additions and 26 deletions
--- a/content/docs/tasks/traffic-management/ingress/index.md
+++ b/content/docs/tasks/traffic-management/ingress/index.md
@ -13,7 +13,7 @@ In a Kubernetes environment, the [Kubernetes Ingress Resource](https://kubernete
 is used to specify services that should be exposed outside the cluster.
 In an Istio service mesh, a better approach (which also works in both Kubernetes and other environments) is to use a
 different configuration model, namely [Istio Gateway](/docs/reference/config/istio.networking.v1alpha3/#Gateway).
-A `Gateway` allows Istio features, for example, monitoring and route rules, to be applied to traffic entering the cluster.
+A `Gateway` allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster.

 This task describes how to configure Istio to expose a service outside of the service mesh using an Istio `Gateway`.

@ -26,13 +26,13 @@ This task describes how to configure Istio to expose a service outside of the se
 *   Start the [httpbin]({{< github_tree >}}/samples/httpbin) sample,
    which will be used as the destination service to be exposed externally.

-    If you have enabled [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection), do
+    If you have enabled [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection), deploy the `httpbin` service:

    {{< text bash >}}
    $ kubectl apply -f @samples/httpbin/httpbin.yaml@
    {{< /text >}}

-    otherwise, you have to manually inject the sidecar before deploying the `httpbin` application:
+    Otherwise, you have to manually inject the sidecar before deploying the `httpbin` application:

    {{< text bash >}}
    $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@)
@ -42,7 +42,7 @@ This task describes how to configure Istio to expose a service outside of the se

 ### Determining the ingress IP and ports

-Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers.
+Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:

 {{< text bash >}}
 $ kubectl get svc istio-ingressgateway -n istio-system
@ -56,6 +56,8 @@ In this case, you can access the gateway using the service's [node port](https:/

 #### Determining the ingress IP and ports when using an external load balancer

+Determine the ingress IP and ports:
+
 {{< text bash >}}
 $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
@ -71,7 +73,7 @@ $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway
 $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
 {{< /text >}}

-Determining the ingress IP depends on the cluster provider.
+Determining the ingress IP depends on the cluster provider:

 1.  _GKE:_

@ -80,7 +82,7 @@ Determining the ingress IP depends on the cluster provider.
    {{< /text >}}

    You need to create firewall rules to allow the TCP traffic to the _ingressgateway_ service's ports.
-    Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both.
+    Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both:

    {{< text bash >}}
    $ gcloud compute firewall-rules create allow-gateway-http --allow tcp:$INGRESS_PORT
@ -108,15 +110,15 @@ Determining the ingress IP depends on the cluster provider.

 ## Configuring ingress using an Istio Gateway

-An ingress [Gateway](/docs/reference/config/istio.networking.v1alpha3/#Gateway) describes a load balancer operating at the edge of the mesh receiving incoming HTTP/TCP connections.
-It configures exposed ports, protocols, etc.,
+An ingress [Gateway](/docs/reference/config/istio.networking.v1alpha3/#Gateway) describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections.
+It configures exposed ports, protocols, etc.
 but, unlike [Kubernetes Ingress Resources](https://kubernetes.io/docs/concepts/services-networking/ingress/),
 does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured
 using Istio routing rules, exactly in the same was as for internal service requests.

 Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.

-1.  Create an Istio `Gateway`
+1.  Create an Istio `Gateway`:

    {{< text bash >}}
    $ cat <<EOF | istioctl create -f -
@ -137,7 +139,7 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
    EOF
    {{< /text >}}

-1.  Configure routes for traffic entering via the `Gateway`
+1.  Configure routes for traffic entering via the `Gateway`:

    {{< text bash >}}
    $ cat <<EOF | istioctl create -f -
@ -164,19 +166,19 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
    EOF
    {{< /text >}}

-    Here we've created a [virtual service](/docs/reference/config/istio.networking.v1alpha3/#VirtualService)
-    configuration for the `httpbin` service, containing two route rules that allow traffic for paths `/status` and
+    You have now created a [virtual service](/docs/reference/config/istio.networking.v1alpha3/#VirtualService)
+    configuration for the `httpbin` service containing two route rules that allow traffic for paths `/status` and
    `/delay`.

