istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Sync #15744 fixup Helm CRD docs into Chinese (#15771)

This commit is contained in:
Wilson Wu 2024-10-09 11:18:44 +08:00 committed by GitHub
parent 2f97d8549e
commit 1f1d21a2a9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 84 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
content/zh/boilerplates/crd-upgrade-123.md Normal file
View File

@ -0,0 +1,19 @@
---
---
{{< warning >}}
如果通过 Helm 从 Istio 1.23 或更早版本升级 CRD可能会遇到如下错误
`Error: rendered manifests contain a resource that already exists. Unable to continue with update: CustomResourceDefinition "wasmplugins.extensions.istio.io" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata`
您可以使用以下 `kubectl` 命令通过一次性迁移解决此问题:
{{< text syntax=bash snip_id=adopt_legacy_crds >}}
$ for crd in $(kubectl get crds -l chart=istio -o name && kubectl get crds -l app.kubernetes.io/part-of=istio -o name)
$ do
$ kubectl label "$crd" "app.kubernetes.io/managed-by=Helm"
$ kubectl annotate "$crd" "meta.helm.sh/release-name=istio-base" # 如果与文档默认值不同,请用实际的 Helm 版本名称替换
$ kubectl annotate "$crd" "meta.helm.sh/release-namespace=istio-system" # 用实际的 istio 命名空间替换
$ done
{{< /text >}}
{{< /warning >}}

6
content/zh/docs/ambient/upgrade/helm/index.md
View File

@ -95,10 +95,12 @@ $ export OLD_REVISION=istio-1-21-2
### 基本组件 {#base-components}
{{< boilerplate crd-upgrade-123 >}}
在部署新版本的控制平面之前,必须升级集群范围的 Custom Resource DefinitionsCRD
{{< text bash >}}
$ kubectl apply -f manifests/charts/base/crds
{{< text syntax=bash snip_id=upgrade_crds >}}
$ helm upgrade istio-base istio/base -n istio-system
{{< /text >}}
### istiod 控制平面 {#istiod-control-plane}

21
content/zh/docs/ops/configuration/traffic-management/network-topologies/index.md
View File

@ -162,25 +162,8 @@ $ export GATEWAY_URL=$(kubectl get gateways.gateway.networking.k8s.io httpbin-ga
7) 运行下面的 `curl` 命令,模拟在 `X-Forwarded-For` 头中包含代理地址的请求:
{{< text syntax=bash snip_id=curl_xff_headers >}}
$ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL/get?show_env=true"
{
"args": {
"show_env": "true"
},
"headers": {
"Accept": ...
"Host": ...
"User-Agent": ...
"X-Envoy-Attempt-Count": ...
"X-Envoy-External-Address": "72.9.5.6",
"X-Forwarded-Client-Cert": ...
"X-Forwarded-For": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
"X-Forwarded-Proto": ...
"X-Request-Id": ...
},
"origin": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
"url": ...
}
$ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL/get?show_env=true" | jq '.headers["X-Forwarded-For"][0]'
"56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1"
{{< /text >}}
{{< tip >}}

