Updated reference docs. (#3088)

2019-01-15 05:07:08 -08:00 · 2019-01-15 05:07:08 -08:00 · 8829fa3b26
parent 94e6a73ba0
commit 8829fa3b26
6 changed files with 277 additions and 38 deletions
--- a/content/docs/reference/commands/istio_ca/index.html
+++ b/content/docs/reference/commands/istio_ca/index.html
@ -155,7 +155,7 @@ number_of_entries: 4
 </tr>
 <tr>
 <td><code>--trust-domain &lt;string&gt;</code></td>
-<td>The domain serves to identify the system with spiffe (default: cluster.local)  (default `cluster.local`)</td>
+<td>The domain serves to identify the system with spiffe   (default ``)</td>
 </tr>
 <tr>
 <td><code>--upstream-ca-address &lt;string&gt;</code></td>
--- a/content/docs/reference/commands/pilot-discovery/index.html
+++ b/content/docs/reference/commands/pilot-discovery/index.html
@ -249,7 +249,7 @@ number_of_entries: 5
 <tr>
 <td><code>--registries &lt;stringSlice&gt;</code></td>
 <td></td>
-<td>Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, Mock})  (default `[Kubernetes]`)</td>
+<td>Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, MCP, Mock})  (default `[Kubernetes]`)</td>
 </tr>
 <tr>
 <td><code>--resync &lt;duration&gt;</code></td>
@ -261,6 +261,11 @@ number_of_entries: 5
 <td></td>
 <td>Discovery service grpc address, with https  (default `:15012`)</td>
 </tr>
+<tr>
+<td><code>--trust-domain &lt;string&gt;</code></td>
+<td></td>
+<td>The domain serves to identify the system with spiffe  (default ``)</td>
+</tr>
 </tbody>
 </table>
 <h2 id="pilot-discovery-request">pilot-discovery request</h2>
--- a/content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
+++ b/content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
@ -106,11 +106,10 @@ If set to [&ldquo;*&rdquo;], it refers to all services in the namespace.</p>
 <p>Optional. A list of HTTP paths or gRPC methods.
 gRPC methods must be presented as fully-qualified name in the form of
 &ldquo;/packageName.serviceName/methodName&rdquo; and are case sensitive.
-Exact match, prefix match, and suffix match are supported for paths.
-For example, the path &ldquo;/books/review&rdquo; matches
-&ldquo;/books/review&rdquo; (exact match), or &ldquo;/books/<em>&rdquo; (prefix match),
-or &ldquo;</em>/review&rdquo; (suffix match).
-If not specified, it applies to any path.</p>
+Exact match, prefix match, and suffix match are supported. For example,
+the path &ldquo;/books/review&rdquo; matches &ldquo;/books/review&rdquo; (exact match),
+or &ldquo;/books/<em>&rdquo; (prefix match), or &ldquo;</em>/review&rdquo; (suffix match).
+If not specified, it matches to any path.</p>

 </td>
 </tr>
@ -120,7 +119,7 @@ If not specified, it applies to any path.</p>
 <td>
 <p>Optional. A list of HTTP methods (e.g., &ldquo;GET&rdquo;, &ldquo;POST&rdquo;).
 It is ignored in gRPC case because the value is always &ldquo;POST&rdquo;.
-If set to [&ldquo;*&rdquo;] or not specified, it applies to any method.</p>
+If not specified, it matches to any methods.</p>

 </td>
 </tr>
@ -128,8 +127,7 @@ If set to [&ldquo;*&rdquo;] or not specified, it applies to any method.</p>
 <td><code>constraints</code></td>
 <td><code><a href="#AccessRule-Constraint">AccessRule.Constraint[]</a></code></td>
 <td>
-<p>Optional. Extra constraints in the ServiceRole specification.
-The above ServiceRole example shows an example of constraint &ldquo;version&rdquo;.</p>
+<p>Optional. Extra constraints in the ServiceRole specification.</p>

