From 1f1d21a2a9fc6fe951cba2875baa9a28da3dab0f Mon Sep 17 00:00:00 2001
From: Wilson Wu
Date: Wed, 9 Oct 2024 11:18:44 +0800
Subject: [PATCH] Sync #15744 fixup Helm CRD docs into Chinese (#15771)
---
 content/zh/boilerplates/crd-upgrade-123.md | 19 +++++++
 content/zh/docs/ambient/upgrade/helm/index.md | 6 ++-
 .../network-topologies/index.md | 21 +-------
 content/zh/docs/setup/upgrade/helm/index.md | 42 +++++++--------
 .../observability/logs/access-log/index.md | 12 ++---
 .../observability/logs/otel-provider/index.md | 12 ++---
 .../authentication/authn-policy/index.md | 4 +-
 .../authentication/claim-to-header/index.md | 4 +-
 .../authorization/authz-custom/index.md | 22 +++-----
 .../egress/http-proxy/index.md | 1 +
 .../ingress/gateway-api/index.md | 11 ++--
 .../ingress/ingress-control/index.md | 2 +
 .../ingress/kubernetes-ingress/index.md | 2 +
 .../ingress/secure-ingress/index.md | 52 ++++++-------------
 14 files changed, 84 insertions(+), 126 deletions(-)
 create mode 100644 content/zh/boilerplates/crd-upgrade-123.md
diff --git a/content/zh/boilerplates/crd-upgrade-123.md b/content/zh/boilerplates/crd-upgrade-123.md
new file mode 100644
index 0000000000..45f481a7a7
--- /dev/null
+++ b/content/zh/boilerplates/crd-upgrade-123.md
@@ -0,0 +1,19 @@
+---
+---
+{{< warning >}}
+如果通过 Helm 从 Istio 1.23 或更早版本升级 CRD,可能会遇到如下错误
+
+`Error: rendered manifests contain a resource that already exists. Unable to continue with update: CustomResourceDefinition "wasmplugins.extensions.istio.io" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata`
+
+您可以使用以下 `kubectl` 命令通过一次性迁移解决此问题:
+
+ {{< text syntax=bash snip_id=adopt_legacy_crds >}}
+ $ for crd in $(kubectl get crds -l chart=istio -o name && kubectl get crds -l app.kubernetes.io/part-of=istio -o name)
+ $ do
+ $ kubectl label "$crd" "app.kubernetes.io/managed-by=Helm"
+ $ kubectl annotate "$crd" "meta.helm.sh/release-name=istio-base" # 如果与文档默认值不同,请用实际的 Helm 版本名称替换
+ $ kubectl annotate "$crd" "meta.helm.sh/release-namespace=istio-system" # 用实际的 istio 命名空间替换
+ $ done
+ {{< /text >}}
+
+{{< /warning >}}
diff --git a/content/zh/docs/ambient/upgrade/helm/index.md b/content/zh/docs/ambient/upgrade/helm/index.md
index 5bf6d2441b..58fa074279 100644
--- a/content/zh/docs/ambient/upgrade/helm/index.md
+++ b/content/zh/docs/ambient/upgrade/helm/index.md
@@ -95,10 +95,12 @@ $ export OLD_REVISION=istio-1-21-2
 ### 基本组件 {#base-components}
+{{< boilerplate crd-upgrade-123 >}}
+
 在部署新版本的控制平面之前,必须升级集群范围的 Custom Resource Definitions(CRD):
-{{< text bash >}}
-$ kubectl apply -f manifests/charts/base/crds
+{{< text syntax=bash snip_id=upgrade_crds >}}
+$ helm upgrade istio-base istio/base -n istio-system
 {{< /text >}}
 ### istiod 控制平面 {#istiod-control-plane}
diff --git a/content/zh/docs/ops/configuration/traffic-management/network-topologies/index.md b/content/zh/docs/ops/configuration/traffic-management/network-topologies/index.md
index 878ca88a04..428c5cf50b 100644
--- a/content/zh/docs/ops/configuration/traffic-management/network-topologies/index.md
+++ b/content/zh/docs/ops/configuration/traffic-management/network-topologies/index.md
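Review bot: The `adopt_legacy_crds` loop rewrites Helm ownership metadata on every CRD matching either selector without first showing the reader which objects will be touched, and `kubectl annotate` without `--overwrite` refuses a CRD whose `meta.helm.sh/release-name` already holds a different value, so on a cluster that has a second base release (a canary install, say) the loop stops partway with some CRDs adopted and others not. A preview such as `$ kubectl get crds -l chart=istio -o name` before the loop, plus a sentence saying that an existing differing annotation must be reconciled by hand, would make the one-time migration safer to run. It is also worth stating what adoption implies afterwards: if the base chart renders these CRDs as templates (which adopting them into the `istio-base` release suggests but this page does not show), a later `helm uninstall istio-base` would remove them together with every Istio custom resource that depends on them.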
@@ -162,25 +162,8 @@ $ export GATEWAY_URL=$(kubectl get gateways.gateway.networking.k8s.io httpbin-ga
 7) 运行下面的 `curl` 命令,模拟在 `X-Forwarded-For` 头中包含代理地址的请求:
 {{< text syntax=bash snip_id=curl_xff_headers >}}
- $ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL/get?show_env=true"
- {
- "args": {
- "show_env": "true"
- },
- "headers": {
- "Accept": ...
- "Host": ...
- "User-Agent": ...
- "X-Envoy-Attempt-Count": ...
- "X-Envoy-External-Address": "72.9.5.6",
- "X-Forwarded-Client-Cert": ...
- "X-Forwarded-For": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
- "X-Forwarded-Proto": ...
- "X-Request-Id": ...
- },
- "origin": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
- "url": ...
- }
+ $ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL/get?show_env=true" | jq '.headers["X-Forwarded-For"][0]'
+ "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1"
 {{< /text >}}
 {{< tip >}}
diff --git a/content/zh/docs/setup/upgrade/helm/index.md b/content/zh/docs/setup/upgrade/helm/index.md
index 9fb866c5bf..fa518f4ec4 100644
--- a/content/zh/docs/setup/upgrade/helm/index.md
+++ b/content/zh/docs/setup/upgrade/helm/index.md
@@ -14,7 +14,7 @@ test: yes
 {{< boilerplate helm-prereqs >}}
-## 升级步骤{#upgrade-steps}
+## 升级步骤 {#upgrade-steps}
 升级 Istio 之前,推荐运行 `istioctl x precheck` 命令以确保升级能与您的环境兼容。
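Review bot: The new `jq '.headers["X-Forwarded-For"][0]'` pipeline indexes the header value as an array, which only matches a sample `httpbin` that returns list-valued headers (the `authz-custom` hunk's `"X-Ext-Authz-Check-Result": [ "allowed" ]` output is that shape); against a `httpbin` that returns plain strings jq aborts with `Cannot index string with number`, so the page should say which sample image the outputs were captured from. `jq` also becomes a tool the reader (and the `test: yes` harness, where a page has it) must have installed, and none of the hunks mention it. The same applies to the `[0]` pipelines in the `authn-policy`, `claim-to-header`, `authz-custom` and `gateway-api` hunks.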
@@ -24,22 +24,20 @@ $ istioctl x precheck
 To get started, check out
 {{< /text >}}
-{{< warning >}}
-执行升级时 [Helm 不支持升级或删除 CRD](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations)。因为有这个限制,所以在用 Helm 升级 Istio 时需要一个额外的步骤。
-{{< /warning >}}
-
-### 金丝雀升级(推荐){#canary-upgrade}
+### 金丝雀升级(推荐) {#canary-upgrade}
 您可以使用以下步骤,安装金丝雀版本的 Istio 控制平面来校验新版本是否与您现有的配置和数据平面兼容:
 {{< warning >}}
-请注意,当您安装一个金丝雀版本的 `istiod` 服务时,可以在主要安装和金丝雀安装之间共享来自基础 Chart 的底层集群范围资源。
+请注意,当您安装一个金丝雀版本的 `istiod` 服务时,可以在主要安装和金丝雀安装之间共享来自 Base Chart 的底层集群范围资源。
 {{< /warning >}}
-1. 升级 Kubernetes {{< gloss >}}CRD{{}}:
+{{< boilerplate crd-upgrade-123 >}}
+
+1. 升级 Istio Base Chart,以确保所有集群范围的资源都是最新的:
 {{< text bash >}}
- $ kubectl apply -f manifests/charts/base/crds
+ $ helm upgrade istio-base istio/base -n istio-system
 {{< /text >}}
 1. 通过设置修订版的值来安装金丝雀版本的 Istio 发现 Chart:
@@ -87,17 +85,17 @@ $ istioctl x precheck
 $ helm delete istiod -n istio-system
 {{< /text >}}
-1. 升级 Istio base chart,将新的修订版作为默认值。
+1. 再次升级 Istio Base Chart,这次将新的 `canary` 修订版本设为集群范围的默认版本。
 {{< text bash >}}
- $ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system --skip-crds
+ $ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system
 {{< /text >}}
-### 稳定修订标签(实验特性){#stable-revision-labels}
+### 稳定修订标签(实验特性) {#stable-revision-labels}
 {{< boilerplate revision-tags-preamble >}}
-#### 用法{#usage}
+#### 用法 {#usage}
 {{< boilerplate revision-tags-usage >}}
@@ -119,7 +117,7 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
 {{< boilerplate revision-tags-prologue >}}
-#### 默认标记{#default-tag}
+#### 默认标记 {#default-tag}
 {{< boilerplate revision-tags-default-intro >}}
@@ -129,7 +127,7 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
 {{< boilerplate revision-tags-default-outro >}}
-### 原地升级{#in-place-upgrade}
+### 原地升级 {#in-place-upgrade}
 您可以使用 Helm 升级工作流在您的集群中对 Istio 执行原地升级。
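Review bot: The new first canary step `$ helm upgrade istio-base istio/base -n istio-system` passes no values, and `helm upgrade` only keeps a release's previous values when `--reuse-values` or the original `-f`/`--set` overrides are supplied, so a base release installed with custom values is reset to chart defaults before the canary has been validated — including a `defaultRevision` set in an earlier round, which this section only sets again in its final step. The in-place section of this file already carries the matching reminder (`将您的重载值文件或自定义选项添加到以下命令,以在 Helm 升级期间保留您的自定义配置。`, visible as context in the `@@ -137` hunk); the canary section should repeat it before this step, or the step should state the values to pass.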
@@ -137,16 +135,12 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
 将您的重载值文件或自定义选项添加到以下命令,以在 Helm 升级期间保留您的自定义配置。
 {{< /warning >}}
-1. 升级 Kubernetes {{< gloss >}}CRD{{}}:
+{{< boilerplate crd-upgrade-123 >}}
+
+1. 升级 Istio Base Chart:
 {{< text bash >}}
- $ kubectl apply -f manifests/charts/base/crds
- {{< /text >}}
-
-1. 升级 Istio base chart:
-
- {{< text bash >}}
- $ helm upgrade istio-base manifests/charts/base -n istio-system --skip-crds
+ $ helm upgrade istio-base istio/base -n istio-system
 {{< /text >}}
 1. 升级 Istio discovery chart:
@@ -161,6 +155,6 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi
 $ helm upgrade istio-ingress istio/gateway -n istio-ingress
 {{< /text >}}
-## 卸载{#uninstall}
+## 卸载 {#uninstall}
 请参阅 [Helm 安装指南](/zh/docs/setup/install/helm/#uninstall)中的卸载章节。
diff --git a/content/zh/docs/tasks/observability/logs/access-log/index.md b/content/zh/docs/tasks/observability/logs/access-log/index.md
index 20d969097e..41b691f498 100644
--- a/content/zh/docs/tasks/observability/logs/access-log/index.md
+++ b/content/zh/docs/tasks/observability/logs/access-log/index.md
@@ -117,18 +117,12 @@ $ istioctl install --set meshConfig.accessLogF
 $ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
 ...
 < HTTP/1.1 418 Unknown
+ ...
 < server: envoy
 ...
- -=[ teapot ]=-
-
- _...._
- .' _ _ `.
- | ."` ^ `". _,
- \_;`"---"`|//
- | ;/
- \_ _/
- `"""`
+ I'm a teapot!
+ ...
 {{< /text >}}
 1. 检查 `sleep` 的日志:
diff --git a/content/zh/docs/tasks/observability/logs/otel-provider/index.md b/content/zh/docs/tasks/observability/logs/otel-provider/index.md
index 35087ef6a4..634e654507 100644
--- a/content/zh/docs/tasks/observability/logs/otel-provider/index.md
+++ b/content/zh/docs/tasks/observability/logs/otel-provider/index.md
@@ -157,17 +157,11 @@ $ istioctl install -f
 $ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
 ...
 < HTTP/1.1 418 Unknown
+ ...
 < server: envoy
 ...
- -=[ teapot ]=-
-
- _...._
- .' _ _ `.
- | ."` ^ `". _,
- \_;`"---"`|//
- | ;/
- \_ _/
- `"""`
+ I'm a teapot!
+ ...
 {{< /text >}}
 1. 检查 `otel-collector` 的日志:
diff --git a/content/zh/docs/tasks/security/authentication/authn-policy/index.md b/content/zh/docs/tasks/security/authentication/authn-policy/index.md
index f51f8b5502..9c241c4775 100644
--- a/content/zh/docs/tasks/security/authentication/authn-policy/index.md
+++ b/content/zh/docs/tasks/security/authentication/authn-policy/index.md
@@ -99,8 +99,8 @@ TLS 流量自动发送到这些工作负载,并将明文流量发送到没有
 这个标头的存在就是启用双向 TLS 的证据。例如:
 {{< text bash >}}
-$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers -s | grep X-Forwarded-Client-Cert | sed 's/Hash=[a-z0-9]*;/Hash=;/'
- "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
+$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers -s | jq '.headers["X-Forwarded-Client-Cert"][0]' | sed 's/Hash=[a-z0-9]*;/Hash=;/'
+ "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
 {{< /text >}}
 当服务器没有 Sidecar 时,`X-Forwarded-Client-Cert` 标头将不会存在,
diff --git a/content/zh/docs/tasks/security/authentication/claim-to-header/index.md b/content/zh/docs/tasks/security/authentication/claim-to-header/index.md
index 528951ad7c..9a2065606d 100644
--- a/content/zh/docs/tasks/security/authentication/claim-to-header/index.md
+++ b/content/zh/docs/tasks/security/authentication/claim-to-header/index.md
@@ -99,8 +99,8 @@ JWT 声明复制到 HTTP 头。
 1. 确认请求包含有效的 HTTP 头且这个头具有 JWT 声明值:
 {{< text bash >}}
- $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | grep "X-Jwt-Claim-Foo" | sed -e 's/^[ \t]*//'
- "X-Jwt-Claim-Foo": "bar"
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | jq '.headers["X-Jwt-Claim-Foo"][0]'
+ "bar"
 {{< /text >}}
 ## 清理 {#clean-up}
diff --git a/content/zh/docs/tasks/security/authorization/authz-custom/index.md b/content/zh/docs/tasks/security/authorization/authz-custom/index.md
index cf60e60bd9..3feb93799f 100644
--- a/content/zh/docs/tasks/security/authorization/authz-custom/index.md
+++ b/content/zh/docs/tasks/security/authorization/authz-custom/index.md
@@ -189,22 +189,12 @@ spec:
 1. 验证 `ext_authz` 示例服务器是否允许头部为 `x-ext-authz:low` 的路径 `/headers` 的请求:
 {{< text bash >}}
- $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "x-ext-authz: allow" -s
- {
- "headers": {
- "Accept": "*/*",
- "Host": "httpbin:8000",
- "User-Agent": "curl/7.76.0-DEV",
- "X-B3-Parentspanid": "430f770aeb7ef215",
- "X-B3-Sampled": "0",
- "X-B3-Spanid": "60ff95c5acdf5288",
- "X-B3-Traceid": "fba72bb5765daf5a430f770aeb7ef215",
- "X-Envoy-Attempt-Count": "1",
- "X-Ext-Authz": "allow",
- "X-Ext-Authz-Check-Result": "allowed",
- "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=e5178ee79066bfbafb1d98044fcd0cf80db76be8714c7a4b630c7922df520bf2;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
- }
- }
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "x-ext-authz: allow" -s | jq '.headers'
+ ...
+ "X-Ext-Authz-Check-Result": [
+ "allowed"
+ ],
+ ...
 {{< /text >}}
 1. 确认允许 `/ip` 路径请求且不触发外部授权:
diff --git a/content/zh/docs/tasks/traffic-management/egress/http-proxy/index.md b/content/zh/docs/tasks/traffic-management/egress/http-proxy/index.md
index 0e3d3bdaee..640f1dea56 100644
--- a/content/zh/docs/tasks/traffic-management/egress/http-proxy/index.md
+++ b/content/zh/docs/tasks/traffic-management/egress/http-proxy/index.md
@@ -154,6 +154,7 @@ test: yes
 name: tcp
 protocol: TCP
 location: MESH_EXTERNAL
+ resolution: NONE
 EOF
 {{< /text >}}
diff --git a/content/zh/docs/tasks/traffic-management/ingress/gateway-api/index.md b/content/zh/docs/tasks/traffic-management/ingress/gateway-api/index.md
index c89b053ae9..55444d3ba9 100644
--- a/content/zh/docs/tasks/traffic-management/ingress/gateway-api/index.md
+++ b/content/zh/docs/tasks/traffic-management/ingress/gateway-api/index.md
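Review bot: `resolution: NONE` is added to the ServiceEntry in the `http-proxy` hunk without any explanation in the snippet or the surrounding prose, and the choice matters for an egress entry: with `NONE` the sidecar does not resolve the host but forwards the connection to whatever address the application dialed, so the entry's `hosts`/`addresses` (above the hunk, not visible here) are what limit where this TCP traffic may go. A short sentence next to the snippet saying why `NONE` is required here — presumably because the proxy is addressed by IP and no endpoints are listed — would keep readers from carrying the field into entries that rely on DNS resolution. The ServiceEntry definition begins outside the hunk.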
@@ -122,7 +122,9 @@ Gateway API 与 Istio API(如 Gateway 和 VirtualService)有很多相似之
 {{< text bash >}}
 $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST/get"
+ ...
 HTTP/1.1 200 OK
+ ...
 server: istio-envoy
 ...
 {{< /text >}}
@@ -176,12 +178,9 @@ Gateway API 与 Istio API(如 Gateway 和 VirtualService)有很多相似之
 1. 再次访问 `/headers`,注意到 `My-Added-Header` 标头已被添加到请求:
 {{< text bash >}}
- $ curl -s -HHost:httpbin.example.com "http://$INGRESS_HOST/headers"
- {
- "headers": {
- "Accept": "*/*",
- "Host": "httpbin.example.com",
- "My-Added-Header": "added-value",
+ $ curl -s -HHost:httpbin.example.com "http://$INGRESS_HOST/headers" | jq '.headers["My-Added-Header"][0]'
+ ...
+ "added-value"
 ...
 {{< /text >}}
diff --git a/content/zh/docs/tasks/traffic-management/ingress/ingress-control/index.md b/content/zh/docs/tasks/traffic-management/ingress/ingress-control/index.md
index 7f40d8ad4f..b46eee948c 100644
--- a/content/zh/docs/tasks/traffic-management/ingress/ingress-control/index.md
+++ b/content/zh/docs/tasks/traffic-management/ingress/ingress-control/index.md
@@ -293,7 +293,9 @@ $ export SECURE_INGRESS_PORT=$(kubectl get gtw my-gateway -o jsonpath='{.spec.li
 {{< text bash >}}
 $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
+ ...
 HTTP/1.1 200 OK
+ ...
 server: istio-envoy
 ...
 {{< /text >}}
diff --git a/content/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md b/content/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
index c90a8e8923..2164aff386 100644
--- a/content/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
+++ b/content/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
@@ -59,7 +59,9 @@ test: yes
 {{< text bash >}}
 $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
+ ...
 HTTP/1.1 200 OK
+ ...
 server: istio-envoy
 ...
 {{< /text >}}
diff --git a/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md b/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md
index daf8a7c5b9..6a9ec9d29f 100644
--- a/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md
+++ b/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md
@@ -246,15 +246,8 @@ $ export SECURE_INGRESS_PORT=$(kubectl get gtw mygateway -n istio-system -o json
 ...
 HTTP/2 418
 ...
- -=[ teapot ]=-
-
- _...._
- .' _ _ `.
- | ."` ^ `". _,
- \_;`"---"`|//
- | ;/
- \_ _/
- `"""`
+ I'm a teapot!
+ ...
 {{< /text >}}
 `httpbin` 服务将返回 [418 I'm a Teapot](https://tools.ietf.org/html/rfc7168#section-2.3.3) 代码。
@@ -276,15 +269,8 @@ $ export SECURE_INGRESS_PORT=$(kubectl get gtw mygateway -n istio-system -o json
 ...
 HTTP/2 418
 ...
- -=[ teapot ]=-
-
- _...._
- .' _ _ `.
- | ."` ^ `". _,
- \_;`"---"`|//
- | ;/
- \_ _/
- `"""`
+ I'm a teapot!
+ ...
 {{< /text >}}
 1) 如果您使用之前的证书链来访问 `httpbin`,则会失败:
@@ -480,21 +466,16 @@ EOF
 ...
 {{< /text >}}
-1) 向 `httpbin.example.com` 发送一个 HTTPS 请求,仍然返回一个茶壶:
+1) 向 `httpbin.example.com` 发送一个 HTTPS 请求,仍然返回一个 [HTTP 418](https://datatracker.ietf.org/doc/html/rfc2324):
 {{< text bash >}}
 $ curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
 --cacert example_certs1/example.com.crt "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
 ...
- -=[ teapot ]=-
-
- _...._
- .' _ _ `.
- | ."` ^ `". _,
- \_;`"---"`|//
- | ;/
- \_ _/
- `"""`
+ HTTP/2 418
+ ...
+ server: istio-envoy
+ ...
 {{< /text >}}
 ### 配置双向 TLS 入口网关 {#configure-a-mutual-tls-ingress-gateway}
@@ -618,15 +599,12 @@ EOF
 --cacert example_certs1/example.com.crt --cert example_certs1/client.example.com.crt --key example_certs1/client.example.com.key \
 "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
 ...
- -=[ teapot ]=-
-
- _...._
- .' _ _ `.
- | ."` ^ `". _,
- \_;`"---"`|//
- | ;/
- \_ _/
- `"""`
+ HTTP/2 418
+ ...
+ server: istio-envoy
+ ...
+ I'm a teapot!
+ ...
 {{< /text >}}
 ## 更多信息 {#more-info}