42
content/zh/docs/setup/upgrade/helm/index.md
View File

@ -14,7 +14,7 @@ test: yes
{{< boilerplate helm-prereqs >}}
## 升级步骤{#upgrade-steps}
## 升级步骤 {#upgrade-steps}
升级 Istio 之前,推荐运行 `istioctl x precheck` 命令以确保升级能与您的环境兼容。
@ -24,22 +24,20 @@ $ istioctl x precheck
To get started, check out <https://istio.io/latest/docs/setup/getting-started/>
{{< /text >}}
{{< warning >}}
执行升级时 [Helm 不支持升级或删除 CRD](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations)。因为有这个限制,所以在用 Helm 升级 Istio 时需要一个额外的步骤。
{{< /warning >}}
### 金丝雀升级(推荐){#canary-upgrade}
### 金丝雀升级(推荐) {#canary-upgrade}
您可以使用以下步骤,安装金丝雀版本的 Istio 控制平面来校验新版本是否与您现有的配置和数据平面兼容:
{{< warning >}}
请注意,当您安装一个金丝雀版本的 `istiod` 服务时,可以在主要安装和金丝雀安装之间共享来自基础 Chart 的底层集群范围资源。
请注意,当您安装一个金丝雀版本的 `istiod` 服务时,可以在主要安装和金丝雀安装之间共享来自 Base Chart 的底层集群范围资源。
{{< /warning >}}
1. 升级 Kubernetes {{< gloss >}}CRD{{</ gloss >}}
{{< boilerplate crd-upgrade-123 >}}
1. 升级 Istio Base Chart以确保所有集群范围的资源都是最新的
{{< text bash >}}
$ kubectl apply -f manifests/charts/base/crds
$ helm upgrade istio-base istio/base -n istio-system
{{< /text >}}
1. 通过设置修订版的值来安装金丝雀版本的 Istio 发现 Chart
@ -87,17 +85,17 @@ $ istioctl x precheck
$ helm delete istiod -n istio-system
{{< /text >}}
1. 升级 Istio base chart将新的修订版作为默认值
1. 再次升级 Istio Base Chart这次将新的 `canary` 修订版本设为集群范围的默认版本
{{< text bash >}}
$ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system --skip-crds
$ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system
{{< /text >}}
### 稳定修订标签(实验特性){#stable-revision-labels}
### 稳定修订标签(实验特性) {#stable-revision-labels}
{{< boilerplate revision-tags-preamble >}}
#### 用法{#usage}
#### 用法 {#usage}
{{< boilerplate revision-tags-usage >}}
@ -119,7 +117,7 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
{{< boilerplate revision-tags-prologue >}}
#### 默认标记{#default-tag}
#### 默认标记 {#default-tag}
{{< boilerplate revision-tags-default-intro >}}
@ -129,7 +127,7 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
{{< boilerplate revision-tags-default-outro >}}
### 原地升级{#in-place-upgrade}
### 原地升级 {#in-place-upgrade}
您可以使用 Helm 升级工作流在您的集群中对 Istio 执行原地升级。
@ -137,16 +135,12 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
将您的重载值文件或自定义选项添加到以下命令,以在 Helm 升级期间保留您的自定义配置。
{{< /warning >}}
1. 升级 Kubernetes {{< gloss >}}CRD{{</ gloss >}}
{{< boilerplate crd-upgrade-123 >}}
1. 升级 Istio Base Chart
{{< text bash >}}
$ kubectl apply -f manifests/charts/base/crds
{{< /text >}}
1. 升级 Istio base chart
{{< text bash >}}
$ helm upgrade istio-base manifests/charts/base -n istio-system --skip-crds
$ helm upgrade istio-base istio/base -n istio-system
{{< /text >}}
1. 升级 Istio discovery chart
@ -161,6 +155,6 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
$ helm upgrade istio-ingress istio/gateway -n istio-ingress
{{< /text >}}
## 卸载{#uninstall}
## 卸载 {#uninstall}
请参阅 [Helm 安装指南](/zh/docs/setup/install/helm/#uninstall)中的卸载章节。

12
content/zh/docs/tasks/observability/logs/access-log/index.md
View File

@ -117,18 +117,12 @@ $ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogF
$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
...
< HTTP/1.1 418 Unknown
...
< server: envoy
...
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
I'm a teapot!
...
{{< /text >}}
1. 检查 `sleep` 的日志:

12
content/zh/docs/tasks/observability/logs/otel-provider/index.md
View File

@ -157,17 +157,11 @@ $ istioctl install -f <your-istio-operator-config-file>
$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
...
< HTTP/1.1 418 Unknown
...
< server: envoy
...
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
I'm a teapot!
...
{{< /text >}}
1. 检查 `otel-collector` 的日志:

4
content/zh/docs/tasks/security/authentication/authn-policy/index.md
View File

@ -99,8 +99,8 @@ TLS 流量自动发送到这些工作负载,并将明文流量发送到没有
这个标头的存在就是启用双向 TLS 的证据。例如:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers -s | grep X-Forwarded-Client-Cert | sed 's/Hash=[a-z0-9]*;/Hash=<redacted>;/'
"X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=<redacted>;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers -s | jq '.headers["X-Forwarded-Client-Cert"][0]' | sed 's/Hash=[a-z0-9]*;/Hash=<redacted>;/'
"By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=<redacted>;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
{{< /text >}}
当服务器没有 Sidecar 时,`X-Forwarded-Client-Cert` 标头将不会存在,

4
content/zh/docs/tasks/security/authentication/claim-to-header/index.md
View File

@ -99,8 +99,8 @@ JWT 声明复制到 HTTP 头。
1. 确认请求包含有效的 HTTP 头且这个头具有 JWT 声明值:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | grep "X-Jwt-Claim-Foo" | sed -e 's/^[ \t]*//'
"X-Jwt-Claim-Foo": "bar"
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | jq '.headers["X-Jwt-Claim-Foo"][0]'
"bar"
{{< /text >}}
## 清理 {#clean-up}