 </td>
 </tr>
@ -162,10 +160,9 @@ The above ServiceRole example shows an example of constraint &ldquo;version&rdqu
 <td><code>string[]</code></td>
 <td>
 <p>List of valid values for the constraint.
-Exact match, prefix match, and suffix match are supported for constraint values.
-For example, the value &ldquo;v1alpha2&rdquo; matches
-&ldquo;v1alpha2&rdquo; (exact match), or &ldquo;v1<em>&rdquo; (prefix match),
-or &ldquo;</em>alpha2&rdquo; (suffix match).</p>
+Exact match, prefix match, and suffix match are supported.
+For example, the value &ldquo;v1alpha2&rdquo; matches &ldquo;v1alpha2&rdquo; (exact match),
+or &ldquo;v1<em>&rdquo; (prefix match), or &ldquo;</em>alpha2&rdquo; (suffix match).</p>

 </td>
 </tr>
@ -335,8 +332,7 @@ Currently, &ldquo;ServiceRole&rdquo; is the only supported value for &ldquo;kind
 <td><code>string</code></td>
 <td>
 <p>Required. The name of the ServiceRole object being referenced.
-The ServiceRole object must be in the same namespace as the ServiceRoleBinding
-object.</p>
+The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.</p>

 </td>
 </tr>
@ -345,9 +341,7 @@ object.</p>
 </section>
 <h2 id="ServiceRole">ServiceRole</h2>
 <section>
-<p>ServiceRole specification contains a list of access rules (permissions).
-This represent the &ldquo;Spec&rdquo; part of the ServiceRole object. The name and namespace
-of the ServiceRole is specified in &ldquo;metadata&rdquo; section of the ServiceRole object.</p>
+<p>ServiceRole specification contains a list of access rules (permissions).</p>

 <table class="message-fields">
 <thead>
@ -371,10 +365,7 @@ of the ServiceRole is specified in &ldquo;metadata&rdquo; section of the Service
 </section>
 <h2 id="ServiceRoleBinding">ServiceRoleBinding</h2>
 <section>
-<p>ServiceRoleBinding assigns a ServiceRole to a list of subjects.
-This represents the &ldquo;Spec&rdquo; part of the ServiceRoleBinding object. The name and namespace
-of the ServiceRoleBinding is specified in &ldquo;metadata&rdquo; section of the ServiceRoleBinding
-object.</p>
+<p>ServiceRoleBinding assigns a ServiceRole to a list of subjects.</p>

 <table class="message-fields">
 <thead>
@ -430,8 +421,7 @@ The supported keys in <code>properties</code> are listed in &ldquo;constraint an
 <td><code>properties</code></td>
 <td><code>map&lt;string,&nbsp;string&gt;</code></td>
 <td>
-<p>Optional. The set of properties that identify the subject.
-The above ServiceRoleBinding example shows an example of property &ldquo;source.namespace&rdquo;.</p>
+<p>Optional. The set of properties that identify the subject.</p>

 </td>
 </tr>
--- a/content/docs/reference/config/istio.networking.v1alpha3/index.html
+++ b/content/docs/reference/config/istio.networking.v1alpha3/index.html
@ -6,7 +6,7 @@ layout: protoc-gen-docs
 generator: protoc-gen-docs
 aliases:
  - /docs/reference/config/istio.routing.v1alpha1/
-number_of_entries: 60
+number_of_entries: 62
 ---
 <p>Configuration affecting traffic routing. Here are a few terms useful to define
 in the context of traffic routing.</p>
@ -37,6 +37,47 @@ actual choice of the version is determined by the proxy/sidecar, enabling the
 application code to decouple itself from the evolution of dependent
 services.</p>

