Automator: update istio.io@master reference docs (#6385)

Istio Automation 2020-02-03 07:31:25 -08:00 committed by GitHub
parent 65c2cc7594
commit 235e35dee4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 1672 additions and 59 deletions

View File

@ -113,7 +113,7 @@ debug and diagnose their Istio mesh.
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>Output format: one of [yaml log json] (default `log`)</td>
<td>Output format: one of [log json yaml] (default `log`)</td>
</tr>
<tr>
<td><code>--output-threshold &lt;Level&gt;</code></td>
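Review bot: in the `--output` row, both the old and the new description put the default in Markdown backticks (default `log`) inside an HTML table cell, so the backticks render literally. Since this line is being regenerated anyway, have the generator emit the default inside a code element, as the flag name and shorthand cells in the same row already do.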
@ -2554,7 +2554,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioControlPlane CustomResource (default `[]`)</td>
<td>Path to file containing IstioOperator custom resource (default `[]`)</td>
</tr>
<tr>
<td><code>--force</code></td>
@ -2867,7 +2867,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
@ -3044,7 +3044,7 @@ e.g.
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
@ -3276,7 +3276,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<tr>
<td><code>--filename &lt;string&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)</td>
</tr>
<tr>
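Review bot: the `--filename` row in this hunk declares the flag as `<string>` with an empty default, yet the description kept by the change still says "This flag can be specified multiple times to overlay multiple files". The other `--filename` rows carrying this sentence are typed `<stringSlice>` with default `[]`. Either the flag type or the sentence is wrong for this command; fix it in the command's flag definition rather than in the generated page. The same row in the next hunk has the same mismatch.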
@ -3362,7 +3362,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<tr>
<td><code>--filename &lt;string&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)</td>
</tr>
<tr>
@ -3480,6 +3480,10 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
</tr>
</tbody>
</table>
<h3 id="istioctl-profile Examples">Examples</h3>
<pre class="language-bash"><code>istioctl profile list
istioctl manifest apply --set profile=demo # Use a profile from the list
</code></pre>
<h2 id="istioctl-profile-diff">istioctl profile diff</h2>
<p>The diff subcommand displays the differences between two Istio configuration profiles.</p>
<pre class="language-bash"><code>istioctl profile diff &lt;file1.yaml&gt; &lt;file2.yaml&gt; [flags]
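Review bot: the added heading uses `id="istioctl-profile Examples"`, which contains a space. An HTML id must not contain whitespace, so this anchor cannot be linked reliably and breaks the hyphenated pattern of the neighbouring `id="istioctl-profile-diff"`. The generator should slug the id, for example `istioctl-profile-examples`. Separately, the second example line runs `istioctl manifest apply`, not a `profile` subcommand; a short sentence saying why it appears under `istioctl profile` would help.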
@ -3566,7 +3570,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
@ -4391,7 +4395,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioControlPlane CustomResource (default `[]`)</td>
<td>Path to file containing IstioOperator custom resource (default `[]`)</td>
</tr>
<tr>
<td><code>--force</code></td>

View File

@ -748,6 +748,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Location of a local or mounted CA root</td>
</tr>
<tr>
<td><code>SERVICE_ACCOUNT</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
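Review bot: the new `SERVICE_ACCOUNT` row is added with an empty default and an empty description cell, so the reference page now lists an environment variable for `pilot-discovery` without saying what it does. Given the name, readers will assume it affects the identity the process runs or authenticates as. Add a description where the variable is registered so the generated table states what it controls and what an empty value means.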

View File

@ -2517,12 +2517,12 @@ No
</section>
<h2 id="TypeInterface">TypeInterface</h2>
<section>
<p>GOTYPE: interface&lbrace;}</p>
<p>GOTYPE: interface{}</p>
</section>
<h2 id="TypeMapStringInterface">TypeMapStringInterface</h2>
<section>
<p>GOTYPE: map[string]interface&lbrace;}</p>
<p>GOTYPE: map[string]interface{}</p>
</section>
<h2 id="k8s-io-api-autoscaling-v2beta1-HorizontalPodAutoscalerSpec">k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec</h2>
@ -3073,7 +3073,7 @@ label selector matches no objects.</p>
<td><code>matchLabels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>matchLabels is a map of &lbrace;key,value} pairs. A single &lbrace;key,value} in the matchLabels
<p>matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is &ldquo;key&rdquo;, the
operator is &ldquo;In&rdquo;, and the values array contains only &ldquo;value&rdquo;. The requirements are ANDed.
+optional</p>

View File

@ -17,6 +17,9 @@ detection settings to detect and evict unhealthy hosts from the load
balancing pool. For example, a simple load balancing policy for the
ratings service would look as follows:</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
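Review bot: the tab shortcodes added here are emitted inside paragraph tags, and the open and close of one shortcode land in different paragraphs: `<p>{{<tabset category-name="example">}}` opens in one `<p>` while `{{</tabset>}}</p>` closes in another, with `<p>{{</tab>}}</p>` in between. If the shortcodes expand to block-level markup, the result is block elements nested in, and straddling, `<p>` elements. Check the rendered HTML for one of these examples and, if it is malformed, have the generator emit the shortcodes outside paragraph wrapping. This applies to every tabset added in this commit.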
@ -28,12 +31,33 @@ spec:
simple: LEAST_CONN
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-ratings
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
loadBalancer:
simple: LEAST_CONN
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>Version specific policies can be specified by defining a named
<code>subset</code> and overriding the settings specified at the service level. The
following rule uses a round robin load balancing policy for all traffic
going to a subset named testversion that is composed of endpoints (e.g.,
pods) with labels (version:v3).</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -52,6 +76,31 @@ spec:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-ratings
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
loadBalancer:
simple: LEAST_CONN
subsets:
- name: testversion
labels:
version: v3
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p><strong>Note:</strong> Policies specified for subsets will not take effect until
a route rule explicitly sends traffic to this subset.</p>
@ -60,6 +109,9 @@ following rule uses the least connection load balancing policy for all
traffic to port 80, while uses a round robin load balancing setting for
traffic to the port 9080.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -78,6 +130,31 @@ spec:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-ratings-port
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy: # Apply to all ports
portLevelSettings:
- port:
number: 80
loadBalancer:
simple: LEAST_CONN
- port:
number: 9080
loadBalancer:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<h2 id="ConnectionPoolSettings">ConnectionPoolSettings</h2>
<section>
<p>Connection pool settings for an upstream host. The settings apply to
@ -89,6 +166,9 @@ level as well as at HTTP level.</p>
<p>For example, the following rule sets a limit of 100 connections to redis
service called myredissrv with a connect timeout of 30ms</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -105,6 +185,29 @@ spec:
interval: 75s
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-redis
spec:
host: myredissrv.prod.svc.cluster.local
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
connectTimeout: 30ms
tcpKeepalive:
time: 7200s
interval: 75s
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
@ -477,6 +580,9 @@ for more details.</p>
<p>For example, the following rule uses a round robin load balancing policy
for all traffic going to the ratings service.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -488,10 +594,31 @@ spec:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-ratings
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following example sets up sticky sessions for the ratings service
hashing-based load balancer for the same ratings service using the
the User cookie as the hash key.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml"> apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -506,6 +633,27 @@ the User cookie as the hash key.</p>
ttl: 0s
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml"> apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-ratings
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
loadBalancer:
consistentHash:
httpCookie:
name: user
ttl: 0s
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
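Review bot: the v1beta1 tab copies the v1alpha3 example verbatim, including two things worth fixing at the source. The prose above it says the hash key is "the User cookie" while the example sets `name: user`; cookie names are case-sensitive, so the text and the YAML should agree. The code block also starts with a stray space before `apiVersion` in both tabs. The lead-in sentence itself ("sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service using the the User cookie") is garbled and could be repaired in the same pass.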
@ -728,7 +876,7 @@ Envoy for further details.</p>
distribution of traffic to endpoints based on the localities of where the
traffic originates and where it will terminate. These localities are
specified using arbitrary labels that designate a hierarchy of localities in
&lbrace;region}/&lbrace;zone}/&lbrace;sub-zone} form. For additional detail refer to
{region}/{zone}/{sub-zone} form. For additional detail refer to
<a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight">Locality Weight</a>
The following example shows how to setup locality weights mesh-wide.</p>
@ -828,7 +976,7 @@ No
<section>
<p>Describes how traffic originating in the &lsquo;from&rsquo; zone or sub-zone is
distributed over a set of &lsquo;to&rsquo; zones. Syntax for specifying a zone is
&lbrace;region}/&lbrace;zone}/&lbrace;sub-zone} and terminal wildcards are allowed on any
{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
segment of the specification. Examples:
* - matches all localities
us-west/* - all zones and sub-zones within the us-west region
@ -935,6 +1083,9 @@ it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
hosts to be scanned every 5 mins so that any host that fails 7 consecutive
times with a 502, 503, or 504 error code will be ejected for 15 minutes.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -954,6 +1105,32 @@ spec:
baseEjectionTime: 15m
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-cb-policy
spec:
host: reviews.prod.svc.cluster.local
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 10
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
@ -1079,6 +1256,9 @@ uses a round robin load balancing policy for all traffic going to a
subset named testversion that is composed of endpoints (e.g., pods) with
labels (version:v3).</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -1097,6 +1277,31 @@ spec:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: bookinfo-ratings
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
loadBalancer:
simple: LEAST_CONN
subsets:
- name: testversion
labels:
version: v3
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p><strong>Note:</strong> Policies specified for subsets will not take effect until
a route rule explicitly sends traffic to this subset.</p>
@ -1166,6 +1371,9 @@ for more details. These settings are common to both HTTP and TCP upstreams.</p>
<p>For example, the following rule configures a client to use mutual TLS
for connections to upstream database cluster.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -1180,9 +1388,33 @@ spec:
caCertificates: /etc/certs/rootcacerts.pem
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: db-mtls
spec:
host: mydbserver.prod.svc.cluster.local
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following rule configures a client to use TLS when talking to a
foreign service whose domain matches *.foo.com.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -1194,9 +1426,30 @@ spec:
mode: SIMPLE
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: tls-foo
spec:
host: &quot;*.foo.com&quot;
trafficPolicy:
tls:
mode: SIMPLE
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following rule configures a client to use Istio mutual TLS when talking
to rating services.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
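Review bot: the `tls-foo` example for `*.foo.com` sets only `mode: SIMPLE` under `tls`, with no `caCertificates` and no `subjectAltNames`, and the sentence introducing it says only that the client will "use TLS". Now that the example is duplicated for v1beta1, it is worth adding a sentence stating what the client verifies about the server in this configuration, or extending the example with the verification fields, so readers do not copy it assuming the server certificate is checked against a specific CA or name.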
@ -1208,6 +1461,24 @@ spec:
mode: ISTIO_MUTUAL
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: ratings-istio-mtls
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>

View File

@ -126,7 +126,7 @@ spec:
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
&quot;lua_cluster&quot;,
&lbrace;
{
[&quot;:method&quot;] = &quot;POST&quot;,
[&quot;:path&quot;] = &quot;/acl&quot;,
[&quot;:authority&quot;] = &quot;internal.org.net&quot;

View File

@ -23,6 +23,9 @@ my-gateway-controller</code>. While Istio will configure the proxy to listen
on these ports, it is the responsibility of the user to ensure that
external traffic to these ports are allowed into the mesh.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@ -75,6 +78,65 @@ spec:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: my-gateway
namespace: some-config-namespace
spec:
selector:
app: my-gateway-controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- uk.bookinfo.com
- eu.bookinfo.com
tls:
httpsRedirect: true # sends 301 redirect for http requests
- port:
number: 443
name: https-443
protocol: HTTPS
hosts:
- uk.bookinfo.com
- eu.bookinfo.com
tls:
mode: SIMPLE # enables HTTPS on this port
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
- port:
number: 9443
name: https-9443
protocol: HTTPS
hosts:
- &quot;bookinfo-namespace/*.bookinfo.com&quot;
tls:
mode: SIMPLE # enables HTTPS on this port
credentialName: bookinfo-secret # fetches certs from Kubernetes secret
- port:
number: 9080
name: http-wildcard
protocol: HTTP
hosts:
- &quot;*&quot;
- port:
number: 2379 # to expose internal service via external port 2379
name: mongo
protocol: MONGO
hosts:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The Gateway specification above describes the L4-L6 properties of a load
balancer. A <code>VirtualService</code> can then be bound to a gateway to control
the forwarding of traffic arriving at a particular host or gateway port.</p>
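Review bot: the mongo server in this Gateway listens on `number: 2379`, with the comment "to expose internal service via external port 2379", but the Mongo VirtualService example further down this page says traffic arrives at external port 27017 and matches `- port: 27017`. No server on `my-gateway` uses 27017, so the two examples do not fit together. Pick one port and use it in both the Gateway and the VirtualService, in both tabs.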
@ -90,6 +152,9 @@ requests to the &ldquo;reviews.prod.svc.cluster.local&rdquo; service. This rule
applicable across ports 443, 9080. Note that <code>http://uk.bookinfo.com</code>
gets redirected to <code>https://uk.bookinfo.com</code> (i.e. 80 redirects to 443).</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -127,11 +192,58 @@ spec:
weight: 20
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo-rule
namespace: bookinfo-namespace
spec:
hosts:
- reviews.prod.svc.cluster.local
- uk.bookinfo.com
- eu.bookinfo.com
gateways:
- some-config-namespace/my-gateway
- mesh # applies to all the sidecars in the mesh
http:
- match:
- headers:
cookie:
exact: &quot;user=dev-123&quot;
route:
- destination:
port:
number: 7777
host: reviews.qa.svc.cluster.local
- match:
- uri:
prefix: /reviews/
route:
- destination:
port:
number: 9080 # can be omitted if it's the only port for reviews
host: reviews.prod.svc.cluster.local
weight: 80
- destination:
host: reviews.qa.svc.cluster.local
weight: 20
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following VirtualService forwards traffic arriving at (external)
port 27017 to internal Mongo server on port 5555. This rule is not
applicable internally in the mesh as the gateway list omits the
reserved name <code>mesh</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -153,12 +265,43 @@ spec:
number: 5555
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo-Mongo
namespace: bookinfo-namespace
spec:
hosts:
- mongosvr.prod.svc.cluster.local # name of internal Mongo service
gateways:
- some-config-namespace/my-gateway # can omit the namespace if gateway is in same
namespace as virtual service.
tcp:
- match:
- port: 27017
route:
- destination:
host: mongo.prod.svc.cluster.local
port:
number: 5555
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>It is possible to restrict the set of virtual services that can bind to
a gateway server using the namespace/hostname syntax in the hosts field.
For example, the following Gateway allows any virtual service in the ns1
namespace to bind to it, while restricting only the virtual service with
foo.bar.com host in the ns2 namespace to bind to it.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
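Review bot: in the v1beta1 VirtualService, the comment on the `some-config-namespace/my-gateway` line wraps onto a new line, "namespace as virtual service.", that has no `#`, so the block is not valid YAML as shown. Keep the comment on one line or prefix the continuation with `#`. Also, `name: bookinfo-Mongo` contains an uppercase letter; Kubernetes object names must be lowercase, so the example would be rejected on apply. Use `bookinfo-mongo`.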
@ -177,6 +320,31 @@ spec:
- &quot;ns2/foo.bar.com&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: my-gateway
namespace: some-config-namespace
spec:
selector:
app: my-gateway-controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &quot;ns1/*&quot;
- &quot;ns2/foo.bar.com&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<h2 id="Gateway">Gateway</h2>
<section>
<p>Gateway describes a load balancer operating at the edge of the mesh
@ -279,6 +447,9 @@ No
<p><code>Server</code> describes the properties of the proxy on a given load balancer
port. For example,</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@ -295,8 +466,34 @@ spec:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: my-ingress
spec:
selector:
app: my-ingress-gateway
servers:
- port:
number: 80
name: http2
protocol: HTTP2
hosts:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>Another example</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@ -313,8 +510,34 @@ spec:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: my-tcp-ingress
spec:
selector:
app: my-tcp-ingress-gateway
servers:
- port:
number: 27018
name: mongo
protocol: MONGO
hosts:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following is an example of TLS configuration for port 443</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@ -335,6 +558,33 @@ spec:
privateKey: /etc/certs/privatekey.pem
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: my-tls-ingress
spec:
selector:
app: my-tls-ingress-gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- &quot;*&quot;
tls:
mode: SIMPLE
serverCertificate: /etc/certs/server.pem
privateKey: /etc/certs/privatekey.pem
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>

View File

@ -22,6 +22,9 @@ service registry (e.g., a set of VMs talking to services in Kubernetes).</p>
applications over HTTPS. The sidecar inspects the SNI value in the
ClientHello message to route to the appropriate external service.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -39,11 +42,38 @@ spec:
resolution: DNS
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-https
spec:
hosts:
- api.dropboxapi.com
- www.googleapis.com
- api.facebook.com
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: DNS
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following configuration adds a set of MongoDB instances running on
unmanaged VMs to Istio&rsquo;s registry, so that these services can be treated
as any other service in the mesh. The associated DestinationRule is used
to initiate mTLS connections to the database instances.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -64,8 +94,38 @@ spec:
- address: 3.3.3.3
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-mongocluster
spec:
hosts:
- mymongodb.somedomain # not used
addresses:
- 192.192.192.192/24 # VIPs
ports:
- number: 27018
name: mongodb
protocol: MONGO
location: MESH_INTERNAL
resolution: STATIC
endpoints:
- address: 2.2.2.2
- address: 3.3.3.3
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>and the associated DestinationRule</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -80,10 +140,34 @@ spec:
caCertificates: /etc/certs/rootcacerts.pem
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: mtls-mongocluster
spec:
host: mymongodb.somedomain
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following example uses a combination of service entry and TLS
routing in a virtual service to steer traffic based on the SNI value to
an internal egress firewall.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -100,8 +184,34 @@ spec:
resolution: NONE
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-redirect
spec:
hosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: NONE
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>And the associated VirtualService to route based on the SNI value.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -120,6 +230,31 @@ spec:
host: internal-egress-firewall.ns1.svc.cluster.local
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: tls-routing
spec:
hosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
tls:
- match:
- sniHosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
route:
- destination:
host: internal-egress-firewall.ns1.svc.cluster.local
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The virtual service with TLS match serves to override the default SNI
match. In the absence of a virtual service, traffic will be forwarded to
the wikipedia domains.</p>
@ -132,6 +267,9 @@ to all namespaces. The following example restricts the visibility to the
current namespace, represented by &ldquo;.&rdquo;, so that it cannot be used by other
namespaces.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -150,8 +288,36 @@ spec:
resolution: DNS
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-httpbin
namespace : egress
spec:
hosts:
- httpbin.com
exportTo:
- &quot;.&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>Define a gateway to handle all egress traffic.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
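Review bot: style nit in the v1beta1 ServiceEntry: `namespace : egress` has a space before the colon, while every other key in the block and the `namespace: egress` line in the later gateway-routing example do not. Normalise it in the proto comment so both tabs are generated consistently.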
@ -169,6 +335,30 @@ spec:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
selector:
istio: egressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &quot;*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>And the associated <code>VirtualService</code> to route from the sidecar to the
gateway service (<code>istio-egressgateway.istio-system.svc.cluster.local</code>), as
well as route from the gateway to the external service. Note that the
@ -176,6 +366,9 @@ virtual service is exported to all namespaces enabling them to route traffic
through the gateway to the external service. Forcing traffic to go through
a managed middle proxy like this is a common practice.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -206,11 +399,51 @@ spec:
host: httpbin.com
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: gateway-routing
namespace: egress
spec:
hosts:
- httpbin.com
exportTo:
- &quot;*&quot;
gateways:
- mesh
- istio-egressgateway
http:
- match:
- port: 80
gateways:
- mesh
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
- match:
- port: 80
gateways:
- istio-egressgateway
route:
- destination:
host: httpbin.com
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following example demonstrates the use of wildcards in the hosts for
external services. If the connection has to be routed to the IP address
requested by the application (i.e. application resolves DNS and attempts
to connect to a specific IP), the discovery mode must be set to <code>NONE</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
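Review bot: In the v1beta1 gateway-routing VirtualService, metadata.namespace is "egress" while the gateways list names "istio-egressgateway" without a namespace, and the Gateway shown earlier on this page is declared in "istio-system". An unqualified gateway name is looked up in the VirtualService's own namespace, so please check whether both the top-level gateways entry and the second match should read "istio-system/istio-egressgateway". An egress example that silently fails to bind to the gateway teaches readers a configuration in which traffic does not pass through the managed proxy at all.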
@ -226,10 +459,35 @@ spec:
resolution: NONE
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-wildcard-example
spec:
hosts:
- &quot;*.bar.com&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: NONE
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following example demonstrates a service that is available via a
Unix Domain Socket on the host of the client. The resolution must be
set to STATIC to use Unix address endpoints.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -247,6 +505,30 @@ spec:
- address: unix:///var/run/example/socket
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: unix-domain-socket-example
spec:
hosts:
- &quot;example.unix.local&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: unix:///var/run/example/socket
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>For HTTP-based services, it is possible to create a <code>VirtualService</code>
backed by multiple DNS addressable endpoints. In such a scenario, the
application can use the <code>HTTP_PROXY</code> environment variable to transparently
@ -255,6 +537,9 @@ example, the following configuration creates a non-existent external
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
uk.foo.bar.com:9080, and in.foo.bar.com:7080</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -280,6 +565,38 @@ spec:
https: 7080
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-dns
spec:
hosts:
- foo.bar.com
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
endpoints:
- address: us.foo.bar.com
ports:
https: 8080
- address: uk.foo.bar.com
ports:
https: 9080
- address: in.foo.bar.com
ports:
https: 7080
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>With <code>HTTP_PROXY=http://localhost/</code>, calls from the application to
<code>http://foo.bar.com</code> will be load balanced across the three domains
specified above. In other words, a call to <code>http://foo.bar.com/baz</code> would
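Review bot: In the v1beta1 external-svc-dns ServiceEntry, the service port is declared with "name: http" but each endpoint's ports map is keyed "https" (for example "https: 8080"). Endpoint port keys refer to the port names declared under ports, and the surrounding text describes plain HTTP via HTTP_PROXY, so the keys should be "http". The generated v1beta1 tab is a good moment to correct this in the source comment for both API versions.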
@ -289,6 +606,9 @@ be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
containing a subject alternate name
whose format conforms to the <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md">SPIFFE standard</a>:</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -310,6 +630,34 @@ spec:
- &quot;spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: httpbin
namespace : httpbin-ns
spec:
hosts:
- httpbin.com
location: MESH_INTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: 2.2.2.2
- address: 3.3.3.3
subjectAltNames:
- &quot;spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<h2 id="ServiceEntry">ServiceEntry</h2>
<section>
<p>ServiceEntry enables adding additional entries into Istio&rsquo;s internal
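Review bot: Style point in the v1beta1 httpbin ServiceEntry metadata: "namespace : httpbin-ns" has a space before the colon, unlike every other key in these examples. It parses, but readers copy these snippets verbatim and linters flag it; normalise it to "namespace: httpbin-ns" in the source proto comment.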

View File

@ -48,6 +48,9 @@ root namespace called <code>istio-config</code>, that configures sidecars in
all namespaces to allow egress traffic only to other workloads in
the same namespace, and to services in the <code>istio-system</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@ -60,12 +63,34 @@ spec:
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- &quot;./*&quot;
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The example below declares a <code>Sidecar</code> configuration in the <code>prod-us1</code>
namespace that overrides the global default defined above, and
configures the sidecars in the namespace to allow egress traffic to
public services in the <code>prod-us1</code>, <code>prod-apis</code>, and the <code>istio-system</code>
namespaces.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@ -79,6 +104,26 @@ spec:
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
egress:
- hosts:
- &quot;prod-us1/*&quot;
- &quot;prod-apis/*&quot;
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The example below declares a <code>Sidecar</code> configuration in the <code>prod-us1</code> namespace
that accepts inbound HTTP traffic on port 9080 and forwards
it to the attached workload instance listening on a Unix domain socket. In the
@ -86,6 +131,9 @@ egress direction, in addition to the <code>istio-system</code> namespace, the si
proxies only HTTP traffic bound for port 9080 for services in the
<code>prod-us1</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@ -109,6 +157,36 @@ spec:
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- &quot;prod-us1/*&quot;
- hosts:
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If the workload is deployed without IPTables-based traffic capture, the
<code>Sidecar</code> configuration is the only way to configure the ports on the proxy
attached to the workload instance. The following example declares a <code>Sidecar</code>
@ -122,6 +200,9 @@ on port 9080 and forward it to the application listening on
backing MySQL database on <code>127.0.0.1:3306</code>, that then gets proxied to the
externally hosted MySQL service at <code>mysql.foo.com:3306</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@ -149,8 +230,45 @@ spec:
- &quot;*/mysql.foo.com&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: no-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- port:
number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE # not needed if metadata is set for entire proxy
egress:
- port:
number: 3306
protocol: MYSQL
name: egressmysql
captureMode: NONE # not needed if metadata is set for entire proxy
bind: 127.0.0.1
hosts:
- &quot;*/mysql.foo.com&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>And the associated service entry for routing to <code>mysql.foo.com:3306</code></p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
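Review bot: In the v1beta1 no-ip-tables Sidecar, the ingress listener has no bind field and its own comment says it falls back to 0.0.0.0:9080 when the instance has no unicast IP, while the egress listener in the same example is pinned with "bind: 127.0.0.1". Since this example is the reference for running without IPTables capture, consider showing an explicit ingress bind, as the partial-ip-tables example further down does with "bind: 172.16.1.32", or state in the prose that the wildcard fallback exposes the port on every interface.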
@ -167,6 +285,29 @@ spec:
resolution: DNS
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-mysql
namespace: ns1
spec:
hosts:
- mysql.foo.com
ports:
- number: 3306
name: mysql
protocol: MYSQL
location: MESH_EXTERNAL
resolution: DNS
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>It is also possible to mix and match traffic capture modes in a single
proxy. For example, consider a setup where internal services are on the
<code>192.168.0.0/16</code> subnet. So, IP tables are setup on the VM to capture all
@ -179,6 +320,9 @@ listener on <code>172.16.1.32:80</code> (the VM&rsquo;s IP) for traffic arriving
contain <code>REDIRECT</code> or <code>TPROXY</code> as its value, implying that IP tables
based traffic capture is active.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@ -206,6 +350,40 @@ spec:
- &quot;*/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: partial-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- bind: 172.16.1.32
port:
number: 80 # binds to 172.16.1.32:80
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE
egress:
# use the system detected defaults
# sets up configuration to handle outbound traffic to services
# in 192.168.0.0/16 subnet, based on information provided by the
# service registry
- captureMode: IPTABLES
hosts:
- &quot;*/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<h2 id="CaptureMode">CaptureMode</h2>
<section>
<p><code>CaptureMode</code> describes how traffic to a listener is expected to be

View File

@ -52,6 +52,9 @@ pods of the reviews service with label &ldquo;version: v1&rdquo;. In addition,
HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
be rewritten to /newcatalog and sent to pods with label &ldquo;version: v2&rdquo;.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -79,10 +82,47 @@ spec:
subset: v1
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- name: &quot;reviews-v2-routes&quot;
match:
- uri:
prefix: &quot;/wpcatalog&quot;
- uri:
prefix: &quot;/consumercatalog&quot;
rewrite:
uri: &quot;/newcatalog&quot;
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
- name: &quot;reviews-v1-route&quot;
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>A subset/version of a route destination is identified with a reference
to a named service subset which must be declared in a corresponding
<code>DestinationRule</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -98,6 +138,28 @@ spec:
version: v2
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: reviews.prod.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<h2 id="CorsPolicy">CorsPolicy</h2>
<section>
<p>Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
@ -108,6 +170,9 @@ from example.com domain using HTTP POST/GET, and sets the
<code>Access-Control-Allow-Credentials</code> header to false. In addition, it only
exposes <code>X-Foo-bar</code> header and sets an expiry period of 1 day.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -132,6 +197,37 @@ spec:
maxAge: &quot;24h&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
corsPolicy:
allowOrigin:
- example.com
allowMethods:
- POST
- GET
allowCredentials: false
allowHeaders:
- X-Foo-Bar
maxAge: &quot;24h&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
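Review bot: The v1beta1 ratings-route example does not match the description above it. The text says the policy "only exposes X-Foo-bar header", but the YAML sets "allowHeaders: - X-Foo-Bar" and has no exposeHeaders entry, and the header name differs in case between text and YAML. Either change the example to use exposeHeaders or reword the description to say the header is allowed on requests, and use one spelling of the header name in both places.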
@ -242,6 +338,9 @@ domain names over short names.</em></p>
of the reviews service with label &ldquo;version: v1&rdquo; (i.e., subset v1), and
some to subset v2, in a Kubernetes environment.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -268,8 +367,44 @@ spec:
subset: v1
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
namespace: foo
spec:
hosts:
- reviews # interpreted as reviews.foo.svc.cluster.local
http:
- match:
- uri:
prefix: &quot;/wpcatalog&quot;
- uri:
prefix: &quot;/consumercatalog&quot;
rewrite:
uri: &quot;/newcatalog&quot;
route:
- destination:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subset: v2
- route:
- destination:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subset: v1
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>And the associated DestinationRule</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -286,6 +421,29 @@ spec:
version: v2
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-destination
namespace: foo
spec:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following VirtualService sets a timeout of 5s for all calls to
productpage.prod.svc.cluster.local service in Kubernetes. Notice that
there are no subsets defined in this rule. Istio will fetch all
@ -296,6 +454,9 @@ qualified domain name of the productpage service,
productpage.prod.svc.cluster.local. Therefore the rule&rsquo;s namespace does
not have an impact in resolving the name of the productpage service.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -311,12 +472,37 @@ spec:
host: productpage.prod.svc.cluster.local
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: my-productpage-rule
namespace: istio-system
spec:
hosts:
- productpage.prod.svc.cluster.local # ignores rule namespace
http:
- timeout: 5s
route:
- destination:
host: productpage.prod.svc.cluster.local
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>To control routing for traffic bound to services outside the mesh, external
services must first be added to Istio&rsquo;s internal service registry using the
ServiceEntry resource. VirtualServices can then be defined to control traffic
bound to these external services. For example, the following rules define a
Service for wikipedia.org and set a timeout of 5s for HTTP requests.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@ -345,6 +531,41 @@ spec:
host: wikipedia.org
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-wikipedia
spec:
hosts:
- wikipedia.org
location: MESH_EXTERNAL
ports:
- number: 80
name: example-http
protocol: HTTP
resolution: DNS
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-wiki-rule
spec:
hosts:
- wikipedia.org
http:
- timeout: 5s
route:
- destination:
host: wikipedia.org
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
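Review bot: The v1beta1 tab for the wikipedia.org example is only half converted. The ServiceEntry uses "apiVersion: networking.istio.io/v1beta1", but the VirtualService that follows still says "apiVersion: networking.istio.io/v1alpha3". The two resources also run together with no "---" document separator between "resolution: DNS" and the second apiVersion line, so the block is not valid as a single manifest. Update the second apiVersion in the v1beta1 tab and add the separator in both tabs.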
@ -462,6 +683,9 @@ No
pre-specified error code. The following example will return an HTTP 400
error code for 1 out of every 1000 requests to the &ldquo;ratings&rdquo; service &ldquo;v1&rdquo;.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -481,6 +705,32 @@ spec:
httpStatus: 400
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
fault:
abort:
percentage:
value: 0.1
httpStatus: 400
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The <em>httpStatus</em> field is used to indicate the HTTP status code to
return to the caller. The optional <em>percentage</em> field can be used to only
abort a certain percentage of requests. If not specified, all requests are
@ -528,6 +778,9 @@ forwarding path. The following example will introduce a 5 second delay
in 1 out of every 1000 requests to the &ldquo;v1&rdquo; version of the &ldquo;reviews&rdquo;
service from all pods with label env: prod</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -550,6 +803,35 @@ spec:
fixedDelay: 5s
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- match:
- sourceLabels:
env: prod
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
fault:
delay:
percentage:
value: 0.1
fixedDelay: 5s
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The <em>fixedDelay</em> field is used to indicate the amount of delay in seconds.
The optional <em>percentage</em> field can be used to only delay a certain
percentage of requests. If left unspecified, all request will be delayed.</p>
@ -611,6 +893,9 @@ restricts the rule to match only requests where the URL path
starts with /ratings/v2/ and the request contains a custom <code>end-user</code> header
with value <code>jason</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -631,6 +916,33 @@ spec:
host: ratings.prod.svc.cluster.local
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- headers:
end-user:
exact: jason
uri:
prefix: &quot;/ratings/v2/&quot;
ignoreUriCase: true
route:
- destination:
host: ratings.prod.svc.cluster.local
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>HTTPMatchRequest CANNOT be empty.</p>
<table class="message-fields">
@ -863,6 +1175,9 @@ the specified values. For example, the following rule redirects
requests for /v1/getProductRatings API on the ratings service to
/v1/bookRatings provided by the bookratings service.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -880,6 +1195,30 @@ spec:
...
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- uri:
exact: /v1/getProductRatings
redirect:
uri: /v1/bookRatings
authority: newratings.default.svc.cluster.local
...
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
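Review bot: In the v1beta1 redirect example, the prose says requests are redirected to /v1/bookRatings "provided by the bookratings service", but the YAML sets "authority: newratings.default.svc.cluster.local". Make the service name in the description and the authority value agree, since the authority is exactly what a reader checks when verifying where a redirect sends clients.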
@ -936,6 +1275,9 @@ No
example, the following rule sets the maximum number of retries to 3 when
calling ratings:v1 service, with a 2s timeout per retry attempt.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -954,6 +1296,31 @@ spec:
retryOn: gateway-error,connect-failure,refused-stream
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
retries:
attempts: 3
perTryTimeout: 2s
retryOn: gateway-error,connect-failure,refused-stream
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
@ -1014,6 +1381,9 @@ be used only with HTTPRouteDestination. The following example
demonstrates how to rewrite the URL prefix for api call (/ratings) to
ratings service before making the actual API call.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -1033,6 +1403,32 @@ spec:
subset: v1
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- uri:
prefix: /ratings
rewrite:
uri: /v1/bookRatings
route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
@ -1266,6 +1662,9 @@ following rule will route 25% of traffic for the &ldquo;reviews&rdquo; service t
instances with the &ldquo;v2&rdquo; tag and the remaining traffic (i.e., 75%) to
&ldquo;v1&rdquo;.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -1285,8 +1684,37 @@ spec:
weight: 75
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
weight: 75
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>And the associated DestinationRule</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@ -1302,10 +1730,35 @@ spec:
version: v2
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: reviews.prod.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>Traffic can also be split across two entirely different services without
having to define new subsets. For example, the following rule forwards 25% of
traffic to reviews.com to dev.reviews.com</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -1323,6 +1776,30 @@ spec:
weight: 75
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route-two-domains
spec:
hosts:
- reviews.com
http:
- route:
- destination:
host: dev.reviews.com
weight: 25
- destination:
host: reviews.com
weight: 75
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
@ -1375,41 +1852,6 @@ No
</section>
<h2 id="Headers">Headers</h2>
<section>
<p>Message headers can be manipulated when Envoy forwards requests to,
or responses from, a destination service. Header manipulation rules can
be specified for a specific route destination or for all destinations.
The following VirtualService adds a <code>test</code> header with the value <code>true</code>
to requests that are routed to any <code>reviews</code> service destination.
It also romoves the <code>foo</code> response header, but only from responses
coming from the <code>v1</code> subset (version) of the <code>reviews</code> service.</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- headers:
request:
set:
test: true
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
headers:
response:
remove:
- foo
weight: 75
</code></pre>
<table class="message-fields">
<thead>
<tr>
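Review bot: This hunk removes the whole introduction of the Headers section, the paragraph beginning "Message headers can be manipulated" together with its reviews-route example, and adds nothing back, so the section now goes from the heading straight to the field table. The other examples on this page gained a v1beta1 tab rather than being dropped, which suggests a generator side effect rather than an intended removal. Please restore the paragraph and example with both tabs, and fix the "romoves" typo in the source comment at the same time.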
@ -1722,6 +2164,9 @@ Yes
following routing rule forwards traffic arriving at port 27017 for
mongo.prod.svc.cluster.local to another Mongo server on port 5555.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -1739,6 +2184,30 @@ spec:
number: 5555
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo-Mongo
spec:
hosts:
- mongo.prod.svc.cluster.local
tcp:
- match:
- port: 27017
route:
- destination:
host: mongo.backup.svc.cluster.local
port:
number: 5555
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
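Review bot: In the v1beta1 TCP routing example, "name: bookinfo-Mongo" contains an uppercase letter. Kubernetes object names must be lowercase DNS-1123 names, so applying this manifest as written is rejected; use "bookinfo-mongo" in both tabs.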
@ -1868,6 +2337,9 @@ traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
traffic arriving at port 443 of gateway called &ldquo;mygateway&rdquo; to internal
services in the mesh based on the SNI value.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -1894,6 +2366,39 @@ spec:
host: reviews.prod.svc.cluster.local
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo-sni
spec:
hosts:
- &quot;*.bookinfo.com&quot;
gateways:
- mygateway
tls:
- match:
- port: 443
sniHosts:
- login.bookinfo.com
route:
- destination:
host: login.prod.svc.cluster.local
- match:
- port: 443
sniHosts:
- reviews.bookinfo.com
route:
- destination:
host: reviews.prod.svc.cluster.local
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>

View File

@ -0,0 +1,51 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/layer5io/layer5-istio-adapter' REPO
source_repo: https://github.com/layer5io/layer5-istio-adapter
title: Layer5 adapter
description: Adapter to deliver metrics to Layer5.
location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/layer5.html
layout: partner-component
generator: protoc-gen-docs
provider: Layer5, Inc.
contact_email: community@layer5.io
support_link:
source_link: https://github.com/layer5io/layer5-istio-adapter
latest_release_link: https://github.com/layer5io/layer5-istio-adapter/releases
helm_chart_link:
istio_versions: "1.1+"
supported_templates: metric
logo_link: https://github.com/layer5io/layer5-istio-adapter/blob/master/layer5.svg
number_of_entries: 1
---
<p>The <code>layer5</code> adapter collects metrics</p>
<p>This adapter supports the <a href="/docs/reference/config/policy-and-telemetry/templates/metric/">metric template</a>.</p>
<h2 id="Params">Params</h2>
<section>
<p>config for layer5 adapter</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Params-file_path">
<td><code>filePath</code></td>
<td><code>string</code></td>
<td>
<p>Path of the file to save the information about runtime requests.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
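Review bot: Missing documentation in the new Layer5 adapter page: filePath is marked as not required, but the description does not say where request information is written, or whether anything is written, when the field is omitted. Because the file holds "information about runtime requests", the page should also state what is recorded and what permissions the file gets. Separately, support_link and helm_chart_link are empty in the front matter, and the sentence "The layer5 adapter collects metrics" lacks its full stop. As the file is auto-generated, these need fixing in the layer5-istio-adapter source repo named in the header.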

View File

@ -174,13 +174,13 @@ spec:
api.operation:
stringValue: findPetById
httpMethod: GET
uriTemplate: /api/pets/&lbrace;id}
uriTemplate: /api/pets/{id}
- attributes:
attributes:
api.operation:
stringValue: deletePet
httpMethod: DELETE
uriTemplate: /api/pets/&lbrace;id}
uriTemplate: /api/pets/{id}
apiKeys:
- query: api-key
</code></pre>
@ -358,9 +358,9 @@ No
following are valid URI templates:</p>
<pre><code>/pets
/pets/&lbrace;id}
/dictionary/&lbrace;term:1}/&lbrace;term}
/search&lbrace;?q*,lang}
/pets/{id}
/dictionary/{term:1}/{term}
/search{?q*,lang}
</code></pre>
</td>
@ -375,7 +375,7 @@ Yes
<p>EXPERIMENTAL:</p>
<p>ecmascript style regex-based match as defined by
<a href="http://en.cppreference.com/w/cpp/regex">EDCA-262</a>. For
<a href="http://en.cppreference.com/w/cpp/regex/ecmascript">EDCA-262</a>. For
example,</p>
<pre><code>&quot;^/pets/(.*?)?&quot;
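Review bot: The href is corrected to the ecmascript page here, but the link text still reads "EDCA-262". The standard is ECMA-262, so fix the anchor text in the source comment in the same change.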

View File

@ -121,7 +121,7 @@ Yes
We map from attribute name to the attribute&rsquo;s specification. The name of an attribute,
which is how attributes are referred to in aspect configuration, must conform to:</p>
<pre><code>Name = IDENT &lbrace; SEPARATOR IDENT };
<pre><code>Name = IDENT { SEPARATOR IDENT };
</code></pre>
<p>Where <code>IDENT</code> must match the regular expression <code>*a-z*+</code> and <code>SEPARATOR</code> must
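Review bot: The brace fix in the grammar line is fine, but the context line right after it still says IDENT must match the regular expression "*a-z*+", which is not a valid pattern and looks like bracket expressions lost to markup processing, much as the braces were. Since attribute names are validated against this rule, restore the intended expression from the source proto comment and escape it so it survives rendering.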

View File

@ -124,7 +124,7 @@ metadata:
name: policy
namespace: foo
spec:
&lbrace;}
{}
</code></pre>
<p>The following authorization policy applies to workloads containing label
@ -155,7 +155,7 @@ metadata:
name: deny-all
namespace: foo
spec:
&lbrace;}
{}
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace
@ -168,7 +168,7 @@ metadata:
namespace: foo
spec:
rules:
- &lbrace;}
- {}
</code></pre>
<table class="message-fields">