diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index b12a94b6e8..dd8b244914 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -113,7 +113,7 @@ debug and diagnose their Istio mesh.
--output <string> |
-o |
-Output format: one of [yaml log json] (default `log`) |
+Output format: one of [log json yaml] (default `log`) |
--output-threshold <Level> |
@@ -2554,7 +2554,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--filename <stringSlice> |
-f |
-Path to file containing IstioControlPlane CustomResource (default `[]`) |
+Path to file containing IstioOperator custom resource (default `[]`) |
--force |
@@ -2867,7 +2867,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
--filename <stringSlice> |
-f |
-Path to file containing IstioOperator CustomResource
+ | Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`) |
@@ -3044,7 +3044,7 @@ e.g.
--filename <stringSlice> |
-f |
-Path to file containing IstioOperator CustomResource
+ | Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`) |
@@ -3276,7 +3276,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
--filename <string> |
-f |
-Path to file containing IstioOperator CustomResource
+ | Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``) |
@@ -3362,7 +3362,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
--filename <string> |
-f |
-Path to file containing IstioOperator CustomResource
+ | Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``) |
@@ -3480,6 +3480,10 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
+Examples
+istioctl profile list
+istioctl manifest apply --set profile=demo # Use a profile from the list
+
istioctl profile diff
The diff subcommand displays the differences between two Istio configuration profiles.
istioctl profile diff <file1.yaml> <file2.yaml> [flags]
@@ -3566,7 +3570,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
--filename <stringSlice> |
-f |
-Path to file containing IstioOperator CustomResource
+ | Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`) |
@@ -4391,7 +4395,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--filename <stringSlice> |
-f |
-Path to file containing IstioControlPlane CustomResource (default `[]`) |
+Path to file containing IstioOperator custom resource (default `[]`) |
--force |
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index f543664fc1..4b7b6a7434 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -748,6 +748,12 @@ These environment variables affect the behavior of the pilot-discoveryLocation of a local or mounted CA root
+SERVICE_ACCOUNT |
+String |
+ |
+ |
+
+
TERMINATION_DRAIN_DURATION_SECONDS |
Integer |
5 |
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
index 1facf08302..bcca66c9bc 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
@@ -2517,12 +2517,12 @@ No
TypeInterface
-GOTYPE: interface{}
+GOTYPE: interface{}
TypeMapStringInterface
-GOTYPE: map[string]interface{}
+GOTYPE: map[string]interface{}
k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec
@@ -3073,7 +3073,7 @@ label selector matches no objects.
matchLabels |
map<string, string> |
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
+optional
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index 6dab512ff0..c6828c0a16 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -17,6 +17,9 @@ detection settings to detect and evict unhealthy hosts from the load
balancing pool. For example, a simple load balancing policy for the
ratings service would look as follows:
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -28,12 +31,33 @@ spec:
simple: LEAST_CONN
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: bookinfo-ratings
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ loadBalancer:
+ simple: LEAST_CONN
+
+
+{{}}
+{{}}
+
Version specific policies can be specified by defining a named
subset and overriding the settings specified at the service level. The
following rule uses a round robin load balancing policy for all traffic
going to a subset named testversion that is composed of endpoints (e.g.,
pods) with labels (version:v3).
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -52,6 +76,31 @@ spec:
simple: ROUND_ROBIN
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: bookinfo-ratings
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ loadBalancer:
+ simple: LEAST_CONN
+ subsets:
+ - name: testversion
+ labels:
+ version: v3
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+
+
+{{}}
+{{}}
+
Note: Policies specified for subsets will not take effect until
a route rule explicitly sends traffic to this subset.
@@ -60,6 +109,9 @@ following rule uses the least connection load balancing policy for all
traffic to port 80, while uses a round robin load balancing setting for
traffic to the port 9080.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -78,6 +130,31 @@ spec:
simple: ROUND_ROBIN
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: bookinfo-ratings-port
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy: # Apply to all ports
+ portLevelSettings:
+ - port:
+ number: 80
+ loadBalancer:
+ simple: LEAST_CONN
+ - port:
+ number: 9080
+ loadBalancer:
+ simple: ROUND_ROBIN
+
+
+{{}}
+{{}}
+
ConnectionPoolSettings
Connection pool settings for an upstream host. The settings apply to
@@ -89,6 +166,9 @@ level as well as at HTTP level.
For example, the following rule sets a limit of 100 connections to redis
service called myredissrv with a connect timeout of 30ms
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -105,6 +185,29 @@ spec:
interval: 75s
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: bookinfo-redis
+spec:
+ host: myredissrv.prod.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ tcp:
+ maxConnections: 100
+ connectTimeout: 30ms
+ tcpKeepalive:
+ time: 7200s
+ interval: 75s
+
+
+{{}}
+{{}}
+
@@ -477,6 +580,9 @@ for more details.