+<h2 id="CaptureMode">CaptureMode</h2>
+<section>
+<p>CaptureMode describes how traffic to a listener is expected to be
+captured. Applicable only when the listener is bound to an IP.</p>
+
+<table class="enum-values">
+<thead>
+<tr>
+<th>Name</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="CaptureMode-DEFAULT">
+<td><code>DEFAULT</code></td>
+<td>
+<p>The default capture mode defined by the environment</p>
+
+</td>
+</tr>
+<tr id="CaptureMode-IPTABLES">
+<td><code>IPTABLES</code></td>
+<td>
+<p>Capture traffic using IPtables redirection</p>
+
+</td>
+</tr>
+<tr id="CaptureMode-NONE">
+<td><code>NONE</code></td>
+<td>
+<p>No traffic capture. When used in egress listener, the application is
+expected to explicitly communicate with the listener port/unix
+domain socket. When used in ingress listener, care needs to be taken
+to ensure that the listener port is not in use by other processes on
+the host.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
 <h2 id="ConfigScope">ConfigScope</h2>
 <section>
 <p>ConfigScope defines the visibility of an Istio configuration artifact in
@ -2151,12 +2192,43 @@ listener on the sidecar proxy attached to a workload.</p>
 </tr>
 </thead>
 <tbody>
+<tr id="IstioEgressListener-port">
+<td><code>port</code></td>
+<td><code><a href="#Port">Port</a></code></td>
+<td>
+<p>The port associated with the listener. If using unix domain socket,
+use 0 as the port number, with a valid protocol. The port if
+specified, will be used as the default destination port associated
+with the imported hosts. If the port is omitted, Istio will infer the
+listener ports based on the imported hosts. Note that when multiple
+egress listeners are specified, where one or more listeners have
+specific ports while others have no port, the hosts exposed on a
+listener port will be based on the listener with the most specific
+port.</p>
+
+</td>
+</tr>
+<tr id="IstioEgressListener-bind">
+<td><code>bind</code></td>
+<td><code>string</code></td>
+<td>
+<p>The ip or the unix domain socket to which the listener should be bound
+to. Port MUST be specified if bind is not empty. Format: x.x.x.x or
+unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If
+omitted, Istio will autoconfigure the defaults based on imported
+services, the workload to which this configuration is applied to and
+the captureMode. If captureMode is NONE, bind will default to
+127.0.0.1.</p>
+
+</td>
+</tr>
 <tr id="IstioEgressListener-capture_mode">
 <td><code>captureMode</code></td>
 <td><code><a href="#CaptureMode">CaptureMode</a></code></td>
 <td>
 <p>When the bind address is an IP, the captureMode option dictates
-how traffic to the listener is expected to be captured (or not).</p>
+how traffic to the listener is expected to be captured (or not).
+captureMode must be DEFAULT or NONE for unix domain socket binds.</p>

 </td>
 </tr>
@ -2164,8 +2236,8 @@ how traffic to the listener is expected to be captured (or not).</p>
 <td><code>hosts</code></td>
 <td><code>string[]</code></td>
 <td>
-<p>One or more services/virtualServices exposed by the listener in
-namespace/dnsName format.  Publicly scoped services and
+<p>REQUIRED: One or more services/virtualServices exposed by the listener
+in namespace/dnsName format.  Publicly scoped services and
 VirtualServices from remote namespaces corresponding to the specified
 hosts will be imported. The service in a namespace can be a service in
 the service registry (e.g., a kubernetes or cloud foundry service) or
@ -2183,6 +2255,67 @@ namespace can be imported. Private services/configuration will not be
 imported. Refer to the scope setting associated with VirtualService,
 DestinationRule, ServiceEntry, etc. for details.</p>

