From 8829fa3b2623be82f4bbeebc727e95b77b6e2679 Mon Sep 17 00:00:00 2001 From: Martin Taillefer Date: Tue, 15 Jan 2019 05:07:08 -0800 Subject: [PATCH] Updated reference docs. (#3088) --- .../reference/commands/istio_ca/index.html | 2 +- .../commands/pilot-discovery/index.html | 7 +- .../istio.rbac.v1alpha1/index.html | 36 ++- .../istio.networking.v1alpha3/index.html | 207 +++++++++++++++++- .../adapters/cloudwatch/index.html | 59 ++++- .../istio.policy.v1beta1/index.html | 4 + 6 files changed, 277 insertions(+), 38 deletions(-) diff --git a/content/docs/reference/commands/istio_ca/index.html b/content/docs/reference/commands/istio_ca/index.html index f5efc190c7..4e97a9d54d 100644 --- a/content/docs/reference/commands/istio_ca/index.html +++ b/content/docs/reference/commands/istio_ca/index.html @@ -155,7 +155,7 @@ number_of_entries: 4 --trust-domain <string> -The domain serves to identify the system with spiffe (default: cluster.local) (default `cluster.local`) +The domain serves to identify the system with spiffe (default ``) --upstream-ca-address <string> diff --git a/content/docs/reference/commands/pilot-discovery/index.html b/content/docs/reference/commands/pilot-discovery/index.html index 8952c91cd9..b2492979dd 100644 --- a/content/docs/reference/commands/pilot-discovery/index.html +++ b/content/docs/reference/commands/pilot-discovery/index.html @@ -249,7 +249,7 @@ number_of_entries: 5 --registries <stringSlice> -Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, Mock}) (default `[Kubernetes]`) +Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, MCP, Mock}) (default `[Kubernetes]`) --resync <duration> @@ -261,6 +261,11 @@ number_of_entries: 5 Discovery service grpc address, with https (default `:15012`) + +--trust-domain <string> + +The domain serves to identify the system with spiffe (default ``) +

pilot-discovery request
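Review bot: the added `--trust-domain` entry for pilot-discovery lists its default as an empty string, and the istio_ca hunk at the top of this patch replaces `cluster.local` with the same empty default, so neither page now says which SPIFFE trust domain is in effect when the flag is omitted. The trust domain is part of every workload identity, so the flag description should state the effective value for the unset case, or say that the flag must be set.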

diff --git a/content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html b/content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html index c37ceef23e..edc324f0e8 100644 --- a/content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html +++ b/content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html @@ -106,11 +106,10 @@ If set to [“*”], it refers to all services in the namespace.

Optional. A list of HTTP paths or gRPC methods. gRPC methods must be presented as fully-qualified name in the form of “/packageName.serviceName/methodName” and are case sensitive. -Exact match, prefix match, and suffix match are supported for paths. -For example, the path “/books/review” matches -“/books/review” (exact match), or “/books/” (prefix match), -or “/review” (suffix match). -If not specified, it applies to any path.

+Exact match, prefix match, and suffix match are supported. For example, +the path “/books/review” matches “/books/review” (exact match), +or “/books/” (prefix match), or “/review” (suffix match). +If not specified, it matches to any path.

@@ -120,7 +119,7 @@ If not specified, it applies to any path.

Optional. A list of HTTP methods (e.g., “GET”, “POST”). It is ignored in gRPC case because the value is always “POST”. -If set to [“*”] or not specified, it applies to any method.

+If not specified, it matches to any methods.
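Review bot: the replacement sentence for `methods` drops the [“*”] case that the removed line documented, so a reader can no longer tell whether a rule with methods set to [“*”] still matches every method. If the wildcard is still accepted, keep it in the description; if it is not, say so explicitly, because an authorization rule that silently stops matching changes who is allowed. The wording “it matches to any methods” (and “it matches to any path” in the previous hunk) should read “it matches any method” and “it matches any path”.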

@@ -128,8 +127,7 @@ If set to [“*”] or not specified, it applies to any method.

constraints AccessRule.Constraint[] -

Optional. Extra constraints in the ServiceRole specification. -The above ServiceRole example shows an example of constraint “version”.

+

Optional. Extra constraints in the ServiceRole specification.

@@ -162,10 +160,9 @@ The above ServiceRole example shows an example of constraint “version&rdqu string[]

List of valid values for the constraint. -Exact match, prefix match, and suffix match are supported for constraint values. -For example, the value “v1alpha2” matches -“v1alpha2” (exact match), or “v1” (prefix match), -or “alpha2” (suffix match).

+Exact match, prefix match, and suffix match are supported. +For example, the value “v1alpha2” matches “v1alpha2” (exact match), +or “v1” (prefix match), or “alpha2” (suffix match).

@@ -335,8 +332,7 @@ Currently, “ServiceRole” is the only supported value for “kind string

Required. The name of the ServiceRole object being referenced. -The ServiceRole object must be in the same namespace as the ServiceRoleBinding -object.

+The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.

@@ -345,9 +341,7 @@ object.

ServiceRole

-

ServiceRole specification contains a list of access rules (permissions). -This represent the “Spec” part of the ServiceRole object. The name and namespace -of the ServiceRole is specified in “metadata” section of the ServiceRole object.

+

ServiceRole specification contains a list of access rules (permissions).

@@ -371,10 +365,7 @@ of the ServiceRole is specified in “metadata” section of the Service

ServiceRoleBinding

-

ServiceRoleBinding assigns a ServiceRole to a list of subjects. -This represents the “Spec” part of the ServiceRoleBinding object. The name and namespace -of the ServiceRoleBinding is specified in “metadata” section of the ServiceRoleBinding -object.

+

ServiceRoleBinding assigns a ServiceRole to a list of subjects.

@@ -430,8 +421,7 @@ The supported keys in properties are listed in “constraint an diff --git a/content/docs/reference/config/istio.networking.v1alpha3/index.html b/content/docs/reference/config/istio.networking.v1alpha3/index.html index 1face7462e..18540c5d6d 100644 --- a/content/docs/reference/config/istio.networking.v1alpha3/index.html +++ b/content/docs/reference/config/istio.networking.v1alpha3/index.html @@ -6,7 +6,7 @@ layout: protoc-gen-docs generator: protoc-gen-docs aliases: - /docs/reference/config/istio.routing.v1alpha1/ -number_of_entries: 60 +number_of_entries: 62 ---

Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

@@ -37,6 +37,47 @@ actual choice of the version is determined by the proxy/sidecar, enabling the application code to decouple itself from the evolution of dependent services.

+

CaptureMode

+
+

CaptureMode describes how traffic to a listener is expected to be +captured. Applicable only when the listener is bound to an IP.

+ +
properties map<string, string> -

Optional. The set of properties that identify the subject. -The above ServiceRoleBinding example shows an example of property “source.namespace”.

+

Optional. The set of properties that identify the subject.

+ + + + + + + + + + + + + + + + + + + + +
NameDescription
DEFAULT +

The default capture mode defined by the environment

+ +
IPTABLES +

Capture traffic using IPtables redirection

+ +
NONE +

No traffic capture. When used in egress listener, the application is +expected to explicitly communicate with the listener port/unix +domain socket. When used in ingress listener, care needs to be taken +to ensure that the listener port is not in use by other processes on +the host.

+ +
+

ConfigScope

ConfigScope defines the visibility of an Istio configuration artifact in @@ -2151,12 +2192,43 @@ listener on the sidecar proxy attached to a workload.

+ +port +Port + +

The port associated with the listener. If using unix domain socket, +use 0 as the port number, with a valid protocol. The port if +specified, will be used as the default destination port associated +with the imported hosts. If the port is omitted, Istio will infer the +listener ports based on the imported hosts. Note that when multiple +egress listeners are specified, where one or more listeners have +specific ports while others have no port, the hosts exposed on a +listener port will be based on the listener with the most specific +port.

+ + + + +bind +string + +

The ip or the unix domain socket to which the listener should be bound +to. Port MUST be specified if bind is not empty. Format: x.x.x.x or +unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If +omitted, Istio will autoconfigure the defaults based on imported +services, the workload to which this configuration is applied to and +the captureMode. If captureMode is NONE, bind will default to +127.0.0.1.

+ + + captureMode CaptureMode

When the bind address is an IP, the captureMode option dictates -how traffic to the listener is expected to be captured (or not).

+how traffic to the listener is expected to be captured (or not). +captureMode must be DEFAULT or NONE for unix domain socket binds.

@@ -2164,8 +2236,8 @@ how traffic to the listener is expected to be captured (or not).

hosts string[] -

One or more services/virtualServices exposed by the listener in -namespace/dnsName format. Publicly scoped services and +

REQUIRED: One or more services/virtualServices exposed by the listener +in namespace/dnsName format. Publicly scoped services and VirtualServices from remote namespaces corresponding to the specified hosts will be imported. The service in a namespace can be a service in the service registry (e.g., a kubernetes or cloud foundry service) or @@ -2183,6 +2255,67 @@ namespace can be imported. Private services/configuration will not be imported. Refer to the scope setting associated with VirtualService, DestinationRule, ServiceEntry, etc. for details.

+ + + + +
+

IstioIngressListener

+
+

IstioIngressListener specifies the properties of an inbound +traffic listener on the sidecar proxy attached to a workload.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3652,8 +3785,9 @@ behavior of the system is undefined if two or more Sidecar resources with a workload selector select the same workload.

The example below delcares a Sidecar resource in the prod-us1 namespace -that configures the sidecar to allow egress traffic to public services -in the prod-us1, prod-apis, and the istio-system namespaces.

+that configures the sidecars in the namespace to allow egress traffic to +public services in the prod-us1, prod-apis, and the istio-system +namespaces.

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@@ -3668,6 +3802,36 @@ spec:
     - "istio-system/*"
 
+

The example below delcares a Sidecar resource in the prod-us1 namespace +that accepts inbound HTTP traffic on port 9080 and forwards +it to the attached workload listening on a unix domain socket. In the +egress direction, in addition to the istio-system namespace, the sidecar +proxies only HTTP traffic bound for port 9080 for services in the +prod-us1 namespace.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: default
+  namespace: prod-us1
+spec:
+  ingress:
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: somename
+    defaultEndpoint: unix:///var/run/someuds.sock
+  egress:
+  - hosts:
+    - "istio-system/*"
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: egresshttp
+    hosts:
+    - "prod-us1/*"
+
+
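Review bot: “delcares” in the first sentence of the added paragraph should be “declares”; the unchanged paragraph above the first example carries the same misspelling and can be fixed in the same pass.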
FieldTypeDescription
portPort +

REQUIRED. The port associated with the listener. If using +unix domain socket, use 0 as the port number, with a valid +protocol.

+ +
bindstring +

The ip or the unix domain socket to which the listener should be bound +to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux +abstract namespace). If omitted, Istio will autoconfigure the defaults +based on imported services and the workload to which this +configuration is applied to.

+ +
captureModeCaptureMode +

When the bind address is an IP, the captureMode option dictates +how traffic to the listener is expected to be captured (or not). +captureMode must be DEFAULT or NONE for unix domain socket binds.

+ +
defaultEndpointstring +

REQUIRED: The loopback IP endpoint or unix domain socket to which +traffic should be forwarded to. This configuration can be used to +redirect traffic arriving at the bind point on the sidecar to a port +or unix domain socket where the application workload is listening for +connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket

+
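Review bot: the `bind` description for IstioIngressListener says only that Istio will autoconfigure the defaults when it is omitted, whereas the egress listener's `bind` text states that it defaults to 127.0.0.1 when captureMode is NONE. Say which address an ingress listener binds to in that case, since it decides whether the port is reachable from outside the host. The rows also mix “REQUIRED.” (`port`) and “REQUIRED:” (`defaultEndpoint`); pick one form.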
@@ -3677,6 +3841,29 @@ spec: + + + + + + + + + + @@ -4479,10 +4666,10 @@ selected. Currently, only label based selection mechanism is supported.

diff --git a/content/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/index.html b/content/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/index.html index e70a38ee6e..8c357f3c21 100644 --- a/content/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/index.html +++ b/content/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/index.html @@ -4,17 +4,23 @@ description: Adapter for cloudwatch metrics. location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/cloudwatch.html layout: protoc-gen-docs generator: protoc-gen-docs +supported_templates: logentry supported_templates: metric aliases: - /docs/reference/config/adapters/cloudwatch.html -number_of_entries: 3 +number_of_entries: 4 ---

The CloudWatch adapter enables Istio to deliver metrics to -Amazon CloudWatch.

+Amazon CloudWatch. +Amazon CloudWatch and logs to +Amazon CloudWatchLogs.

-

To push metrics to CloudWatch using this adapter you must provide AWS credentials the AWS SDK. +

To push metrics and logs to CloudWatch using this adapter you must provide AWS credentials to the AWS SDK. (see AWS docs).

+

To activate the CloudWatch adapter, operators need to provide configuration for the +cloudwatch adapter.

+

The handler configuration must contain the same metrics as the instance configuration. The metrics specified in both instance and handler configurations will be sent to CloudWatch.
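Review bot: the front matter now carries two `supported_templates:` keys (the added `logentry` line directly above the existing `metric` line); YAML mappings require unique keys and parsers commonly keep only the last one, so list both templates under a single key. In the intro, the added lines leave the sentence reading “deliver metrics to Amazon CloudWatch. Amazon CloudWatch and logs to Amazon CloudWatchLogs.”, so drop the repeated “Amazon CloudWatch.” fragment.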

@@ -47,6 +53,53 @@ The metrics specified in both instance and handler configurations will be sent t + + + + + + + + + + + + + + + + + +
workloadSelectorWorkloadSelector +

Criteria used to select the specific set of pods/VMs on which this +sidecar configuration should be applied. If omitted, the sidecar +configuration will be applied to all workloads in the same config +namespace.

+ +
ingressIstioIngressListener[] +

Ingress specifies the configuration of the sidecar for processing +inbound traffic to the attached workload. If omitted, Istio will +autoconfigure the sidecar based on the information about the workload +obtained from the orchestration platform (e.g., exposed ports, services, +etc.).

+ +
egress IstioEgressListener[] labels map<string, string> -

One or more labels that indicate a specific set of pods/VMs on which -this sidecar configuration should be applied. The scope of label -search is restricted to the configuration namespace in which the the -resource is present.

+

REQUIRED: One or more labels that indicate a specific set of pods/VMs +on which this sidecar configuration should be applied. The scope of +label search is restricted to the configuration namespace in which the +the resource is present.

A map of Istio metric name to CloudWatch metric info.

+
logGroupNamestring +

The name of the log group in cloudwatchlogs.

+ +
logStreamNamestring +

The name of the log stream in cloudwatchlogs.

+ +
logsmap<string, Params.LogInfo> +

A map of Istio logentry name to CloudWatch logentry info.

+ +
+
+

Params.LogInfo

+
+ + + + + + + + + + + + + diff --git a/content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html b/content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html index 0ca8ab344c..39c716a87e 100644 --- a/content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html +++ b/content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html @@ -809,6 +809,10 @@ the field value:

- x.output.f +

If the header value expression evaluates to an empty string, and the operation is to either replace +or append a header, then the operation is not applied. This permits conditional behavior on behalf of the +adapter to optionally modify the headers.

+
FieldTypeDescription
payloadTemplatestring +

A golang text/template template that will be executed to construct the payload for this log entry. +It will be given the full set of variables for the log to use to construct its result.

+
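Review bot: the paragraph added to istio.policy.v1beta1 says a replace or append whose value expression evaluates to an empty string is not applied, which means a replace cannot be used to blank out a header and the existing value stays in place. State that consequence explicitly, and say how an empty result is treated for operations other than replace and append, if any, so operators do not assume a header was cleared.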