For example, the following rule uses a round robin load balancing policy
for all traffic going to the ratings service.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -488,10 +594,31 @@ spec:
simple: ROUND_ROBIN
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: bookinfo-ratings
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+
+
+{{}}
+{{}}
+
The following example sets up sticky sessions for the ratings service
hashing-based load balancer for the same ratings service using the
the User cookie as the hash key.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -506,6 +633,27 @@ the User cookie as the hash key.
ttl: 0s
+{{}}
+
+{{}}
+
+ apiVersion: networking.istio.io/v1beta1
+ kind: DestinationRule
+ metadata:
+ name: bookinfo-ratings
+ spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ loadBalancer:
+ consistentHash:
+ httpCookie:
+ name: user
+ ttl: 0s
+
+
+{{}}
+{{}}
+
@@ -728,7 +876,7 @@ Envoy for further details.
distribution of traffic to endpoints based on the localities of where the
traffic originates and where it will terminate. These localities are
specified using arbitrary labels that designate a hierarchy of localities in
-{region}/{zone}/{sub-zone} form. For additional detail refer to
+{region}/{zone}/{sub-zone} form. For additional detail refer to
Locality Weight
The following example shows how to setup locality weights mesh-wide.
@@ -828,7 +976,7 @@ No
Describes how traffic originating in the ‘from’ zone or sub-zone is
distributed over a set of ‘to’ zones. Syntax for specifying a zone is
-{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
+{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
segment of the specification. Examples:
* - matches all localities
us-west/* - all zones and sub-zones within the us-west region
@@ -935,6 +1083,9 @@ it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
hosts to be scanned every 5 mins so that any host that fails 7 consecutive
times with a 502, 503, or 504 error code will be ejected for 15 minutes.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -954,6 +1105,32 @@ spec:
baseEjectionTime: 15m
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: reviews-cb-policy
+spec:
+ host: reviews.prod.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ tcp:
+ maxConnections: 100
+ http:
+ http2MaxRequests: 1000
+ maxRequestsPerConnection: 10
+ outlierDetection:
+ consecutiveErrors: 7
+ interval: 5m
+ baseEjectionTime: 15m
+
+
+{{}}
+{{}}
+
@@ -1079,6 +1256,9 @@ uses a round robin load balancing policy for all traffic going to a
subset named testversion that is composed of endpoints (e.g., pods) with
labels (version:v3).
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -1097,6 +1277,31 @@ spec:
simple: ROUND_ROBIN
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: bookinfo-ratings
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ loadBalancer:
+ simple: LEAST_CONN
+ subsets:
+ - name: testversion
+ labels:
+ version: v3
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+
+
+{{}}
+{{}}
+
Note: Policies specified for subsets will not take effect until
a route rule explicitly sends traffic to this subset.
@@ -1166,6 +1371,9 @@ for more details. These settings are common to both HTTP and TCP upstreams.
For example, the following rule configures a client to use mutual TLS
for connections to upstream database cluster.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -1180,9 +1388,33 @@ spec:
caCertificates: /etc/certs/rootcacerts.pem
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: db-mtls
+spec:
+ host: mydbserver.prod.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: MUTUAL
+ clientCertificate: /etc/certs/myclientcert.pem
+ privateKey: /etc/certs/client_private_key.pem
+ caCertificates: /etc/certs/rootcacerts.pem
+
+
+{{}}
+{{}}
+
The following rule configures a client to use TLS when talking to a
foreign service whose domain matches *.foo.com.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -1194,9 +1426,30 @@ spec:
mode: SIMPLE
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: tls-foo
+spec:
+ host: "*.foo.com"
+ trafficPolicy:
+ tls:
+ mode: SIMPLE
+
+
+{{}}
+{{}}
+
The following rule configures a client to use Istio mutual TLS when talking
to rating services.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -1208,6 +1461,24 @@ spec:
mode: ISTIO_MUTUAL
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: ratings-istio-mtls
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+
+
+{{}}
+{{}}
+
diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index 79102910b2..eeb12b141a 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -126,7 +126,7 @@ spec:
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
- {
+ {
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html
index 528b5a5c7a..c2511618da 100644
--- a/content/en/docs/reference/config/networking/gateway/index.html
+++ b/content/en/docs/reference/config/networking/gateway/index.html
@@ -23,6 +23,9 @@ my-gateway-controller. While Istio will configure the proxy to listen
on these ports, it is the responsibility of the user to ensure that
external traffic to these ports are allowed into the mesh.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@@ -75,6 +78,65 @@ spec:
- "*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: my-gateway
+ namespace: some-config-namespace
+spec:
+ selector:
+ app: my-gateway-controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - uk.bookinfo.com
+ - eu.bookinfo.com
+ tls:
+ httpsRedirect: true # sends 301 redirect for http requests
+ - port:
+ number: 443
+ name: https-443
+ protocol: HTTPS
+ hosts:
+ - uk.bookinfo.com
+ - eu.bookinfo.com
+ tls:
+ mode: SIMPLE # enables HTTPS on this port
+ serverCertificate: /etc/certs/servercert.pem
+ privateKey: /etc/certs/privatekey.pem
+ - port:
+ number: 9443
+ name: https-9443
+ protocol: HTTPS
+ hosts:
+ - "bookinfo-namespace/*.bookinfo.com"
+ tls:
+ mode: SIMPLE # enables HTTPS on this port
+ credentialName: bookinfo-secret # fetches certs from Kubernetes secret
+ - port:
+ number: 9080
+ name: http-wildcard
+ protocol: HTTP
+ hosts:
+ - "*"
+ - port:
+ number: 2379 # to expose internal service via external port 2379
+ name: mongo
+ protocol: MONGO
+ hosts:
+ - "*"
+
+
+{{}}
+{{}}
+
The Gateway specification above describes the L4-L6 properties of a load
balancer. A VirtualService can then be bound to a gateway to control
the forwarding of traffic arriving at a particular host or gateway port.