    The [gateways](/docs/reference/config/istio.networking.v1alpha3/#VirtualService-gateways) list
-    specifies that only requests through our `httpbin-gateway` are allowed.
+    specifies that only requests through your `httpbin-gateway` are allowed.
    All other external requests will be rejected with a 404 response.

-    Note that in this configuration internal requests from other services in the mesh are not subject to these rules,
-    but instead will simply default to round-robin routing. To apply these (or other rules) to internal calls,
-    we could add the special value `mesh` to the list of `gateways`.
+    Note that in this configuration, internal requests from other services in the mesh are not subject to these rules
+    but instead will default to round-robin routing. To apply these or other rules to internal calls,
+    you can add the special value `mesh` to the list of `gateways`.

-1.  Access the _httpbin_ service using _curl_.
+1.  Access the _httpbin_ service using _curl_:

    {{< text bash >}}
    $ curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200
@ -190,9 +192,9 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
    x-envoy-upstream-service-time: 48
    {{< /text >}}

-    Note that we use the `-H` flag to set the _Host_ HTTP Header to
-    "httpbin.example.com". This is needed because our ingress `Gateway` is configured to handle "httpbin.example.com",
-    but in our test environment we have no DNS binding for that host and are simply sending our request to the ingress IP.
+    Note that you use the `-H` flag to set the _Host_ HTTP Header to
+    "httpbin.example.com". This is needed because your ingress `Gateway` is configured to handle "httpbin.example.com",
+    but in your test environment you have no DNS binding for that host and are simply sending your request to the ingress IP.

 1.  Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:

@ -206,9 +208,9 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.

 ## Accessing ingress services using a browser

-As you may have guessed, entering the httpbin service URL in a browser won't work because we don't have a way to tell the browser to pretend to be accessing "httpbin.example.com", like we did with _curl_. In a real world situation this wouldn't be a problem because the requested host would be properly configured and DNS resolvable, so we would simply be using its domain name in the URL (e.g., `https://httpbin.example.com/status/200`).
+As you may have guessed, entering the `httpbin` service URL in a browser won't work because you don't have a way to tell the browser to pretend to be accessing "httpbin.example.com", like you did with _curl_. In a real world situation this wouldn't be a problem because the requested host would be properly configured and DNS resolvable, so you would be using its domain name in the URL (for example, `https://httpbin.example.com/status/200`).

-To work around this problem for simple tests and demos, we can use a wildcard `*` value for the host in the `Gateway` and `VirutualService` configurations. For example, if we change our ingress configuration to the following:
+To work around this problem for simple tests and demos, use a wildcard `*` value for the host in the `Gateway` and `VirutualService` configurations. For example, if you change your ingress configuration to the following:

 {{< text bash >}}
 $ cat <<EOF | istioctl replace -f -
@ -248,7 +250,7 @@ spec:
 EOF
 {{< /text >}}

-We can then use `$INGRESS_HOST:$INGRESS_PORT` (e.g., `192.168.99.100:31380`) in the URL that we enter in a browser. For example, `http://192.168.99.100:31380/headers` should display the request headers sent by our browser.
+You can then use `$INGRESS_HOST:$INGRESS_PORT` (e.g., `192.168.99.100:31380`) in the browser URL. For example, `http://192.168.99.100:31380/headers` should display the request headers sent by your browser.

 ## Understanding what happened

@ -256,9 +258,8 @@ The `Gateway` configuration resources allow external traffic to enter the
 Istio service mesh and make the traffic management and policy features of Istio
 available for edge services.

-In the preceding steps we created a service inside the service mesh
-and showed how to expose an HTTP endpoint of the service to
-external traffic.
+In the preceding steps, you created a service inside the service mesh
+and exposed an HTTP endpoint of the service to external traffic.

 ## Cleanup