22
content/zh/docs/tasks/security/authorization/authz-custom/index.md
View File

@ -189,22 +189,12 @@ spec:
1. 验证 `ext_authz` 示例服务器是否允许头部为 `x-ext-authzlow` 的路径 `/headers` 的请求:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "x-ext-authz: allow" -s
{
"headers": {
"Accept": "*/*",
"Host": "httpbin:8000",
"User-Agent": "curl/7.76.0-DEV",
"X-B3-Parentspanid": "430f770aeb7ef215",
"X-B3-Sampled": "0",
"X-B3-Spanid": "60ff95c5acdf5288",
"X-B3-Traceid": "fba72bb5765daf5a430f770aeb7ef215",
"X-Envoy-Attempt-Count": "1",
"X-Ext-Authz": "allow",
"X-Ext-Authz-Check-Result": "allowed",
"X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=e5178ee79066bfbafb1d98044fcd0cf80db76be8714c7a4b630c7922df520bf2;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
}
}
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "x-ext-authz: allow" -s | jq '.headers'
...
"X-Ext-Authz-Check-Result": [
"allowed"
],
...
{{< /text >}}
1. 确认允许 `/ip` 路径请求且不触发外部授权:

1
content/zh/docs/tasks/traffic-management/egress/http-proxy/index.md
View File

@ -154,6 +154,7 @@ test: yes
name: tcp
protocol: TCP
location: MESH_EXTERNAL
resolution: NONE
EOF
{{< /text >}}

11
content/zh/docs/tasks/traffic-management/ingress/gateway-api/index.md
View File

@ -122,7 +122,9 @@ Gateway API 与 Istio API如 Gateway 和 VirtualService有很多相似之
{{< text bash >}}
$ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST/get"
...
HTTP/1.1 200 OK
...
server: istio-envoy
...
{{< /text >}}
@ -176,12 +178,9 @@ Gateway API 与 Istio API如 Gateway 和 VirtualService有很多相似之
1. 再次访问 `/headers`,注意到 `My-Added-Header` 标头已被添加到请求:
{{< text bash >}}
$ curl -s -HHost:httpbin.example.com "http://$INGRESS_HOST/headers"
{
"headers": {
"Accept": "*/*",
"Host": "httpbin.example.com",
"My-Added-Header": "added-value",
$ curl -s -HHost:httpbin.example.com "http://$INGRESS_HOST/headers" | jq '.headers["My-Added-Header"][0]'
...
"added-value"
...
{{< /text >}}

2
content/zh/docs/tasks/traffic-management/ingress/ingress-control/index.md
View File

@ -293,7 +293,9 @@ $ export SECURE_INGRESS_PORT=$(kubectl get gtw my-gateway -o jsonpath='{.spec.li
{{< text bash >}}
$ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
...
HTTP/1.1 200 OK
...
server: istio-envoy
...
{{< /text >}}

2
content/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
View File

@ -59,7 +59,9 @@ test: yes
{{< text bash >}}
$ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
...
HTTP/1.1 200 OK
...
server: istio-envoy
...
{{< /text >}}

52
content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md
View File

@ -246,15 +246,8 @@ $ export SECURE_INGRESS_PORT=$(kubectl get gtw mygateway -n istio-system -o json
...
HTTP/2 418
...
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
I'm a teapot!
...
{{< /text >}}
`httpbin` 服务将返回 [418 I'm a Teapot](https://tools.ietf.org/html/rfc7168#section-2.3.3) 代码。
@ -276,15 +269,8 @@ $ export SECURE_INGRESS_PORT=$(kubectl get gtw mygateway -n istio-system -o json
...
HTTP/2 418
...
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
I'm a teapot!
...
{{< /text >}}
1) 如果您使用之前的证书链来访问 `httpbin`,则会失败:
@ -480,21 +466,16 @@ EOF
...
{{< /text >}}
1) 向 `httpbin.example.com` 发送一个 HTTPS 请求,仍然返回一个茶壶
1) 向 `httpbin.example.com` 发送一个 HTTPS 请求,仍然返回一个 [HTTP 418](https://datatracker.ietf.org/doc/html/rfc2324)
{{< text bash >}}
$ curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
--cacert example_certs1/example.com.crt "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
...
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
HTTP/2 418
...
server: istio-envoy
...
{{< /text >}}
### 配置双向 TLS 入口网关 {#configure-a-mutual-tls-ingress-gateway}
@ -618,15 +599,12 @@ EOF
--cacert example_certs1/example.com.crt --cert example_certs1/client.example.com.crt --key example_certs1/client.example.com.key \
"https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
...
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
HTTP/2 418
...
server: istio-envoy
...
I'm a teapot!
...
{{< /text >}}
## 更多信息 {#more-info}