@@ -90,6 +152,9 @@ requests to the “reviews.prod.svc.cluster.local” service. This rule
applicable across ports 443, 9080. Note that http://uk.bookinfo.com
gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -127,11 +192,58 @@ spec:
weight: 20
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: bookinfo-rule
+ namespace: bookinfo-namespace
+spec:
+ hosts:
+ - reviews.prod.svc.cluster.local
+ - uk.bookinfo.com
+ - eu.bookinfo.com
+ gateways:
+ - some-config-namespace/my-gateway
+ - mesh # applies to all the sidecars in the mesh
+ http:
+ - match:
+ - headers:
+ cookie:
+ exact: "user=dev-123"
+ route:
+ - destination:
+ port:
+ number: 7777
+ host: reviews.qa.svc.cluster.local
+ - match:
+ - uri:
+ prefix: /reviews/
+ route:
+ - destination:
+ port:
+ number: 9080 # can be omitted if it's the only port for reviews
+ host: reviews.prod.svc.cluster.local
+ weight: 80
+ - destination:
+ host: reviews.qa.svc.cluster.local
+ weight: 20
+
+
+{{}}
+{{}}
+
The following VirtualService forwards traffic arriving at (external)
port 27017 to internal Mongo server on port 5555. This rule is not
applicable internally in the mesh as the gateway list omits the
reserved name mesh.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -153,12 +265,43 @@ spec:
number: 5555
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: bookinfo-Mongo
+ namespace: bookinfo-namespace
+spec:
+ hosts:
+ - mongosvr.prod.svc.cluster.local # name of internal Mongo service
+ gateways:
+ - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
+ namespace as virtual service.
+ tcp:
+ - match:
+ - port: 27017
+ route:
+ - destination:
+ host: mongo.prod.svc.cluster.local
+ port:
+ number: 5555
+
+
+{{}}
+{{}}
+
It is possible to restrict the set of virtual services that can bind to
a gateway server using the namespace/hostname syntax in the hosts field.
For example, the following Gateway allows any virtual service in the ns1
namespace to bind to it, while restricting only the virtual service with
foo.bar.com host in the ns2 namespace to bind to it.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@@ -177,6 +320,31 @@ spec:
- "ns2/foo.bar.com"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: my-gateway
+ namespace: some-config-namespace
+spec:
+ selector:
+ app: my-gateway-controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "ns1/*"
+ - "ns2/foo.bar.com"
+
+
+{{}}
+{{}}
+
Gateway
Gateway describes a load balancer operating at the edge of the mesh
@@ -279,6 +447,9 @@ No
Server describes the properties of the proxy on a given load balancer
port. For example,
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@@ -295,8 +466,34 @@ spec:
- "*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: my-ingress
+spec:
+ selector:
+ app: my-ingress-gateway
+ servers:
+ - port:
+ number: 80
+ name: http2
+ protocol: HTTP2
+ hosts:
+ - "*"
+
+
+{{}}
+{{}}
+
Another example
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@@ -313,8 +510,34 @@ spec:
- "*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: my-tcp-ingress
+spec:
+ selector:
+ app: my-tcp-ingress-gateway
+ servers:
+ - port:
+ number: 27018
+ name: mongo
+ protocol: MONGO
+ hosts:
+ - "*"
+
+
+{{}}
+{{}}
+
The following is an example of TLS configuration for port 443
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@@ -335,6 +558,33 @@ spec:
privateKey: /etc/certs/privatekey.pem
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: my-tls-ingress
+spec:
+ selector:
+ app: my-tls-ingress-gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ serverCertificate: /etc/certs/server.pem
+ privateKey: /etc/certs/privatekey.pem
+
+
+{{}}
+{{}}
+
diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html
index c851fa49ea..cdf923f3a8 100644
--- a/content/en/docs/reference/config/networking/service-entry/index.html
+++ b/content/en/docs/reference/config/networking/service-entry/index.html
@@ -22,6 +22,9 @@ service registry (e.g., a set of VMs talking to services in Kubernetes).