+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h2 id="IstioIngressListener">IstioIngressListener</h2>
+<section>
+<p>IstioIngressListener specifies the properties of an inbound
+traffic listener on the sidecar proxy attached to a workload.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="IstioIngressListener-port">
+<td><code>port</code></td>
+<td><code><a href="#Port">Port</a></code></td>
+<td>
+<p>REQUIRED. The port associated with the listener. If using
+unix domain socket, use 0 as the port number, with a valid
+protocol.</p>
+
+</td>
+</tr>
+<tr id="IstioIngressListener-bind">
+<td><code>bind</code></td>
+<td><code>string</code></td>
+<td>
+<p>The ip or the unix domain socket to which the listener should be bound
+to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux
+abstract namespace). If omitted, Istio will autoconfigure the defaults
+based on imported services and the workload to which this
+configuration is applied to.</p>
+
+</td>
+</tr>
+<tr id="IstioIngressListener-capture_mode">
+<td><code>captureMode</code></td>
+<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
+<td>
+<p>When the bind address is an IP, the captureMode option dictates
+how traffic to the listener is expected to be captured (or not).
+captureMode must be DEFAULT or NONE for unix domain socket binds.</p>
+
+</td>
+</tr>
+<tr id="IstioIngressListener-default_endpoint">
+<td><code>defaultEndpoint</code></td>
+<td><code>string</code></td>
+<td>
+<p>REQUIRED: The loopback IP endpoint or unix domain socket to which
+traffic should be forwarded to. This configuration can be used to
+redirect traffic arriving at the bind point on the sidecar to a port
+or unix domain socket where the application workload is listening for
+connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket</p>
+
 </td>
 </tr>
 </tbody>
@ -3652,8 +3785,9 @@ behavior of the system is undefined if two or more Sidecar resources
 with a workload selector select the same workload.</p>

 <p>The example below delcares a Sidecar resource in the prod-us1 namespace
-that configures the sidecar to allow egress traffic to public services
-in the prod-us1, prod-apis, and the istio-system namespaces.</p>
+that configures the sidecars in the namespace to allow egress traffic to
+public services in the prod-us1, prod-apis, and the istio-system
+namespaces.</p>

 <pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@ -3668,6 +3802,36 @@ spec:
    - &quot;istio-system/*&quot;
 </code></pre>

+<p>The example below delcares a Sidecar resource in the prod-us1 namespace
+that accepts inbound HTTP traffic on port 9080 and forwards
+it to the attached workload listening on a unix domain socket. In the
+egress direction, in addition to the istio-system namespace, the sidecar
+proxies only HTTP traffic bound for port 9080 for services in the
+prod-us1 namespace.</p>
+
+<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: default
+  namespace: prod-us1
+spec:
+  ingress:
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: somename
+    defaultEndpoint: unix:///var/run/someuds.sock
+  egress:
+  - hosts:
+    - &quot;istio-system/*&quot;
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: egresshttp
+    hosts:
+    - &quot;prod-us1/*&quot;
+</code></pre>
+
 <table class="message-fields">
 <thead>
 <tr>
@ -3677,6 +3841,29 @@ spec:
 </tr>
 </thead>
 <tbody>
+<tr id="Sidecar-workload_selector">
+<td><code>workloadSelector</code></td>
+<td><code><a href="#WorkloadSelector">WorkloadSelector</a></code></td>
+<td>
+<p>Criteria used to select the specific set of pods/VMs on which this
+sidecar configuration should be applied. If omitted, the sidecar
+configuration will be applied to all workloads in the same config
+namespace.</p>
+
+</td>
+</tr>
+<tr id="Sidecar-ingress">
+<td><code>ingress</code></td>
+<td><code><a href="#IstioIngressListener">IstioIngressListener[]</a></code></td>
+<td>
+<p>Ingress specifies the configuration of the sidecar for processing
+inbound traffic to the attached workload. If omitted, Istio will
+autoconfigure the sidecar based on the information about the workload
+obtained from the orchestration platform (e.g., exposed ports, services,
+etc.).</p>
+
+</td>
+</tr>
 <tr id="Sidecar-egress">
 <td><code>egress</code></td>
 <td><code><a href="#IstioEgressListener">IstioEgressListener[]</a></code></td>
@ -4479,10 +4666,10 @@ selected. Currently, only label based selection mechanism is supported.</p>
 <td><code>labels</code></td>
 <td><code>map&lt;string,&nbsp;string&gt;</code></td>
 <td>
-<p>One or more labels that indicate a specific set of pods/VMs on which
-this sidecar configuration should be applied. The scope of label
-search is restricted to the configuration namespace in which the the
-resource is present.</p>
+<p>REQUIRED: One or more labels that indicate a specific set of pods/VMs
+on which this sidecar configuration should be applied. The scope of
+label search is restricted to the configuration namespace in which the
+the resource is present.</p>