applications over HTTPS. The sidecar inspects the SNI value in the
ClientHello message to route to the appropriate external service.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -39,11 +42,38 @@ spec:
resolution: DNS
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-https
+spec:
+ hosts:
+ - api.dropboxapi.com
+ - www.googleapis.com
+ - api.facebook.com
+ location: MESH_EXTERNAL
+ ports:
+ - number: 443
+ name: https
+ protocol: TLS
+ resolution: DNS
+
+
+{{}}
+{{}}
+
The following configuration adds a set of MongoDB instances running on
unmanaged VMs to Istio’s registry, so that these services can be treated
as any other service in the mesh. The associated DestinationRule is used
to initiate mTLS connections to the database instances.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -64,8 +94,38 @@ spec:
- address: 3.3.3.3
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-mongocluster
+spec:
+ hosts:
+ - mymongodb.somedomain # not used
+ addresses:
+ - 192.192.192.192/24 # VIPs
+ ports:
+ - number: 27018
+ name: mongodb
+ protocol: MONGO
+ location: MESH_INTERNAL
+ resolution: STATIC
+ endpoints:
+ - address: 2.2.2.2
+ - address: 3.3.3.3
+
+
+{{}}
+{{}}
+
and the associated DestinationRule
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -80,10 +140,34 @@ spec:
caCertificates: /etc/certs/rootcacerts.pem
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: mtls-mongocluster
+spec:
+ host: mymongodb.somedomain
+ trafficPolicy:
+ tls:
+ mode: MUTUAL
+ clientCertificate: /etc/certs/myclientcert.pem
+ privateKey: /etc/certs/client_private_key.pem
+ caCertificates: /etc/certs/rootcacerts.pem
+
+
+{{}}
+{{}}
+
The following example uses a combination of service entry and TLS
routing in a virtual service to steer traffic based on the SNI value to
an internal egress firewall.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -100,8 +184,34 @@ spec:
resolution: NONE
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-redirect
+spec:
+ hosts:
+ - wikipedia.org
+ - "*.wikipedia.org"
+ location: MESH_EXTERNAL
+ ports:
+ - number: 443
+ name: https
+ protocol: TLS
+ resolution: NONE
+
+
+{{}}
+{{}}
+
And the associated VirtualService to route based on the SNI value.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -120,6 +230,31 @@ spec:
host: internal-egress-firewall.ns1.svc.cluster.local
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: tls-routing
+spec:
+ hosts:
+ - wikipedia.org
+ - "*.wikipedia.org"
+ tls:
+ - match:
+ - sniHosts:
+ - wikipedia.org
+ - "*.wikipedia.org"
+ route:
+ - destination:
+ host: internal-egress-firewall.ns1.svc.cluster.local
+
+
+{{}}
+{{}}
+
The virtual service with TLS match serves to override the default SNI
match. In the absence of a virtual service, traffic will be forwarded to
the wikipedia domains.
@@ -132,6 +267,9 @@ to all namespaces. The following example restricts the visibility to the
current namespace, represented by “.”, so that it cannot be used by other
namespaces.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -150,8 +288,36 @@ spec:
resolution: DNS
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-httpbin
+ namespace : egress
+spec:
+ hosts:
+ - httpbin.com
+ exportTo:
+ - "."
+ location: MESH_EXTERNAL
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ resolution: DNS
+
+
+{{}}
+{{}}
+
Define a gateway to handle all egress traffic.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@@ -169,6 +335,30 @@ spec:
- "*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+spec:
+ selector:
+ istio: egressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+
+
+{{}}
+{{}}
+
And the associated VirtualService to route from the sidecar to the
gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
well as route from the gateway to the external service. Note that the
@@ -176,6 +366,9 @@ virtual service is exported to all namespaces enabling them to route traffic
through the gateway to the external service. Forcing traffic to go through
a managed middle proxy like this is a common practice.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -206,11 +399,51 @@ spec:
host: httpbin.com
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: gateway-routing
+ namespace: egress
+spec:
+ hosts:
+ - httpbin.com
+ exportTo:
+ - "*"
+ gateways:
+ - mesh
+ - istio-egressgateway
+ http:
+ - match:
+ - port: 80
+ gateways:
+ - mesh
+ route:
+ - destination:
+ host: istio-egressgateway.istio-system.svc.cluster.local
+ - match:
+ - port: 80
+ gateways:
+ - istio-egressgateway
+ route:
+ - destination:
+ host: httpbin.com
+
+
+{{}}
+{{}}
+
The following example demonstrates the use of wildcards in the hosts for
external services. If the connection has to be routed to the IP address
requested by the application (i.e. application resolves DNS and attempts
to connect to a specific IP), the discovery mode must be set to NONE.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -226,10 +459,35 @@ spec:
resolution: NONE
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-wildcard-example
+spec:
+ hosts:
+ - "*.bar.com"
+ location: MESH_EXTERNAL
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ resolution: NONE
+
+
+{{}}
+{{}}
+
The following example demonstrates a service that is available via a
Unix Domain Socket on the host of the client. The resolution must be
set to STATIC to use Unix address endpoints.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -247,6 +505,30 @@ spec:
- address: unix:///var/run/example/socket
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: unix-domain-socket-example
+spec:
+ hosts:
+ - "example.unix.local"
+ location: MESH_EXTERNAL
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ resolution: STATIC
+ endpoints:
+ - address: unix:///var/run/example/socket
+
+
+{{}}
+{{}}
+
For HTTP-based services, it is possible to create a VirtualService
backed by multiple DNS addressable endpoints. In such a scenario, the
application can use the HTTP_PROXY environment variable to transparently
@@ -255,6 +537,9 @@ example, the following configuration creates a non-existent external
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
uk.foo.bar.com:9080, and in.foo.bar.com:7080
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -280,6 +565,38 @@ spec:
https: 7080
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-dns
+spec:
+ hosts:
+ - foo.bar.com
+ location: MESH_EXTERNAL
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ resolution: DNS
+ endpoints:
+ - address: us.foo.bar.com
+ ports:
+ https: 8080
+ - address: uk.foo.bar.com
+ ports:
+ https: 9080
+ - address: in.foo.bar.com
+ ports:
+ https: 7080
+
+
+{{}}
+{{}}
+
With HTTP_PROXY=http://localhost/, calls from the application to
http://foo.bar.com will be load balanced across the three domains
specified above. In other words, a call to http://foo.bar.com/baz would
@@ -289,6 +606,9 @@ be translated to http://uk.foo.bar.com/baz.
containing a subject alternate name
whose format conforms to the SPIFFE standard:
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -310,6 +630,34 @@ spec:
- "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: httpbin
+ namespace : httpbin-ns
+spec:
+ hosts:
+ - httpbin.com
+ location: MESH_INTERNAL
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ resolution: STATIC
+ endpoints:
+ - address: 2.2.2.2
+ - address: 3.3.3.3
+ subjectAltNames:
+ - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+
+
+{{}}
+{{}}
+
ServiceEntry
ServiceEntry enables adding additional entries into Istio’s internal
diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html
index 4abc8d3d94..1c76b6dc18 100644
--- a/content/en/docs/reference/config/networking/sidecar/index.html
+++ b/content/en/docs/reference/config/networking/sidecar/index.html
@@ -48,6 +48,9 @@ root namespace called istio-config, that configures sidecars in
all namespaces to allow egress traffic only to other workloads in
the same namespace, and to services in the istio-system namespace.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@@ -60,12 +63,34 @@ spec:
- "istio-system/*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ name: default
+ namespace: istio-config
+spec:
+ egress:
+ - hosts:
+ - "./*"
+ - "istio-system/*"
+
+
+{{}}
+{{}}
+
The example below declares a Sidecar configuration in the prod-us1
namespace that overrides the global default defined above, and
configures the sidecars in the namespace to allow egress traffic to
public services in the prod-us1, prod-apis, and the istio-system
namespaces.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@@ -79,6 +104,26 @@ spec:
- "istio-system/*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ name: default
+ namespace: prod-us1
+spec:
+ egress:
+ - hosts:
+ - "prod-us1/*"
+ - "prod-apis/*"
+ - "istio-system/*"
+
+
+{{}}
+{{}}
+
The example below declares a Sidecar configuration in the prod-us1 namespace
that accepts inbound HTTP traffic on port 9080 and forwards
it to the attached workload instance listening on a Unix domain socket. In the
@@ -86,6 +131,9 @@ egress direction, in addition to the istio-system namespace, the si
proxies only HTTP traffic bound for port 9080 for services in the
prod-us1 namespace.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@@ -109,6 +157,36 @@ spec:
- "istio-system/*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ name: default
+ namespace: prod-us1
+spec:
+ ingress:
+ - port:
+ number: 9080
+ protocol: HTTP
+ name: somename
+ defaultEndpoint: unix:///var/run/someuds.sock
+ egress:
+ - port:
+ number: 9080
+ protocol: HTTP
+ name: egresshttp
+ hosts:
+ - "prod-us1/*"
+ - hosts:
+ - "istio-system/*"
+
+
+{{}}
+{{}}
+
If the workload is deployed without IPTables-based traffic capture, the
Sidecar configuration is the only way to configure the ports on the proxy
attached to the workload instance. The following example declares a Sidecar
@@ -122,6 +200,9 @@ on port 9080 and forward it to the application listening on
backing MySQL database on 127.0.0.1:3306, that then gets proxied to the
externally hosted MySQL service at mysql.foo.com:3306.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@@ -149,8 +230,45 @@ spec:
- "*/mysql.foo.com"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ name: no-ip-tables
+ namespace: prod-us1
+spec:
+ workloadSelector:
+ labels:
+ app: productpage
+ ingress:
+ - port:
+ number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
+ protocol: HTTP
+ name: somename
+ defaultEndpoint: 127.0.0.1:8080
+ captureMode: NONE # not needed if metadata is set for entire proxy
+ egress:
+ - port:
+ number: 3306
+ protocol: MYSQL
+ name: egressmysql
+ captureMode: NONE # not needed if metadata is set for entire proxy
+ bind: 127.0.0.1
+ hosts:
+ - "*/mysql.foo.com"
+
+
+{{}}
+{{}}
+
And the associated service entry for routing to mysql.foo.com:3306
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -167,6 +285,29 @@ spec:
resolution: DNS
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-mysql
+ namespace: ns1
+spec:
+ hosts:
+ - mysql.foo.com
+ ports:
+ - number: 3306
+ name: mysql
+ protocol: MYSQL
+ location: MESH_EXTERNAL
+ resolution: DNS
+
+
+{{}}
+{{}}
+
It is also possible to mix and match traffic capture modes in a single
proxy. For example, consider a setup where internal services are on the
192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
@@ -179,6 +320,9 @@ listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving
contain REDIRECT or TPROXY as its value, implying that IP tables
based traffic capture is active.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
@@ -206,6 +350,40 @@ spec:
- "*/*"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ name: partial-ip-tables
+ namespace: prod-us1
+spec:
+ workloadSelector:
+ labels:
+ app: productpage
+ ingress:
+ - bind: 172.16.1.32
+ port:
+ number: 80 # binds to 172.16.1.32:80
+ protocol: HTTP
+ name: somename
+ defaultEndpoint: 127.0.0.1:8080
+ captureMode: NONE
+ egress:
+ # use the system detected defaults
+ # sets up configuration to handle outbound traffic to services
+ # in 192.168.0.0/16 subnet, based on information provided by the
+ # service registry
+ - captureMode: IPTABLES
+ hosts:
+ - "*/*"
+
+
+{{}}
+{{}}
+
CaptureMode
CaptureMode describes how traffic to a listener is expected to be
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index f71bc2ce78..dabc32c19a 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -52,6 +52,9 @@ pods of the reviews service with label “version: v1”. In addition,
HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
be rewritten to /newcatalog and sent to pods with label “version: v2”.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -79,10 +82,47 @@ spec:
subset: v1
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: reviews-route