 </td>
 </tr>
--- a/content/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/index.html
+++ b/content/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/index.html
@ -4,17 +4,23 @@ description: Adapter for cloudwatch metrics.
 location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/cloudwatch.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
+supported_templates: logentry
 supported_templates: metric
 aliases:
  - /docs/reference/config/adapters/cloudwatch.html
-number_of_entries: 3
+number_of_entries: 4
 ---
 <p>The CloudWatch adapter enables Istio to deliver metrics to
-<a href="https://aws.amazon.com/cloudwatch/">Amazon CloudWatch</a>.</p>
+<a href="https://aws.amazon.com/cloudwatch/">Amazon CloudWatch</a>.
+<a href="https://aws.amazon.com/cloudwatch/">Amazon CloudWatch</a> and logs to
+<a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html/">Amazon CloudWatchLogs</a>.</p>

-<p>To push metrics to CloudWatch using this adapter you must provide AWS credentials the AWS SDK.
+<p>To push metrics and logs to CloudWatch using this adapter you must provide AWS credentials to the AWS SDK.
 (see <a href="https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html">AWS docs</a>).</p>

+<p>To activate the CloudWatch adapter, operators need to provide configuration for the
+<a href="/docs/reference/config/adapters/cloudwatch.html">cloudwatch adapter</a>.</p>
+
 <p>The handler configuration must contain the same metrics as the instance configuration.
 The metrics specified in both instance and handler configurations will be sent to CloudWatch.</p>

@ -47,6 +53,53 @@ The metrics specified in both instance and handler configurations will be sent t
 <td>
 <p>A map of Istio metric name to CloudWatch metric info.</p>

+</td>
+</tr>
+<tr id="Params-log_group_name">
+<td><code>logGroupName</code></td>
+<td><code>string</code></td>
+<td>
+<p>The name of the log group in cloudwatchlogs.</p>
+
+</td>
+</tr>
+<tr id="Params-log_stream_name">
+<td><code>logStreamName</code></td>
+<td><code>string</code></td>
+<td>
+<p>The name of the log stream in cloudwatchlogs.</p>
+
+</td>
+</tr>
+<tr id="Params-logs">
+<td><code>logs</code></td>
+<td><code>map&lt;string,&nbsp;<a href="#Params-LogInfo">Params.LogInfo</a>&gt;</code></td>
+<td>
+<p>A map of Istio logentry name to CloudWatch logentry info.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h2 id="Params-LogInfo">Params.LogInfo</h2>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="Params-LogInfo-payload_template">
+<td><code>payloadTemplate</code></td>
+<td><code>string</code></td>
+<td>
+<p>A golang text/template template that will be executed to construct the payload for this log entry.
+It will be given the full set of variables for the log to use to construct its result.</p>
+
 </td>
 </tr>
 </tbody>
--- a/content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html
+++ b/content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html
@ -809,6 +809,10 @@ the field value:</p>
  - x.output.f
 </code></pre>

+<p>If the header value expression evaluates to an empty string, and the operation is to either replace
+or append a header, then the operation is not applied. This permits conditional behavior on behalf of the
+adapter to optionally modify the headers.</p>
+
 <table class="message-fields">
 <thead>
 <tr>