+spec:
+ hosts:
+ - reviews.prod.svc.cluster.local
+ http:
+ - name: "reviews-v2-routes"
+ match:
+ - uri:
+ prefix: "/wpcatalog"
+ - uri:
+ prefix: "/consumercatalog"
+ rewrite:
+ uri: "/newcatalog"
+ route:
+ - destination:
+ host: reviews.prod.svc.cluster.local
+ subset: v2
+ - name: "reviews-v1-route"
+ route:
+ - destination:
+ host: reviews.prod.svc.cluster.local
+ subset: v1
+
+
+{{}}
+{{}}
+
A subset/version of a route destination is identified with a reference
to a named service subset which must be declared in a corresponding
DestinationRule.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -98,6 +138,28 @@ spec:
version: v2
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: reviews-destination
+spec:
+ host: reviews.prod.svc.cluster.local
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+
+
+{{}}
+{{}}
+
CorsPolicy
Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
@@ -108,6 +170,9 @@ from example.com domain using HTTP POST/GET, and sets the
Access-Control-Allow-Credentials header to false. In addition, it only
exposes X-Foo-bar header and sets an expiry period of 1 day.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -132,6 +197,37 @@ spec:
maxAge: "24h"
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: ratings-route
+spec:
+ hosts:
+ - ratings.prod.svc.cluster.local
+ http:
+ - route:
+ - destination:
+ host: ratings.prod.svc.cluster.local
+ subset: v1
+ corsPolicy:
+ allowOrigin:
+ - example.com
+ allowMethods:
+ - POST
+ - GET
+ allowCredentials: false
+ allowHeaders:
+ - X-Foo-Bar
+ maxAge: "24h"
+
+
+{{}}
+{{}}
+
@@ -242,6 +338,9 @@ domain names over short names.
of the reviews service with label “version: v1” (i.e., subset v1), and
some to subset v2, in a Kubernetes environment.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -268,8 +367,44 @@ spec:
subset: v1
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: reviews-route
+ namespace: foo
+spec:
+ hosts:
+ - reviews # interpreted as reviews.foo.svc.cluster.local
+ http:
+ - match:
+ - uri:
+ prefix: "/wpcatalog"
+ - uri:
+ prefix: "/consumercatalog"
+ rewrite:
+ uri: "/newcatalog"
+ route:
+ - destination:
+ host: reviews # interpreted as reviews.foo.svc.cluster.local
+ subset: v2
+ - route:
+ - destination:
+ host: reviews # interpreted as reviews.foo.svc.cluster.local
+ subset: v1
+
+
+{{}}
+{{}}
+
And the associated DestinationRule
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -286,6 +421,29 @@ spec:
version: v2
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: reviews-destination
+ namespace: foo
+spec:
+ host: reviews # interpreted as reviews.foo.svc.cluster.local
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+
+
+{{}}
+{{}}
+
The following VirtualService sets a timeout of 5s for all calls to
productpage.prod.svc.cluster.local service in Kubernetes. Notice that
there are no subsets defined in this rule. Istio will fetch all
@@ -296,6 +454,9 @@ qualified domain name of the productpage service,
productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
not have an impact in resolving the name of the productpage service.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -311,12 +472,37 @@ spec:
host: productpage.prod.svc.cluster.local
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: my-productpage-rule
+ namespace: istio-system
+spec:
+ hosts:
+ - productpage.prod.svc.cluster.local # ignores rule namespace
+ http:
+ - timeout: 5s
+ route:
+ - destination:
+ host: productpage.prod.svc.cluster.local
+
+
+{{}}
+{{}}
+
To control routing for traffic bound to services outside the mesh, external
services must first be added to Istio’s internal service registry using the
ServiceEntry resource. VirtualServices can then be defined to control traffic
bound to these external services. For example, the following rules define a
Service for wikipedia.org and set a timeout of 5s for HTTP requests.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
@@ -345,6 +531,41 @@ spec:
host: wikipedia.org
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+ name: external-svc-wikipedia
+spec:
+ hosts:
+ - wikipedia.org
+ location: MESH_EXTERNAL
+ ports:
+ - number: 80
+ name: example-http
+ protocol: HTTP
+ resolution: DNS
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: my-wiki-rule
+spec:
+ hosts:
+ - wikipedia.org
+ http:
+ - timeout: 5s
+ route:
+ - destination:
+ host: wikipedia.org
+
+
+{{}}
+{{}}
+
@@ -462,6 +683,9 @@ No
pre-specified error code. The following example will return an HTTP 400
error code for 1 out of every 1000 requests to the “ratings” service “v1”.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -481,6 +705,32 @@ spec:
httpStatus: 400
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: ratings-route
+spec:
+ hosts:
+ - ratings.prod.svc.cluster.local
+ http:
+ - route:
+ - destination:
+ host: ratings.prod.svc.cluster.local
+ subset: v1
+ fault:
+ abort:
+ percentage:
+ value: 0.1
+ httpStatus: 400
+
+
+{{}}
+{{}}
+
The httpStatus field is used to indicate the HTTP status code to
return to the caller. The optional percentage field can be used to only
abort a certain percentage of requests. If not specified, all requests are
@@ -528,6 +778,9 @@ forwarding path. The following example will introduce a 5 second delay
in 1 out of every 1000 requests to the “v1” version of the “reviews”
service from all pods with label env: prod
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -550,6 +803,35 @@ spec:
fixedDelay: 5s
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: reviews-route
+spec:
+ hosts:
+ - reviews.prod.svc.cluster.local
+ http:
+ - match:
+ - sourceLabels:
+ env: prod
+ route:
+ - destination:
+ host: reviews.prod.svc.cluster.local
+ subset: v1
+ fault:
+ delay:
+ percentage:
+ value: 0.1
+ fixedDelay: 5s
+
+
+{{}}
+{{}}
+
The fixedDelay field is used to indicate the amount of delay in seconds.
The optional percentage field can be used to only delay a certain
percentage of requests. If left unspecified, all request will be delayed.
@@ -611,6 +893,9 @@ restricts the rule to match only requests where the URL path
starts with /ratings/v2/ and the request contains a custom end-user header
with value jason.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -631,6 +916,33 @@ spec:
host: ratings.prod.svc.cluster.local
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: ratings-route
+spec:
+ hosts:
+ - ratings.prod.svc.cluster.local
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ uri:
+ prefix: "/ratings/v2/"
+ ignoreUriCase: true
+ route:
+ - destination:
+ host: ratings.prod.svc.cluster.local
+
+
+{{}}
+{{}}
+
HTTPMatchRequest CANNOT be empty.
@@ -863,6 +1175,9 @@ the specified values. For example, the following rule redirects
requests for /v1/getProductRatings API on the ratings service to
/v1/bookRatings provided by the bookratings service.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -880,6 +1195,30 @@ spec:
...
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: ratings-route
+spec:
+ hosts:
+ - ratings.prod.svc.cluster.local
+ http:
+ - match:
+ - uri:
+ exact: /v1/getProductRatings
+ redirect:
+ uri: /v1/bookRatings
+ authority: newratings.default.svc.cluster.local
+ ...
+
+
+{{}}
+{{}}
+
@@ -936,6 +1275,9 @@ No
example, the following rule sets the maximum number of retries to 3 when
calling ratings:v1 service, with a 2s timeout per retry attempt.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -954,6 +1296,31 @@ spec:
retryOn: gateway-error,connect-failure,refused-stream
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: ratings-route
+spec:
+ hosts:
+ - ratings.prod.svc.cluster.local
+ http:
+ - route:
+ - destination:
+ host: ratings.prod.svc.cluster.local
+ subset: v1
+ retries:
+ attempts: 3
+ perTryTimeout: 2s
+ retryOn: gateway-error,connect-failure,refused-stream
+
+
+{{}}
+{{}}
+
@@ -1014,6 +1381,9 @@ be used only with HTTPRouteDestination. The following example
demonstrates how to rewrite the URL prefix for api call (/ratings) to
ratings service before making the actual API call.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -1033,6 +1403,32 @@ spec:
subset: v1
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: ratings-route
+spec:
+ hosts:
+ - ratings.prod.svc.cluster.local
+ http:
+ - match:
+ - uri:
+ prefix: /ratings
+ rewrite:
+ uri: /v1/bookRatings
+ route:
+ - destination:
+ host: ratings.prod.svc.cluster.local
+ subset: v1
+
+
+{{}}
+{{}}
+
@@ -1266,6 +1662,9 @@ following rule will route 25% of traffic for the “reviews” service t
instances with the “v2” tag and the remaining traffic (i.e., 75%) to
“v1”.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -1285,8 +1684,37 @@ spec:
weight: 75
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: reviews-route
+spec:
+ hosts:
+ - reviews.prod.svc.cluster.local
+ http:
+ - route:
+ - destination:
+ host: reviews.prod.svc.cluster.local
+ subset: v2
+ weight: 25
+ - destination:
+ host: reviews.prod.svc.cluster.local
+ subset: v1
+ weight: 75
+
+
+{{}}
+{{}}
+
And the associated DestinationRule
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
@@ -1302,10 +1730,35 @@ spec:
version: v2
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: reviews-destination
+spec:
+ host: reviews.prod.svc.cluster.local
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+
+
+{{}}
+{{}}
+
Traffic can also be split across two entirely different services without
having to define new subsets. For example, the following rule forwards 25% of
traffic to reviews.com to dev.reviews.com
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -1323,6 +1776,30 @@ spec:
weight: 75
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: reviews-route-two-domains
+spec:
+ hosts:
+ - reviews.com
+ http:
+ - route:
+ - destination:
+ host: dev.reviews.com
+ weight: 25
+ - destination:
+ host: reviews.com
+ weight: 75
+
+
+{{}}
+{{}}
+
@@ -1375,41 +1852,6 @@ No
-Message headers can be manipulated when Envoy forwards requests to,
-or responses from, a destination service. Header manipulation rules can
-be specified for a specific route destination or for all destinations.
-The following VirtualService adds a test header with the value true
-to requests that are routed to any reviews service destination.
-It also romoves the foo response header, but only from responses
-coming from the v1 subset (version) of the reviews service.
-
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: reviews-route
-spec:
- hosts:
- - reviews.prod.svc.cluster.local
- http:
- - headers:
- request:
- set:
- test: true
- route:
- - destination:
- host: reviews.prod.svc.cluster.local
- subset: v2
- weight: 25
- - destination:
- host: reviews.prod.svc.cluster.local
- subset: v1
- headers:
- response:
- remove:
- - foo
- weight: 75
-
-
@@ -1722,6 +2164,9 @@ Yes
following routing rule forwards traffic arriving at port 27017 for
mongo.prod.svc.cluster.local to another Mongo server on port 5555.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -1739,6 +2184,30 @@ spec:
number: 5555
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: bookinfo-Mongo
+spec:
+ hosts:
+ - mongo.prod.svc.cluster.local
+ tcp:
+ - match:
+ - port: 27017
+ route:
+ - destination:
+ host: mongo.backup.svc.cluster.local
+ port:
+ number: 5555
+
+
+{{}}
+{{}}
+
@@ -1868,6 +2337,9 @@ traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
traffic arriving at port 443 of gateway called “mygateway” to internal
services in the mesh based on the SNI value.
+{{}}
+{{}}
+
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@@ -1894,6 +2366,39 @@ spec:
host: reviews.prod.svc.cluster.local
+{{}}
+
+{{}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: bookinfo-sni
+spec:
+ hosts:
+ - "*.bookinfo.com"
+ gateways:
+ - mygateway
+ tls:
+ - match:
+ - port: 443
+ sniHosts:
+ - login.bookinfo.com
+ route:
+ - destination:
+ host: login.prod.svc.cluster.local
+ - match:
+ - port: 443
+ sniHosts:
+ - reviews.bookinfo.com
+ route:
+ - destination:
+ host: reviews.prod.svc.cluster.local
+
+
+{{}}
+{{}}
+
diff --git a/content/en/docs/reference/config/policy-and-telemetry/adapters/layer5/index.html b/content/en/docs/reference/config/policy-and-telemetry/adapters/layer5/index.html
new file mode 100644
index 0000000000..3940b6c4de
--- /dev/null
+++ b/content/en/docs/reference/config/policy-and-telemetry/adapters/layer5/index.html
@@ -0,0 +1,51 @@
+---
+WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/layer5io/layer5-istio-adapter' REPO
+source_repo: https://github.com/layer5io/layer5-istio-adapter
+title: Layer5 adapter
+description: Adapter to deliver metrics to Layer5.
+location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/layer5.html
+layout: partner-component
+generator: protoc-gen-docs
+provider: Layer5, Inc.
+contact_email: community@layer5.io
+support_link:
+source_link: https://github.com/layer5io/layer5-istio-adapter
+latest_release_link: https://github.com/layer5io/layer5-istio-adapter/releases
+helm_chart_link:
+istio_versions: "1.1+"
+supported_templates: metric
+logo_link: https://github.com/layer5io/layer5-istio-adapter/blob/master/layer5.svg
+number_of_entries: 1
+---
+The layer5 adapter collects metrics
+
+This adapter supports the metric template.
+
+Params
+
+config for layer5 adapter
+
+
+
+
+| Field |
+Type |
+Description |
+Required |
+
+
+
+
+filePath |
+string |
+
+ Path of the file to save the information about runtime requests.
+
+ |
+
+No
+ |
+
+
+
+
diff --git a/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html b/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
index 2cea3271ad..dab4adb58b 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
@@ -174,13 +174,13 @@ spec:
api.operation:
stringValue: findPetById
httpMethod: GET
- uriTemplate: /api/pets/{id}
+ uriTemplate: /api/pets/{id}
- attributes:
attributes:
api.operation:
stringValue: deletePet
httpMethod: DELETE
- uriTemplate: /api/pets/{id}
+ uriTemplate: /api/pets/{id}
apiKeys:
- query: api-key
@@ -358,9 +358,9 @@ No
following are valid URI templates:
/pets
-/pets/{id}
-/dictionary/{term:1}/{term}
-/search{?q*,lang}
+/pets/{id}
+/dictionary/{term:1}/{term}
+/search{?q*,lang}
@@ -375,7 +375,7 @@ Yes
EXPERIMENTAL:
ecmascript style regex-based match as defined by
-EDCA-262. For
+EDCA-262. For
example,
"^/pets/(.*?)?"
diff --git a/content/en/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html b/content/en/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html
index f2833229ec..7721011fc1 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html
@@ -121,7 +121,7 @@ Yes
We map from attribute name to the attribute’s specification. The name of an attribute,
which is how attributes are referred to in aspect configuration, must conform to:
-Name = IDENT { SEPARATOR IDENT };
+Name = IDENT { SEPARATOR IDENT };
Where IDENT must match the regular expression *a-z*+ and SEPARATOR must
diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html
index 8a89f46cd8..00b0286b6f 100644
--- a/content/en/docs/reference/config/security/authorization-policy/index.html
+++ b/content/en/docs/reference/config/security/authorization-policy/index.html
@@ -124,7 +124,7 @@ metadata:
name: policy
namespace: foo
spec:
- {}
+ {}
The following authorization policy applies to workloads containing label
@@ -155,7 +155,7 @@ metadata:
name: deny-all
namespace: foo
spec:
- {}
+ {}
The following authorization policy allows all requests to workloads in namespace
@@ -168,7 +168,7 @@ metadata:
namespace: foo
spec:
rules:
- - {}
+ - {}
|