Bump master to next version (#15595)

* Bump master to next version

* remove link to removed IstioOperator doc

* disable operator test

* improve test

* Add back operator doc

* fix version

* drop operator

* bump version

* snips

* fix

* fix lint

* Add redirect

* Kick GitHub

* fix lint

* I hope this isn't genchecked

* fix Gateway API test

* bump again

* fix cleanup

Signed-off-by: Faseela K <faseela.k@est.tech>

* fix cleanup

Signed-off-by: Faseela K <faseela.k@est.tech>

* fix multicluster cleanup

Signed-off-by: Faseela K <faseela.k@est.tech>

* disable skywalking test

Signed-off-by: Faseela K <faseela.k@est.tech>

* fix spire and multiple controlplane tests

Signed-off-by: Faseela K <faseela.k@est.tech>

---------

Signed-off-by: Faseela K <faseela.k@est.tech>
Co-authored-by: Craig Box <craig.box@gmail.com>
Co-authored-by: Faseela K <faseela.k@est.tech>
John Howard 2024-09-12 08:00:36 -07:00 committed by GitHub
parent b747b29e7b
commit 9a980a9729
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
75 changed files with 877 additions and 11254 deletions

@ -27,7 +27,7 @@ export IN_BUILD_CONTAINER := $(IN_BUILD_CONTAINER)
# ISTIO_IMAGE_VERSION stores the prefix used by default for the Docker images for Istio.
# For example, a value of 1.6-alpha will assume a default TAG value of 1.6-dev.<SHA>
ISTIO_IMAGE_VERSION ?= 1.23-alpha
ISTIO_IMAGE_VERSION ?= 1.24-alpha
export ISTIO_IMAGE_VERSION
# Determine the SHA for the Istio dependency by parsing the go.mod file.
@ -77,7 +77,7 @@ baseurl := "$(URL)"
endif
# Which branch of the Istio source code do we fetch stuff from
export SOURCE_BRANCH_NAME ?= release-1.23
export SOURCE_BRANCH_NAME ?= master
site:
@scripts/gen_site.sh
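
Review bot: `SOURCE_BRANCH_NAME ?= master` carries no comment saying it has to be set back to a `release-x.y` branch when the docs release branch is cut; the comment above it only says which branch content is fetched from. This value appears to feed the `raw.githubusercontent.com/istio/istio/...` URLs in the generated snippets later in this change, so a one-line comment here, or a check in the release tooling, would keep a published docs version from pointing at a moving branch.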

@ -16,12 +16,11 @@ The following lists some of the pros and cons of each of the available methods:
- Thorough configuration validation and health verification.
- Uses the `IstioOperator` API which provides extensive configuration/customization options.
- No in-cluster privileged pods needed. Changes are actuated by running the `istioctl` command.
Cons:
- Multiple binaries must be managed, one per Istio minor version.
- The `istioctl` command can set values like `JWT_POLICY` based on your running environment,
- The `istioctl` command can set values automatically based on your running environment,
thereby producing varying installations in different Kubernetes environments.
1. [istioctl manifest generate](/docs/setup/install/istioctl/#generate-a-manifest-before-installation)
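
Review bot: In the Cons list, the new wording "can set values automatically based on your running environment" drops the only concrete example (`JWT_POLICY`), so a reader can no longer tell which settings may differ between clusters. If `JWT_POLICY` is no longer auto-detected, consider naming a current example or linking to where the auto-detected values are listed.
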
@ -31,12 +30,12 @@ The following lists some of the pros and cons of each of the available methods:
Pros:
- Resources are generated from the same `IstioOperator` API as used in `istioctl install` and Operator.
- Resources are generated from the same `IstioOperator` API as used in `istioctl install`.
- Uses the `IstioOperator` API which provides extensive configuration/customization options.
Cons:
- Some checks performed in `istioctl install` and Operator are not done.
- Some checks performed in `istioctl install` are not done.
- UX is less streamlined compared to `istioctl install`.
- Error reporting is not as robust as `istioctl install` for the apply step.
@ -51,28 +50,7 @@ The following lists some of the pros and cons of each of the available methods:
Cons:
- Fewer checks and validations compared to `istioctl install` and Operator.
- Fewer checks and validations compared to `istioctl install`.
- Some administrative tasks require more steps and have higher complexity.
1. [Istio Operator](/docs/setup/install/operator/)
{{< warning >}}
Using the operator is not recommended for new installations. While the operator will continue to be supported,
new feature requests will not be prioritized.
{{< /warning >}}
The Istio operator provides an installation path without needing the `istioctl` binary.
This can be used for simplified upgrade workflows where running an in-cluster privileged controller is not a concern.
This method is suitable where strict auditing or augmentation of output manifests is not needed.
Pros:
- Same API as `istioctl install` but actuation is through a controller pod in the cluster with a fully declarative operation.
- Uses the `IstioOperator` API which provides extensive configuration/customization options.
- No need to manage multiple `istioctl` binaries.
Cons:
- High privilege controller running in the cluster poses security risks.
Installation instructions for all of these methods are available on the [Istio install page](/docs/setup/install).
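
Review bot: Removing the Istio Operator entry also removes this page's only statement that a high-privilege in-cluster controller poses security risks, while the `istioctl install` entry earlier in the file still lists "No in-cluster privileged pods needed" as a pro with nothing left to contrast it against. Consider a one-sentence pointer for readers who still run the operator, for example to the archived `https://archive.istio.io/v1.23/docs/setup/install/operator/` page that other files in this change link to.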

@ -108,7 +108,7 @@ resource and reacts to changes by updating the Istio installation configuration
In the 1.4 release, the Istio controller is in the alpha phase of development and not fully
integrated with `istioctl`. It is, however,
[available for experimentation](/docs/setup/install/operator/) using `kubectl` commands.
[available for experimentation](https://archive.istio.io/v1.23/docs/setup/install/operator/) using `kubectl` commands.
For example, to install the controller and a default version of Istio into your cluster,
run the following command:

@ -10,7 +10,7 @@ Istios In-Cluster Operator has been deprecated in Istio 1.23. Users leveragi
## Does this affect you?
This deprecation only affects users of the [In-Cluster Operator](/docs/setup/install/operator/). **Users who install Istio with the <code>istioctl install</code> command and an `IstioOperator` YAML file are not affected**.
This deprecation only affects users of the [In-Cluster Operator](https://archive.istio.io/v1.23/docs/setup/install/operator/). **Users who install Istio with the <code>istioctl install</code> command and an `IstioOperator` YAML file are not affected**.
To determine if you are affected, run `kubectl get deployment -n istio-system istio-operator` and `kubectl get IstioOperator`. If both commands return non-empty values, your cluster will be affected. Based on recent polls, we expect that this will affect fewer than 10% of Istio users.

@ -2,6 +2,5 @@
---
The Helm charts for `base` and `istiod` used
in this guide are the same as those used when
installing Istio via [Istioctl](/docs/setup/install/istioctl/) or the
[Operator](/docs/setup/install/operator/).
However installations via Istioctl and the Operator use a different [gateway chart]({{< github_tree >}}/manifests/charts/gateways/istio-ingress) to the [chart]({{< github_tree >}}/manifests/charts/gateway) described in this guide
installing Istio via [Istioctl](/docs/setup/install/istioctl/).
However installations via Istioctl use a different [gateway chart]({{< github_tree >}}/manifests/charts/gateways/istio-ingress) to the [chart]({{< github_tree >}}/manifests/charts/gateway) described in this guide
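
Review bot: The rewritten sentence "However installations via Istioctl use a different [gateway chart]..." is missing the comma after "However" and still has no closing period; worth fixing while the line is being touched.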

@ -25,9 +25,9 @@ v1.1.0
ENDSNIP
! IFS=$'\n' read -r -d '' bpsnip_args_istio_previous_version <<\ENDSNIP
1.22
1.23
ENDSNIP
! IFS=$'\n' read -r -d '' bpsnip_args_istio_full_version <<\ENDSNIP
1.23.0
1.24.0
ENDSNIP

@ -26,7 +26,7 @@ istioctl tag list
! IFS=$'\n' read -r -d '' bpsnip_revision_tags_middle__1_out <<\ENDSNIP
TAG REVISION NAMESPACES
default 1-22-1 ...
prod-canary 1-23-0 ...
prod-stable 1-22-1 ...
default 1-23-1 ...
prod-canary 1-24-0 ...
prod-stable 1-23-1 ...
ENDSNIP

@ -31,7 +31,7 @@ istioctl waypoint delete --all
}
snip_remove_the_sample_application_1() {
kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo-versions.yaml
kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/sleep/sleep.yaml
kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml
kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml
}
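
Review bot: `snip_remove_the_sample_application_1` now deletes using the manifests on `master`, which only cleans up fully if those files still describe the same resources that were applied. `kubectl delete -f` works from the file's current contents, so if a sample is renamed or gains a resource between apply and cleanup, objects are left behind; pointing apply and delete at the same fixed ref avoids that.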

@ -21,12 +21,12 @@
####################################################################################################
snip_deploy_the_bookinfo_application_1() {
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo-versions.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml
}
snip_deploy_bookinfo_gateway() {
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
}
snip_annotate_bookinfo_gateway() {
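
Review bot: The three `kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/...` lines apply whatever is at the tip of `master` when the reader runs them, so the documented steps are no longer reproducible and the reader has no fixed content to review before applying it to a cluster. If `master` is only intended for the unreleased docs, confirm these snippets are regenerated against the release branch before publishing.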

@ -41,7 +41,7 @@ EOF
}
snip_deploy_sleep() {
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/sleep/sleep.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml
}
snip_enforce_layer_4_authorization_policy_3() {

@ -56,10 +56,10 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_show_components_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.23.0 1.23.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.23.0 1.23.0
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.24.0 1.24.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.24.0 1.24.0
ENDSNIP
snip_check_pods() {
@ -79,10 +79,10 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_uninstall_1_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.23.0 1.23.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.23.0 1.23.0
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.24.0 1.24.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.24.0 1.24.0
ENDSNIP
snip_delete_ingress() {

@ -52,6 +52,7 @@ default Active 24h ambient
{{< text syntax=bash snip_id=gen_waypoint_resource >}}
$ istioctl waypoint generate --for service -n default
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
@ -79,6 +80,7 @@ Or, you can deploy the generated Gateway resource:
{{< text syntax=bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:

@ -37,6 +37,7 @@ istioctl waypoint generate --for service -n default
}
! IFS=$'\n' read -r -d '' snip_gen_waypoint_resource_out <<\ENDSNIP
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
@ -61,6 +62,7 @@ ENDSNIP
snip_deploy_a_waypoint_proxy_4() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:

@ -39,7 +39,7 @@ sudo systemctl restart mysql
}
snip_running_mysql_on_the_vm_3() {
curl -LO https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/src/mysql/mysqldb-init.sql
curl -LO https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/src/mysql/mysqldb-init.sql
mysql -u root -ppassword < mysqldb-init.sql
}
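
Review bot: In `snip_running_mysql_on_the_vm_3` the file fetched by `curl -LO` from `master` is fed straight into `mysql -u root`, so the SQL that runs as the database root user can change without the docs changing. Consider fetching from a fixed ref or publishing a checksum for `mysqldb-init.sql` next to the command.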

@ -48,7 +48,7 @@ istioctl analyze samples/bookinfo/networking/bookinfo-gateway.yaml samples/booki
Error [IST0101] (Gateway default/bookinfo-gateway samples/bookinfo/networking/bookinfo-gateway.yaml:9) Referenced selector not found: "istio=ingressgateway"
Error [IST0101] (VirtualService default/bookinfo samples/bookinfo/networking/bookinfo-gateway.yaml:41) Referenced host not found: "productpage"
Error: Analyzers found issues when analyzing namespace: default.
See https://istio.io/v1.23/docs/reference/config/analysis for more information about causes and resolutions.
See https://istio.io/v1.24/docs/reference/config/analysis for more information about causes and resolutions.
ENDSNIP
snip_analyze_networking_directory() {
@ -76,7 +76,7 @@ spec:
status:
observedGeneration: "1"
validationMessages:
- documentationUrl: https://istio.io/v1.23/docs/reference/config/analysis/ist0101/
- documentationUrl: https://istio.io/v1.24/docs/reference/config/analysis/ist0101/
level: ERROR
type:
code: IST0101

@ -162,7 +162,6 @@ Below are the equivalent manual registrations based off the automatic registrati
meshConfig:
trustDomain: example.org
values:
global:
# This is used to customize the sidecar template.
# It adds both the label to indicate that SPIRE should manage the
# identity of this pod, as well as the CSI driver mounts.

@ -104,7 +104,6 @@ spec:
meshConfig:
trustDomain: example.org
values:
global:
# This is used to customize the sidecar template.
# It adds both the label to indicate that SPIRE should manage the
# identity of this pod, as well as the CSI driver mounts.

@ -76,22 +76,6 @@ remove_toc_prefix: 'install-cni '
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
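
Review bot: The four `--log_rotate*` rows are dropped from the flag table here and from each sub-command table below, but nothing in this change tells users what to do if they pass those flags today. If the flags were removed from `install-cni` itself, an upgrade note is needed, since deployments that relied on file rotation and retention for their CNI logs will need another way to keep them.
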
@ -198,22 +182,6 @@ See each sub-command&#39;s help for details on how to use the generated script.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -228,14 +196,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
<p>This script depends on the &#39;bash-completion&#39; package.
If it is not installed already, you can install it via your OS&#39;s package manager.</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(install-cni completion bash)</p>
<pre class="language-bash"><code>source &lt;(install-cni completion bash)</code></pre>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> install-cni completion bash &gt; /etc/bash_completion.d/install-cni</p>
<p>#### macOS:</p>
<p> install-cni completion bash &gt; $(brew --prefix)/etc/bash_completion.d/install-cni</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>install-cni completion bash &gt; /etc/bash_completion.d/install-cni</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>install-cni completion bash &gt; /usr/local/etc/bash_completion.d/install-cni</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>install-cni completion bash
</code></pre>
<table class="command-flags">
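
Review bot: The macOS bash line now hardcodes `/usr/local/etc/bash_completion.d/install-cni`, whereas the line it replaces used `$(brew --prefix)` and the zsh section in this same file still does. The hardcoded path is only correct when Homebrew's prefix is `/usr/local`; keeping `$(brew --prefix)/etc/bash_completion.d/install-cni` works for any prefix.
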
@ -267,22 +234,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -299,11 +250,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
<h3 id="install-cni-completion-fish">install-cni completion fish</h3>
<p>Generate the autocompletion script for the fish shell.</p>
<p>To load completions in your current shell session:</p>
<p> install-cni completion fish | source</p>
<pre class="language-bash"><code>install-cni completion fish | source</code></pre>
<p>To load completions for every new session, execute once:</p>
<p> install-cni completion fish &gt; ~/.config/fish/completions/install-cni.fish</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<pre class="language-bash"><code>install-cni completion bash &gt; ~/.config/fish/completions/install-cni.fish</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>install-cni completion fish [flags]
</code></pre>
<table class="command-flags">
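
Review bot: The new persistent-install line for fish reads `install-cni completion bash > ~/.config/fish/completions/install-cni.fish`, which writes the bash completion script into the fish completions directory; the line it replaces used `completion fish`. It should be `install-cni completion fish > ~/.config/fish/completions/install-cni.fish`, and if this page is generated the fix belongs in the generator's source text.
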
@ -335,22 +285,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -365,12 +299,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tbody>
</table>
<h3 id="install-cni-completion-powershell">install-cni completion powershell</h3>
<p>Generate the autocompletion script for powershell.</p>
<p>Generate the autocompletion script for PowerShell.</p>
<p>To load completions in your current shell session:</p>
<p> install-cni completion powershell | Out-String | Invoke-Expression</p>
<p>To load completions for every new session, add the output of the above command
to your powershell profile.
</p>
<pre class="language-bash"><code>install-cni completion powershell | Out-String | Invoke-Expression</code></pre>
<p>To load completions for every new session, add the output of the above command to your powershell profile.</p>
<pre class="language-bash"><code>install-cni completion powershell [flags]
</code></pre>
<table class="command-flags">
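
Review bot: The PowerShell pipeline `install-cni completion powershell | Out-String | Invoke-Expression` is now wrapped in `<pre class="language-bash">`, so it will be highlighted as bash. The same hunk capitalizes "PowerShell" in the first sentence but leaves "your powershell profile" in lowercase; both are worth aligning.
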
@ -402,22 +334,6 @@ to your powershell profile.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -433,18 +349,16 @@ to your powershell profile.
</table>
<h3 id="install-cni-completion-zsh">install-cni completion zsh</h3>
<p>Generate the autocompletion script for the zsh shell.</p>
<p>If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:</p>
<p> echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(install-cni completion zsh)</p>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> install-cni completion zsh &gt; &#34;${fpath[1]}/_install-cni&#34;</p>
<p>#### macOS:</p>
<p> install-cni completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_install-cni</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<p>If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:</p>
<pre class="language-bash"><code>echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</code></pre>
<p>To load completions in your current shell session:</p>
<pre class="language-bash"><code>source &lt;(install-cni completion zsh)</code></pre>
<p>To load completions for every new session, execute once:</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>install-cni completion zsh &gt; &#34;${fpath[1]}/_install-cni&#34;</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>install-cni completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_install-cni</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>install-cni completion zsh [flags]
</code></pre>
<table class="command-flags">
@ -476,22 +390,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -544,26 +442,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -586,7 +464,7 @@ to enable it. You can execute the following once:</p>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>install-cni</code> command. Please use with caution as these environment variables are experimental and can change anytime.
These environment variables affect the behavior of the <code>install-cni</code> command.
<table class="envvars">
<thead>
<tr>
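
Review bot: The sentence "Please use with caution as these environment variables are experimental and can change anytime." is removed from the intro, yet later hunks in this same table change the default of `ENABLE_INBOUND_RETRY_POLICY` and delete `ENABLE_EXTERNAL_NAME_ALIAS`, `PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING` and `PILOT_ENABLE_STATUS`. That is the behavior the caution described, so consider keeping it.
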
@ -706,6 +584,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and &gt; 1 worker thread</td>
</tr>
<tr>
<td><code>ENABLE_DEFERRED_STATS_CREATION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Istio will lazily initialize a subset of the stats</td>
</tr>
<tr>
<td><code>ENABLE_DELIMITED_STATS_TAG_REGEX</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -718,12 +602,6 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.</td>
</tr>
<tr>
<td><code>ENABLE_EXTERNAL_NAME_ALIAS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.</td>
</tr>
<tr>
<td><code>ENABLE_HCM_INTERNAL_NETWORKS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
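Review bot: Dropping the ENABLE_EXTERNAL_NAME_ALIAS row leaves the reference silent on which ExternalName behaviour now applies. The removed description warned that the non-alias mode matches all traffic on a TCP port and skips mTLS and load-balancing policy toward the destination, so operators who had set the variable to false need to know whether alias handling is now unconditional. State that in the upgrade notes this page links to, or keep a short "removed, behaviour is now ..." entry rather than deleting the row outright.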
@ -732,7 +610,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<tr>
<td><code>ENABLE_INBOUND_RETRY_POLICY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.</td>
</tr>
<tr>
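Review bot: The ENABLE_INBOUND_RETRY_POLICY default changes from false to true with no accompanying text, so an upgrade silently turns on inbound retries for every workload. Call the flip out in the release notes and say here how to restore the old behaviour (set the variable to false). While touching the row, the description should read "before they reach the service", and it should say how many retries are attempted, since a retry of a reset request is visible to non-idempotent backends.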
@ -808,6 +686,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>Envoy proxy username</td>
</tr>
<tr>
<td><code>EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, excludes unsafe retry on 503 from default retry policy.</td>
</tr>
<tr>
<td><code>EXTERNAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
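Review bot: The new EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY description never defines "unsafe", so a reader cannot tell which 503 responses stop being retried when this is true. Spell out the condition being excluded and what setting it to false restores. Because the default is true, this also changes default retry behaviour on upgrade and belongs in the upgrade notes.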
@ -1046,12 +930,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1268,12 +1146,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, HBONE support can be configured for proxies.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TELEMETRY_LABEL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1490,6 +1362,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>pod&#39;s namespace</td>
</tr>
<tr>
<td><code>PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.</td>
</tr>
<tr>
<td><code>REPAIR_BROKEN_POD_LABEL_KEY</code></td>
<td>String</td>
<td><code>cni.istio.io/uninitialized</code></td>
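Review bot: The PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES row decides which TLS configuration is used toward external services, but "metadata TLS settings" is not defined anywhere in the visible text and the row does not say what happens when a DestinationRule exists without a TLS block. Since the default is true, document the precedence explicitly (DestinationRule TLS present, absent, or conflicting with metadata) so operators can tell whether an upgrade changes the TLS mode of existing egress traffic.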
@ -1628,12 +1506,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.</td>
</tr>
<tr>
<td><code>VERIFY_CERTIFICATE_AT_CLIENT</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.</td>
</tr>
<tr>
<td><code>XDS_AUTH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
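Review bot: Removing the VERIFY_CERTIFICATE_AT_CLIENT row drops the statement that certificates received by the proxy are verified against the OS CA certificate bundle, and nothing in this hunk says whether that verification is now always on or configured elsewhere. For a control that gates certificate validation, add a line to the release or upgrade notes stating the resulting behaviour, and note what happens to deployments that still set the variable to false.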

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -30,22 +30,6 @@ remove_toc_prefix: 'pilot-agent '
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
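Review bot: The four --log_rotate, --log_rotate_max_age, --log_rotate_max_backups and --log_rotate_max_size rows disappear here (and in every other pilot-agent subcommand table below) with no replacement or deprecation text. If the flags are gone from the binary, anyone still passing them needs a migration note that says how file logging and rotation should be handled now; add that to the release notes and reference it from this page. The same comment applies to each repeated hunk that removes these rows.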
@ -84,22 +68,6 @@ See each sub-command&#39;s help for details on how to use the generated script.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -118,14 +86,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
<p>This script depends on the &#39;bash-completion&#39; package.
If it is not installed already, you can install it via your OS&#39;s package manager.</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-agent completion bash)</p>
<pre class="language-bash"><code>source &lt;(pilot-agent completion bash)</code></pre>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-agent completion bash &gt; /etc/bash_completion.d/pilot-agent</p>
<p>#### macOS:</p>
<p> pilot-agent completion bash &gt; $(brew --prefix)/etc/bash_completion.d/pilot-agent</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-agent completion bash &gt; /etc/bash_completion.d/pilot-agent</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-agent completion bash &gt; /usr/local/etc/bash_completion.d/pilot-agent</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-agent completion bash
</code></pre>
<table class="command-flags">
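Review bot: The macOS bash line now hardcodes /usr/local/etc/bash_completion.d/pilot-agent where the old text used $(brew --prefix)/etc/bash_completion.d/pilot-agent. Homebrew on Apple Silicon installs under /opt/homebrew, so the hardcoded path writes the completion file where bash-completion will not look for it. It is also inconsistent with the zsh section later in this file, which keeps $(brew --prefix). Restore the $(brew --prefix) form. On Linux, the redirect into /etc/bash_completion.d needs root, which the text could mention.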
@ -149,22 +116,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -185,11 +136,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
<h3 id="pilot-agent-completion-fish">pilot-agent completion fish</h3>
<p>Generate the autocompletion script for the fish shell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-agent completion fish | source</p>
<pre class="language-bash"><code>pilot-agent completion fish | source</code></pre>
<p>To load completions for every new session, execute once:</p>
<p> pilot-agent completion fish &gt; ~/.config/fish/completions/pilot-agent.fish</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<pre class="language-bash"><code>pilot-agent completion bash &gt; ~/.config/fish/completions/pilot-agent.fish</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-agent completion fish [flags]
</code></pre>
<table class="command-flags">
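Review bot: The new persistent-install line for fish runs "pilot-agent completion bash" and redirects it to ~/.config/fish/completions/pilot-agent.fish, so it writes a bash completion script into the fish completions directory. The line it replaces used "pilot-agent completion fish", and so does the current-session command just above it. Change "bash" back to "fish" in that command. Because this page is generated, the fix belongs in the command's help text upstream rather than in this file.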
@ -213,22 +163,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -247,12 +181,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tbody>
</table>
<h3 id="pilot-agent-completion-powershell">pilot-agent completion powershell</h3>
<p>Generate the autocompletion script for powershell.</p>
<p>Generate the autocompletion script for PowerShell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-agent completion powershell | Out-String | Invoke-Expression</p>
<p>To load completions for every new session, add the output of the above command
to your powershell profile.
</p>
<pre class="language-bash"><code>pilot-agent completion powershell | Out-String | Invoke-Expression</code></pre>
<p>To load completions for every new session, add the output of the above command to your powershell profile.</p>
<pre class="language-bash"><code>pilot-agent completion powershell [flags]
</code></pre>
<table class="command-flags">
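Review bot: The PowerShell pipeline "pilot-agent completion powershell | Out-String | Invoke-Expression" is wrapped in a pre block with class="language-bash", which mislabels it for syntax highlighting and for anyone copying commands by language. Use a PowerShell language class if the site's highlighter has one, or an unlabelled pre otherwise. The same hunk capitalises "PowerShell" in the first sentence but leaves "your powershell profile" lowercase two lines later; make them consistent.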
@ -276,22 +208,6 @@ to your powershell profile.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -311,18 +227,16 @@ to your powershell profile.
</table>
<h3 id="pilot-agent-completion-zsh">pilot-agent completion zsh</h3>
<p>Generate the autocompletion script for the zsh shell.</p>
<p>If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:</p>
<p> echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-agent completion zsh)</p>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-agent completion zsh &gt; &#34;${fpath[1]}/_pilot-agent&#34;</p>
<p>#### macOS:</p>
<p> pilot-agent completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-agent</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<p>If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:</p>
<pre class="language-bash"><code>echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</code></pre>
<p>To load completions in your current shell session:</p>
<pre class="language-bash"><code>source &lt;(pilot-agent completion zsh)</code></pre>
<p>To load completions for every new session, execute once:</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-agent completion zsh &gt; &#34;${fpath[1]}/_pilot-agent&#34;</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-agent completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-agent</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-agent completion zsh [flags]
</code></pre>
<table class="command-flags">
@ -346,22 +260,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -428,26 +326,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -613,26 +491,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -722,22 +580,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -816,22 +658,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -874,26 +700,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -945,22 +751,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -991,7 +781,7 @@ to enable it. You can execute the following once:</p>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>pilot-agent</code> command. Please use with caution as these environment variables are experimental and can change anytime.
These environment variables affect the behavior of the <code>pilot-agent</code> command.
<table class="envvars">
<thead>
<tr>
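Review bot: The intro sentence under "Environment variables" loses "Please use with caution as these environment variables are experimental and can change anytime", yet this same commit removes several variables from the table and flips the default of ENABLE_INBOUND_RETRY_POLICY. Without the caveat, the table reads as a stable interface. Either keep a stability statement or mark per row which variables are supported and which are feature flags that may be removed.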
@ -1141,6 +931,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and &gt; 1 worker thread</td>
</tr>
<tr>
<td><code>ENABLE_DEFERRED_STATS_CREATION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Istio will lazily initialize a subset of the stats</td>
</tr>
<tr>
<td><code>ENABLE_DELIMITED_STATS_TAG_REGEX</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1153,12 +949,6 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.</td>
</tr>
<tr>
<td><code>ENABLE_EXTERNAL_NAME_ALIAS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.</td>
</tr>
<tr>
<td><code>ENABLE_HCM_INTERNAL_NETWORKS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1167,7 +957,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<tr>
<td><code>ENABLE_INBOUND_RETRY_POLICY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.</td>
</tr>
<tr>
@ -1261,6 +1051,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>Envoy proxy username</td>
</tr>
<tr>
<td><code>EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, excludes unsafe retry on 503 from default retry policy.</td>
</tr>
<tr>
<td><code>EXIT_ON_ZERO_ACTIVE_CONNECTIONS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1595,12 +1391,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If set to true, enable the peer metadata discovery extension in Envoy</td>
</tr>
<tr>
<td><code>PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1817,12 +1607,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, HBONE support can be configured for proxies.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TELEMETRY_LABEL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -2045,6 +1829,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.</td>
</tr>
<tr>
<td><code>PROV_CERT</code></td>
<td>String</td>
<td><code></code></td>
@ -2099,6 +1889,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The grace period ratio for the cert rotation, by default 0.5.</td>
</tr>
<tr>
<td><code>SECRET_GRACE_PERIOD_RATIO_JITTER</code></td>
<td>Floating-Point</td>
<td><code>0.01</code></td>
<td>Randomize the grace period ratio up or down by this amount to stagger cert renewals, by default .01 (~15 minutes over 24 hours).</td>
</tr>
<tr>
<td><code>SECRET_TTL</code></td>
<td>Time Duration</td>
<td><code>24h0m0s</code></td>
@ -2165,12 +1961,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.</td>
</tr>
<tr>
<td><code>VERIFY_CERTIFICATE_AT_CLIENT</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.</td>
</tr>
<tr>
<td><code>WASM_HTTP_REQUEST_MAX_RETRIES</code></td>
<td>Integer</td>
<td><code>5</code></td>
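Review bot: Removing the `VERIFY_CERTIFICATE_AT_CLIENT` row leaves the reference silent on whether certificates received by the proxy are still verified against the OS CA certificate bundle. The removed default was `true`, so state somewhere reachable from this page whether that verification is now unconditional and what happens to deployments that had set the variable to `false`.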

View File

@ -46,14 +46,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
<p>This script depends on the &#39;bash-completion&#39; package.
If it is not installed already, you can install it via your OS&#39;s package manager.</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-discovery completion bash)</p>
<pre class="language-bash"><code>source &lt;(pilot-discovery completion bash)</code></pre>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-discovery completion bash &gt; /etc/bash_completion.d/pilot-discovery</p>
<p>#### macOS:</p>
<p> pilot-discovery completion bash &gt; $(brew --prefix)/etc/bash_completion.d/pilot-discovery</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-discovery completion bash &gt; /etc/bash_completion.d/pilot-discovery</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-discovery completion bash &gt; /usr/local/etc/bash_completion.d/pilot-discovery</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-discovery completion bash
</code></pre>
<table class="command-flags">
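Review bot: The macOS command now hardcodes `/usr/local/etc/bash_completion.d/pilot-discovery` where the old text used `$(brew --prefix)/etc/bash_completion.d/pilot-discovery`, while the zsh section of this same file keeps `$(brew --prefix)`. Homebrew does not install under `/usr/local` on every Mac, so keep the `$(brew --prefix)` form here so the path works on both layouts and matches the zsh instructions.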
@ -77,11 +76,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
<h3 id="pilot-discovery-completion-fish">pilot-discovery completion fish</h3>
<p>Generate the autocompletion script for the fish shell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-discovery completion fish | source</p>
<pre class="language-bash"><code>pilot-discovery completion fish | source</code></pre>
<p>To load completions for every new session, execute once:</p>
<p> pilot-discovery completion fish &gt; ~/.config/fish/completions/pilot-discovery.fish</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<pre class="language-bash"><code>pilot-discovery completion bash &gt; ~/.config/fish/completions/pilot-discovery.fish</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-discovery completion fish [flags]
</code></pre>
<table class="command-flags">
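Review bot: In the "every new session" step the command became `pilot-discovery completion bash > ~/.config/fish/completions/pilot-discovery.fish`, which writes the bash completion script into the fish completions directory. The line it replaces used `completion fish`; restore that subcommand.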
@ -103,12 +101,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tbody>
</table>
<h3 id="pilot-discovery-completion-powershell">pilot-discovery completion powershell</h3>
<p>Generate the autocompletion script for powershell.</p>
<p>Generate the autocompletion script for PowerShell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-discovery completion powershell | Out-String | Invoke-Expression</p>
<p>To load completions for every new session, add the output of the above command
to your powershell profile.
</p>
<pre class="language-bash"><code>pilot-discovery completion powershell | Out-String | Invoke-Expression</code></pre>
<p>To load completions for every new session, add the output of the above command to your powershell profile.</p>
<pre class="language-bash"><code>pilot-discovery completion powershell [flags]
</code></pre>
<table class="command-flags">
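Review bot: The PowerShell pipeline `pilot-discovery completion powershell | Out-String | Invoke-Expression` is wrapped in `<pre class="language-bash">`, so it will be highlighted as bash. Use a PowerShell language class (or none) for that block, and capitalise "powershell profile" in the following paragraph to match the "PowerShell" spelling this hunk introduces in the summary line.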
@ -131,18 +127,16 @@ to your powershell profile.
</table>
<h3 id="pilot-discovery-completion-zsh">pilot-discovery completion zsh</h3>
<p>Generate the autocompletion script for the zsh shell.</p>
<p>If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:</p>
<p> echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-discovery completion zsh)</p>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-discovery completion zsh &gt; &#34;${fpath[1]}/_pilot-discovery&#34;</p>
<p>#### macOS:</p>
<p> pilot-discovery completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-discovery</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<p>If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:</p>
<pre class="language-bash"><code>echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</code></pre>
<p>To load completions in your current shell session:</p>
<pre class="language-bash"><code>source &lt;(pilot-discovery completion zsh)</code></pre>
<p>To load completions for every new session, execute once:</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-discovery completion zsh &gt; &#34;${fpath[1]}/_pilot-discovery&#34;</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-discovery completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-discovery</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-discovery completion zsh [flags]
</code></pre>
<table class="command-flags">
@ -282,26 +276,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -424,7 +398,7 @@ Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_R
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>pilot-discovery</code> command. Please use with caution as these environment variables are experimental and can change anytime.
These environment variables affect the behavior of the <code>pilot-discovery</code> command.
<table class="envvars">
<thead>
<tr>
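Review bot: Dropping "Please use with caution as these environment variables are experimental and can change anytime" sits oddly next to the rest of this diff, which deletes `PILOT_ENABLE_STATUS`, `VERIFY_CERTIFICATE_AT_CLIENT`, `ENABLE_EXTERNAL_NAME_ALIAS` and `PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING` and changes the default of `ENABLE_INBOUND_RETRY_POLICY`. If variables can still be removed or re-defaulted between releases, keep a stability caveat in the intro sentence.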
@ -550,6 +524,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and &gt; 1 worker thread</td>
</tr>
<tr>
<td><code>ENABLE_DEFERRED_STATS_CREATION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Istio will lazily initialize a subset of the stats</td>
</tr>
<tr>
<td><code>ENABLE_DELIMITED_STATS_TAG_REGEX</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -562,12 +542,6 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.</td>
</tr>
<tr>
<td><code>ENABLE_EXTERNAL_NAME_ALIAS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.</td>
</tr>
<tr>
<td><code>ENABLE_HCM_INTERNAL_NETWORKS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -576,7 +550,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<tr>
<td><code>ENABLE_INBOUND_RETRY_POLICY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.</td>
</tr>
<tr>
@ -652,6 +626,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.</td>
</tr>
<tr>
<td><code>EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, excludes unsafe retry on 503 from default retry policy.</td>
</tr>
<tr>
<td><code>EXTERNAL_CA</code></td>
<td>String</td>
<td><code></code></td>
@ -920,12 +900,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1142,12 +1116,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, HBONE support can be configured for proxies.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TELEMETRY_LABEL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1370,6 +1338,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.</td>
</tr>
<tr>
<td><code>REQUIRE_3P_TOKEN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1460,12 +1434,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.</td>
</tr>
<tr>
<td><code>VERIFY_CERTIFICATE_AT_CLIENT</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.</td>
</tr>
<tr>
<td><code>XDS_AUTH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1491,14 +1459,14 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<tr><td><code>auto_registration_unregister_total</code></td><td><code>Sum</code></td><td>Total number of unregistrations.</td></tr>
<tr><td><code>auto_registration_updates_total</code></td><td><code>Sum</code></td><td>Total number of auto registration updates.</td></tr>
<tr><td><code>citadel_server_authentication_failure_count</code></td><td><code>Sum</code></td><td>The number of authentication failures.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the Istio Generated cert chain will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Istio generated cert chain will expire.</td></tr>
<tr><td><code>citadel_server_csr_count</code></td><td><code>Sum</code></td><td>The number of CSRs received by Citadel server.</td></tr>
<tr><td><code>citadel_server_csr_parsing_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when parsing the CSR.</td></tr>
<tr><td><code>citadel_server_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_server_id_extraction_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when extracting the ID from CSR.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the root certificate will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the root cert will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when the root cert will expire.</td></tr>
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>controller_sync_errors_total</code></td><td><code>Sum</code></td><td>Total number of errorMetric syncing controllers.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
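Review bot: The two rewritten cert-chain descriptions disagree on wording: `citadel_server_cert_chain_expiry_seconds` says "Istio Generated cert chain" and `citadel_server_cert_chain_expiry_timestamp` says "Istio generated cert chain"; pick one capitalisation. Dropping "A negative time indicates the cert is expired" from the two `_timestamp` rows is right for a unix timestamp, but those rows now give no hint of how to tell that a cert has expired, so consider pointing to the matching `_seconds` metric.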

View File

@ -231,17 +231,10 @@ No
<td><code><a href="#MeshConfig-OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application. If your application uses one or
more external services that are not known apriori, setting the
policy to <code>ALLOW_ANY</code> will cause the sidecars to route any unknown
traffic originating from the application to its requested
destination. Users are strongly encouraged to use ServiceEntries
to explicitly declare any external dependencies, instead of using
<code>ALLOW_ANY</code>, so that traffic to these services can be
monitored. Can be overridden at a Sidecar level by setting the
<code>OutboundTrafficPolicy</code> in the <a href="/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar
API</a>.
Default mode is <code>ALLOW_ANY</code> which means outbound traffic to unknown destinations will be allowed.</p>
traffic from the application.</p>
<p>Can be overridden at a Sidecar level by setting the <code>OutboundTrafficPolicy</code> in the
<a href="/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar API</a>.</p>
<p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>
</td>
<td>
@ -464,7 +457,8 @@ By default, Istio emits statistics with the pattern <code>inbound|&lt;port&gt;|&
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
<ul>
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE%</code> - Will be substituted with short hostname of the service.</li>
<li><code>%SERVICE_NAME%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
<li><code>%TARGET_PORT%</code> - Will be substituted with the target port of the service.</li>
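Review bot: `%SERVICE%` changes meaning from "name of the service" to "short hostname of the service" and `%SERVICE_NAME%` takes over the old wording, but the list does not say how the two differ. Add the expansion of each variable for the example already given above, `reviews.prod.svc.cluster.local`, so existing patterns that use `%SERVICE%` can be checked for a change in emitted stat names. The same applies to the outbound list in the next hunk.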
@ -491,7 +485,8 @@ By default, Istio emits statistics with the pattern <code>outbound|&lt;port&gt;|
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
<ul>
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE%</code> - Will be substituted with short hostname of the service.</li>
<li><code>%SERVICE_NAME%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
<li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li>
@ -815,6 +810,9 @@ No
</section>
<h2 id="MeshConfig-OutboundTrafficPolicy">MeshConfig.OutboundTrafficPolicy</h2>
<section>
<p><code>OutboundTrafficPolicy</code> sets the default behavior of the sidecar for
handling unknown outbound traffic from the application.</p>
<table class="message-fields">
<thead>
<tr>
@ -4406,16 +4404,21 @@ No
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries</p>
<p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p>
<p>Note: Istio <a href="/docs/ops/best-practices/security/#understand-traffic-capture-limitations">does not offer an outbound traffic security policy</a>.
This option does not act as one, or as any form of an outbound firewall.
Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p>
</td>
</tr>
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port</p>
<p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
Unknown destination traffic will have limited functionality, however, such as reduced observability.
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p>
</td>
</tr>
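Review bot: "Traffic destinations must be explicitly declared into the service registry through `ServiceEntry` configurations" reads as if only `ServiceEntry` destinations are reachable in `REGISTRY_ONLY` mode, whereas the text it replaces allowed "services defined in the service registry as well as those defined through ServiceEntries". Reword so that services already in the registry are clearly still allowed; "declared in" rather than "declared into" also reads better.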

View File

@ -1,5 +1,4 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: IstioOperator Options
description: Configuration affecting Istio control plane installation version and shape.
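Review bot: The "AUTO-GENERATED FILE, DO NOT EDIT" warning is removed from the front matter while `source_repo: https://github.com/istio/api` and, a few lines further down, `generator: protoc-gen-docs` stay. If the page is now maintained by hand, drop or update those two keys; if it is still generated, keep the warning so manual edits are not lost on the next regeneration.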
@ -9,11 +8,9 @@ generator: protoc-gen-docs
weight: 20
number_of_entries: 74
---
<p>Configuration affecting Istio control plane installation version and shape.
Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests.
Without camelCase, the <code>json</code> tag on the Go struct will not match the user&rsquo;s JSON representation.
This leads to Kubernetes merge libraries, which rely on this tag, to fail.
All other usages use jsonpb which does not use the <code>json</code> tag.</p>
<p>Configuration affecting Istio control plane installation version and shape. This resource is passed as a file input
to <code>istioctl install</code> and <code>istioctl manifest generate</code>; while it has a similar format as Kubernetes objects, it is not applied to the cluster.
</p>
<h2 id="IstioOperatorSpec">IstioOperatorSpec</h2>
<section>
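Review bot: In the new intro paragraph, "it has a similar format as Kubernetes objects" should read "a format similar to Kubernetes objects", and the closing `</p>` is left on a line of its own. `number_of_entries: 74` is also unchanged although later hunks in this file delete the `InstallStatus`, `ExternalComponentSpec`, `InstallStatus.VersionStatus` and `InstallStatus.Status` sections; check that the count is still right.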
@ -181,19 +178,6 @@ No
<td>
<p>Unvalidated overrides for default <code>values.yaml</code>. Used for custom templates where new parameters are added.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioOperatorSpec-addonComponents" class="deprecated ">
<td><code>addonComponents</code></td>
<td><code>map&lt;string,&nbsp;<a href="#ExternalComponentSpec">ExternalComponentSpec</a>&gt;</code></td>
<td>
<p>Deprecated.
Users should manage the installation of addon components on their own.
Refer to samples/addons for demo installation of addon components.</p>
</td>
<td>
No
@ -202,65 +186,7 @@ No
</tbody>
</table>
</section>
<h2 id="InstallStatus">InstallStatus</h2>
<section>
<p>Observed state of IstioOperator</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="InstallStatus-status">
<td><code>status</code></td>
<td><code><a href="#InstallStatus-Status">Status</a></code></td>
<td>
<p>Overall status of all components controlled by the operator.</p>
<ul>
<li>If all components have status <code>NONE</code>, overall status is <code>NONE</code>.</li>
<li>If all components are <code>HEALTHY</code>, overall status is <code>HEALTHY</code>.</li>
<li>If one or more components are <code>RECONCILING</code> and others are <code>HEALTHY</code>, overall status is <code>RECONCILING</code>.</li>
<li>If one or more components are <code>UPDATING</code> and others are <code>HEALTHY</code>, overall status is <code>UPDATING</code>.</li>
<li>If components are a mix of <code>RECONCILING</code>, <code>UPDATING</code> and <code>HEALTHY</code>, overall status is <code>UPDATING</code>.</li>
<li>If any component is in <code>ERROR</code> state, overall status is <code>ERROR</code>.</li>
<li>If further action is needed for reconciliation to proceed, overall status is <code>ACTION_REQUIRED</code>.</li>
</ul>
</td>
<td>
No
</td>
</tr>
<tr id="InstallStatus-message">
<td><code>message</code></td>
<td><code>string</code></td>
<td>
<p>Optional message providing additional information about the existing overall status.</p>
</td>
<td>
No
</td>
</tr>
<tr id="InstallStatus-componentStatus">
<td><code>componentStatus</code></td>
<td><code>map&lt;string,&nbsp;<a href="#InstallStatus-VersionStatus">VersionStatus</a>&gt;</code></td>
<td>
<p>Individual status of each component controlled by the operator. The map key is the name of the component.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="IstioComponentSetSpec">IstioComponentSetSpec</h2>
<section>
<p>IstioComponentSpec defines the desired installed state of Istio components.</p>
@ -465,89 +391,7 @@ No
</tbody>
</table>
</section>
<h2 id="ExternalComponentSpec">ExternalComponentSpec</h2>
<section>
<p>Configuration for external components.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ExternalComponentSpec-enabled">
<td><code>enabled</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>Selects whether this component is installed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ExternalComponentSpec-namespace">
<td><code>namespace</code></td>
<td><code>string</code></td>
<td>
<p>Namespace for the component.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ExternalComponentSpec-spec">
<td><code>spec</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>Arbitrary install time configuration for the component.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ExternalComponentSpec-chartPath">
<td><code>chartPath</code></td>
<td><code>string</code></td>
<td>
<p>Chart path for addon components.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ExternalComponentSpec-schema">
<td><code>schema</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#any">Any</a></code></td>
<td>
<p>Optional schema to validate spec against.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ExternalComponentSpec-k8s">
<td><code>k8s</code></td>
<td><code><a href="#KubernetesResourcesSpec">KubernetesResourcesSpec</a></code></td>
<td>
<p>Kubernetes resource spec.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="GatewaySpec">GatewaySpec</h2>
<section>
<p>Configuration for gateways.</p>
@ -3699,50 +3543,7 @@ No
</tbody>
</table>
</section>
<h2 id="InstallStatus-VersionStatus">InstallStatus.VersionStatus</h2>
<section>
<p>VersionStatus is the status and version of a component.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="InstallStatus-VersionStatus-version">
<td><code>version</code></td>
<td><code>string</code></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="InstallStatus-VersionStatus-status">
<td><code>status</code></td>
<td><code><a href="#InstallStatus-Status">Status</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="InstallStatus-VersionStatus-error">
<td><code>error</code></td>
<td><code>string</code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="K8sObjectOverlay-PathValue">K8sObjectOverlay.PathValue</h2>
<section>
<table class="message-fields">
@ -4052,62 +3853,3 @@ No
</tbody>
</table>
</section>
<h2 id="InstallStatus-Status">InstallStatus.Status</h2>
<section>
<p>Status describes the current state of a component.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="InstallStatus-Status-NONE">
<td><code>NONE</code></td>
<td>
<p>Component is not present.</p>
</td>
</tr>
<tr id="InstallStatus-Status-UPDATING">
<td><code>UPDATING</code></td>
<td>
<p>Component is being updated to a different version.</p>
</td>
</tr>
<tr id="InstallStatus-Status-RECONCILING">
<td><code>RECONCILING</code></td>
<td>
<p>Controller has started but not yet completed reconciliation loop for the component.</p>
</td>
</tr>
<tr id="InstallStatus-Status-HEALTHY">
<td><code>HEALTHY</code></td>
<td>
<p>Component is healthy.</p>
</td>
</tr>
<tr id="InstallStatus-Status-ERROR">
<td><code>ERROR</code></td>
<td>
<p>Component is in an error state.</p>
</td>
</tr>
<tr id="InstallStatus-Status-ACTION_REQUIRED">
<td><code>ACTION_REQUIRED</code></td>
<td>
<p>Overall status only and would not be set as a component status.
Action is needed from the user for reconciliation to proceed
e.g. There are proxies still pointing to the control plane revision when try to remove an <code>IstioOperator</code> CR.</p>
</td>
</tr>
</tbody>
</table>
</section>

View File

@ -397,13 +397,9 @@ No
<td><code>outboundTrafficPolicy</code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>Configuration for the outbound traffic policy. If your
application uses one or more external services that are not known
apriori, setting the policy to <code>ALLOW_ANY</code> will cause the
sidecars to route any unknown traffic originating from the
application to its requested destination. If not specified,
inherits the system detected defaults from the namespace-wide or
the global default Sidecar.</p>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application.</p>
<p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>
</td>
<td>
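Review bot: The replacement text for the Sidecar `outboundTrafficPolicy` field says "Default mode is `ALLOW_ANY`", but the sentence it deletes said an unspecified value "inherits the system detected defaults from the namespace-wide or the global default Sidecar". If inheritance still applies to this field, the new wording is misleading for meshes whose mesh-wide policy is `REGISTRY_ONLY`; keep the inheritance sentence and state `ALLOW_ANY` only as the mesh-wide default.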
@ -661,14 +657,7 @@ No
<h2 id="OutboundTrafficPolicy">OutboundTrafficPolicy</h2>
<section>
<p><code>OutboundTrafficPolicy</code> sets the default behavior of the sidecar for
handling outbound traffic from the application.
If your application uses one or more external
services that are not known apriori, setting the policy to <code>ALLOW_ANY</code>
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use <code>ServiceEntry</code> configurations to explicitly declare any external
dependencies, instead of using <code>ALLOW_ANY</code>, so that traffic to these
services can be monitored.</p>
handling unknown outbound traffic from the application.</p>
<table class="message-fields">
<thead>
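Review bot: The shortened `OutboundTrafficPolicy` summary removes the recommendation to declare external dependencies with `ServiceEntry` rather than relying on `ALLOW_ANY`, "so that traffic to these services can be monitored". The new `ALLOW_ANY` row further down only mentions "reduced observability" in passing, so the guidance itself is gone. Consider keeping one sentence of that recommendation here, since `ALLOW_ANY` is now stated as the default.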
@ -758,16 +747,21 @@ No
<tr id="OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>Outbound traffic will be restricted to services defined in the
service registry as well as those defined through <code>ServiceEntry</code> configurations.</p>
<p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p>
<p>Note: Istio <a href="/docs/ops/best-practices/security/#understand-traffic-capture-limitations">does not offer an outbound traffic security policy</a>.
This option does not act as one, or as any form of an outbound firewall.
Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p>
</td>
</tr>
<tr id="OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>Outbound traffic to unknown destinations will be allowed, in case
there are no services or <code>ServiceEntry</code> configurations for the destination port.</p>
<p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
Unknown destination traffic will have limited functionality, however, such as reduced observability.
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p>
</td>
</tr>
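Review bot: In the `REGISTRY_ONLY` row the first new paragraph says unknown outbound traffic "will be dropped" while the note directly below says the option is not an outbound firewall; a reader skimming the table will take the first sentence as an enforcement guarantee. Suggest leading the cell with the purpose given in the note (detecting missing `ServiceEntry` configurations by failing explicitly) and describing the drop behaviour after it. Wording nits: "declared into the service registry" should be "declared in", and in the `ALLOW_ANY` row "will have limited functionality, however, such as reduced observability" reads better without "however".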

View File

@ -211,7 +211,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>
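Review bot: The new `kind: Service` bullet lists `group: ""` and `group: "core"` without saying that both name the same group or which spelling the docs prefer. Add a short clause stating they are equivalent (if that is the intent) so users do not assume two distinct attachment targets. The identical bullet recurs in the next three files of this commit and should get the same wording.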

View File

@ -235,7 +235,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

View File

@ -240,7 +240,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

View File

@ -229,7 +229,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

View File

@ -8,6 +8,8 @@ aliases:
- /docs/setup/kubernetes/quick-start.html
- /docs/setup/kubernetes/download-release/
- /docs/setup/kubernetes/download/
- /docs/setup/install/operator/
- /latest/docs/setup/install/operator/
keywords: [kubernetes,install,quick-start,setup,installation]
test: table-of-contents
---
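Review bot: The two added aliases cover `/docs/setup/install/operator/` only; the operator page deleted further down in this commit also declared `/docs/setup/install/standalone-operator` as an alias, and that path is not among the lines shown here. Unless it already appears earlier in this list, add it so older links keep resolving. Also worth confirming that `/latest/docs/setup/install/operator/` needs an explicit entry, since it is the only `/latest/`-prefixed alias in the visible list.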

View File

@ -26,7 +26,7 @@ curl -L https://istio.io/downloadIstio | sh -
}
snip_download_istio_2() {
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.23.0 TARGET_ARCH=x86_64 sh -
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.24.0 TARGET_ARCH=x86_64 sh -
}
snip_download_istio_4() {

View File

@ -54,7 +54,7 @@ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
}
snip_deploy_the_sample_application_1() {
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
}
! IFS=$'\n' read -r -d '' snip_deploy_the_sample_application_1_out <<\ENDSNIP
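Review bot: `snip_deploy_the_sample_application_1` now applies the Bookinfo manifest from the moving `master` ref instead of `release-1.23`, so what `kubectl apply` installs can change between runs. That is expected on the development branch, but the URL has to be pinned back to a release branch when the docs are cut; a comment or tracking item to that effect would help.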

View File

@ -225,15 +225,16 @@ and installing the sidecar injector webhook configuration on the remote cluster
{{< text bash >}}
$ kubectl create namespace external-istiod --context="${CTX_REMOTE_CLUSTER}"
$ istioctl manifest generate -f remote-config-cluster.yaml --set values.defaultRevision=default | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
$ istioctl install -f remote-config-cluster.yaml --set values.defaultRevision=default --context="${CTX_REMOTE_CLUSTER}"
{{< /text >}}
1. Confirm that the remote cluster's injection webhook configuration has been installed:
{{< text bash >}}
$ kubectl get mutatingwebhookconfiguration --context="${CTX_REMOTE_CLUSTER}"
NAME WEBHOOKS AGE
istio-sidecar-injector-external-istiod 4 6m24s
NAME WEBHOOKS AGE
istio-revision-tag-default-external-istiod 4 2m2s
istio-sidecar-injector-external-istiod 4 2m5s
{{< /text >}}
1. Confirm that the remote cluster's validation webhook configurations have been installed:
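Review bot: The expected output under "Confirm that the remote cluster's injection webhook configuration has been installed" now lists a second entry, `istio-revision-tag-default-external-istiod`, that the step text does not explain. Add a sentence saying it results from `--set values.defaultRevision=default` (if that is the cause), so readers auditing mutating webhooks on the remote cluster know both entries are expected. Separately, the new `istioctl install` line has no `-y` while the `istioctl uninstall` lines in the cleanup hunks do; please check that the install does not wait on a confirmation prompt when the snippet runs unattended.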
@ -774,7 +775,7 @@ $ export SECOND_CLUSTER_NAME=<your second remote cluster name>
1. Install the configuration on the remote cluster:
{{< text bash >}}
$ istioctl manifest generate -f second-remote-cluster.yaml | kubectl apply --context="${CTX_SECOND_CLUSTER}" -f -
$ istioctl install -f second-remote-cluster.yaml --context="${CTX_SECOND_CLUSTER}"
{{< /text >}}
1. Confirm that the remote cluster's injection webhook configuration has been installed:
@ -895,7 +896,7 @@ Clean up the external control plane cluster:
{{< text bash >}}
$ kubectl delete -f external-istiod-gw.yaml --context="${CTX_EXTERNAL_CLUSTER}"
$ istioctl uninstall -y --purge --context="${CTX_EXTERNAL_CLUSTER}"
$ istioctl uninstall -y --purge -f external-istiod.yaml --context="${CTX_EXTERNAL_CLUSTER}"
$ kubectl delete ns istio-system external-istiod --context="${CTX_EXTERNAL_CLUSTER}"
$ rm controlplane-gateway.yaml external-istiod.yaml external-istiod-gw.yaml
{{< /text >}}
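Review bot: The external-cluster cleanup now passes `-f external-istiod.yaml` together with `--purge`, but the text does not say what the file contributes once `--purge` is set. A one-line explanation would help, along with a reminder that the uninstall must run before the `rm controlplane-gateway.yaml external-istiod.yaml external-istiod-gw.yaml` line, since the command now depends on that file still being present.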
@ -904,7 +905,7 @@ Clean up the remote config cluster:
{{< text bash >}}
$ kubectl delete ns sample --context="${CTX_REMOTE_CLUSTER}"
$ istioctl manifest generate -f remote-config-cluster.yaml --set values.defaultRevision=default | kubectl delete --context="${CTX_REMOTE_CLUSTER}" -f -
$ istioctl uninstall -y --purge -f remote-config-cluster.yaml --set values.defaultRevision=default --context="${CTX_REMOTE_CLUSTER}"
$ kubectl delete ns external-istiod --context="${CTX_REMOTE_CLUSTER}"
$ rm remote-config-cluster.yaml istio-ingressgateway.yaml
$ rm istio-egressgateway.yaml eastwest-gateway-1.yaml || true
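Review bot: The remote config cluster cleanup changes scope: the old line deleted exactly the objects rendered from `remote-config-cluster.yaml`, while the new `istioctl uninstall -y --purge ...` is not limited to that manifest. If the remote cluster can carry other Istio resources, say so in the step text, or drop `--purge` and rely on `-f remote-config-cluster.yaml` alone.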
@ -914,7 +915,7 @@ Clean up the optional second remote cluster if you installed it:
{{< text bash >}}
$ kubectl delete ns sample --context="${CTX_SECOND_CLUSTER}"
$ istioctl manifest generate -f second-remote-cluster.yaml | kubectl delete --context="${CTX_SECOND_CLUSTER}" -f -
$ istioctl uninstall -y --purge -f second-remote-cluster.yaml --context="${CTX_SECOND_CLUSTER}"
$ kubectl delete ns external-istiod --context="${CTX_SECOND_CLUSTER}"
$ rm second-remote-cluster.yaml eastwest-gateway-2.yaml
{{< /text >}}

View File

@ -105,7 +105,7 @@ sed -i'.bk' \
snip_set_up_the_remote_config_cluster_3() {
kubectl create namespace external-istiod --context="${CTX_REMOTE_CLUSTER}"
istioctl manifest generate -f remote-config-cluster.yaml --set values.defaultRevision=default | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
istioctl install -f remote-config-cluster.yaml --set values.defaultRevision=default --context="${CTX_REMOTE_CLUSTER}"
}
snip_set_up_the_remote_config_cluster_4() {
@ -113,8 +113,9 @@ kubectl get mutatingwebhookconfiguration --context="${CTX_REMOTE_CLUSTER}"
}
! IFS=$'\n' read -r -d '' snip_set_up_the_remote_config_cluster_4_out <<\ENDSNIP
NAME WEBHOOKS AGE
istio-sidecar-injector-external-istiod 4 6m24s
NAME WEBHOOKS AGE
istio-revision-tag-default-external-istiod 4 2m2s
istio-sidecar-injector-external-istiod 4 2m5s
ENDSNIP
snip_set_up_the_remote_config_cluster_5() {
@ -476,7 +477,7 @@ kubectl annotate namespace external-istiod "topology.istio.io/controlPlaneCluste
}
snip_register_the_new_cluster_4() {
istioctl manifest generate -f second-remote-cluster.yaml | kubectl apply --context="${CTX_SECOND_CLUSTER}" -f -
istioctl install -f second-remote-cluster.yaml --context="${CTX_SECOND_CLUSTER}"
}
snip_register_the_new_cluster_5() {
@ -582,14 +583,14 @@ ENDSNIP
snip_cleanup_1() {
kubectl delete -f external-istiod-gw.yaml --context="${CTX_EXTERNAL_CLUSTER}"
istioctl uninstall -y --purge --context="${CTX_EXTERNAL_CLUSTER}"
istioctl uninstall -y --purge -f external-istiod.yaml --context="${CTX_EXTERNAL_CLUSTER}"
kubectl delete ns istio-system external-istiod --context="${CTX_EXTERNAL_CLUSTER}"
rm controlplane-gateway.yaml external-istiod.yaml external-istiod-gw.yaml
}
snip_cleanup_2() {
kubectl delete ns sample --context="${CTX_REMOTE_CLUSTER}"
istioctl manifest generate -f remote-config-cluster.yaml --set values.defaultRevision=default | kubectl delete --context="${CTX_REMOTE_CLUSTER}" -f -
istioctl uninstall -y --purge -f remote-config-cluster.yaml --set values.defaultRevision=default --context="${CTX_REMOTE_CLUSTER}"
kubectl delete ns external-istiod --context="${CTX_REMOTE_CLUSTER}"
rm remote-config-cluster.yaml istio-ingressgateway.yaml
rm istio-egressgateway.yaml eastwest-gateway-1.yaml || true
@ -597,7 +598,7 @@ rm istio-egressgateway.yaml eastwest-gateway-1.yaml || true
snip_cleanup_3() {
kubectl delete ns sample --context="${CTX_SECOND_CLUSTER}"
istioctl manifest generate -f second-remote-cluster.yaml | kubectl delete --context="${CTX_SECOND_CLUSTER}" -f -
istioctl uninstall -y --purge -f second-remote-cluster.yaml --context="${CTX_SECOND_CLUSTER}"
kubectl delete ns external-istiod --context="${CTX_SECOND_CLUSTER}"
rm second-remote-cluster.yaml eastwest-gateway-2.yaml
}

View File

@ -151,8 +151,7 @@ for example `helm show values istio/gateway`.
### Migrating from non-Helm installations
If you're migrating from a version of Istio installed using `istioctl` or
Operator to Helm (Istio 1.5 or earlier), you need to delete your current Istio
If you're migrating from a version of Istio installed using `istioctl` to Helm (Istio 1.5 or earlier), you need to delete your current Istio
control plane resources and re-install Istio using Helm as described above. When
deleting your current Istio installation, you must not remove the Istio Custom Resource
Definitions (CRDs) as that can lead to loss of your custom Istio resources.
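Review bot: After removing "or Operator", the parenthetical "(Istio 1.5 or earlier)" sits directly after "to Helm", so the sentence reads as if Helm were the 1.5-or-earlier part. Move it next to what it qualifies, for example "from a version of Istio (1.5 or earlier) installed using `istioctl`" if that is the intended meaning, and rewrap the paragraph, since the new first line is much longer than the lines that follow.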
@ -162,10 +161,7 @@ It is highly recommended to take a backup of your Istio resources using steps
described above before deleting current Istio installation in your cluster.
{{< /warning >}}
You can follow steps mentioned in the
[Istioctl uninstall guide](/docs/setup/install/istioctl#uninstall-istio) or
[Operator uninstall guide](/docs/setup/install/operator/#uninstall)
depending upon your installation method.
You can follow steps mentioned in the [Istioctl uninstall guide](/docs/setup/install/istioctl#uninstall-istio).
## Uninstall
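Review bot: With the Operator uninstall link removed, clusters that were installed through the operator no longer get any pointer for the "delete your current Istio control plane resources" step in this section. Either add a short note on how operator-managed installs should be removed before moving to Helm, or state that they are out of scope for this guide. Minor: the remaining link `/docs/setup/install/istioctl#uninstall-istio` lacks the trailing slash before `#` that the removed operator link had.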

View File

@ -35,7 +35,7 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_installation_steps_4_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0
ENDSNIP
snip_install_discovery() {
@ -48,8 +48,8 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_installation_steps_6_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0
ENDSNIP
snip_installation_steps_7() {
@ -93,7 +93,7 @@ kubectl get deployments -n istio-system --output wide
! IFS=$'\n' read -r -d '' snip_installation_steps_8_out <<\ENDSNIP
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.23.0 istio=pilot
istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.24.0 istio=pilot
ENDSNIP
snip_install_ingressgateway() {
@ -107,8 +107,8 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_helm_ls_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0
ENDSNIP
snip_delete_delete_gateway_charts() {

View File

@ -259,14 +259,14 @@ sleep-78ff5975c6-nxtth.app-ns-3 Kubernetes SYNCED SYNCED SYNCED
1. Clean up the first usergroup:
{{< text bash >}}
$ istioctl uninstall --revision usergroup-1
$ istioctl uninstall --revision usergroup-1 --set values.global.istioNamespace=usergroup-1
$ kubectl delete ns app-ns-1 usergroup-1
{{< /text >}}
1. Clean up the second usergroup:
{{< text bash >}}
$ istioctl uninstall --revision usergroup-2
$ istioctl uninstall --revision usergroup-2 --set values.global.istioNamespace=usergroup-2
$ kubectl delete ns app-ns-2 app-ns-3 usergroup-2
{{< /text >}}
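Review bot: Both cleanup commands gain `--set values.global.istioNamespace=...` (`usergroup-1` and `usergroup-2`), but the steps do not say why it is needed. Add a sentence explaining that the control planes in this guide live outside the default namespace and the uninstall has to be told where to look (if that is the reason), so readers adapting the command to their own revisions keep the flag.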

View File

@ -239,11 +239,11 @@ x-envoy-upstream-service-time: 3
ENDSNIP
snip_cleanup_1() {
istioctl uninstall --revision usergroup-1
istioctl uninstall --revision usergroup-1 --set values.global.istioNamespace=usergroup-1
kubectl delete ns app-ns-1 usergroup-1
}
snip_cleanup_2() {
istioctl uninstall --revision usergroup-2
istioctl uninstall --revision usergroup-2 --set values.global.istioNamespace=usergroup-2
kubectl delete ns app-ns-2 app-ns-3 usergroup-2
}

View File

@ -1,357 +0,0 @@
---
title: Istio Operator Install
description: Instructions to install Istio in a Kubernetes cluster using the Istio operator.
weight: 99
keywords: [kubernetes, operator]
aliases:
- /docs/setup/install/standalone-operator
owner: istio/wg-environments-maintainers
test: yes
status: Beta
---
{{< warning >}}
Use of the operator for new Istio installations is discouraged in favor of the [Istioctl](/docs/setup/install/istioctl)
and [Helm](/docs/setup/install/helm) installation methods. While the operator will continue to be supported,
new feature requests will not be prioritized.
{{< /warning >}}
Instead of manually installing, upgrading, and uninstalling Istio,
you can instead let the Istio [operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
manage the installation for you.
This relieves you of the burden of managing different `istioctl` versions.
Simply update the operator {{<gloss CRDs>}}custom resource (CR){{</gloss>}} and the
operator controller will apply the corresponding configuration changes for you.
The same [`IstioOperator` API](/docs/reference/config/istio.operator.v1alpha1/) is used
to install Istio with the operator as when using the [istioctl install instructions](/docs/setup/install/istioctl).
In both cases, configuration is validated against a schema and the same correctness
checks are performed.
{{< warning >}}
Using an operator does have a security implication.
With the `istioctl install` command, the operation will run in the admin users security context,
whereas with an operator, an in-cluster pod will run the operation in its security context.
To avoid a vulnerability, ensure that the operator deployment is sufficiently secured.
{{< /warning >}}
## Prerequisites
1. Perform any necessary [platform-specific setup](/docs/setup/platform-setup/).
1. Check the [Requirements for Pods and Services](/docs/ops/deployment/application-requirements/).
1. Install the [{{< istioctl >}} command](/docs/ops/diagnostic-tools/istioctl/).
## Install
### Deploy the Istio operator
The `istioctl` command can be used to automatically deploy the Istio operator:
{{< text syntax=bash snip_id=deploy_istio_operator >}}
$ istioctl operator init
{{< /text >}}
This command runs the operator by creating the following resources in the `istio-operator` namespace:
- The operator custom resource definition
- The operator controller deployment
- A service to access operator metrics
- Necessary Istio operator RBAC rules
You can configure which namespace the operator controller is installed in, the namespace(s) the operator watches, the installed Istio image sources and versions, and more. For example, you can pass one or more namespaces to watch using the `--watchedNamespaces` flag:
{{< text syntax=bash snip_id=deploy_istio_operator_watch_ns >}}
$ istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
{{< /text >}}
See the [`istioctl operator init` command reference](/docs/reference/commands/istioctl/#istioctl-operator-init) for details.
{{< tip >}}
You can alternatively deploy the operator using Helm:
1. Create a namespace `istio-operator`.
{{< text syntax=bash snip_id=create_ns_istio_operator >}}
$ kubectl create namespace istio-operator
{{< /text >}}
2) Install operator using Helm.
{{< text syntax=bash snip_id=deploy_istio_operator_helm >}}
$ helm install istio-operator manifests/charts/istio-operator \
--set watchedNamespaces="istio-namespace1\,istio-namespace2" \
-n istio-operator
{{< /text >}}
Note that you need to [download the Istio release](/docs/setup/additional-setup/download-istio-release/)
to run the above command.
{{< /tip >}}
{{< warning >}}
Prior to Istio 1.10.0, the namespace `istio-system` needed to be created before installing the operator. As of Istio 1.10.0, the `istioctl operator init` will create the `istio-system` namespace.
If you use something other than `istioctl operator init`, then the `istio-system` namespace needs to be created manually.
{{< /warning >}}
### Install Istio with the operator
With the operator installed, you can now create a mesh by deploying an `IstioOperator` resource.
To install the Istio `demo` [configuration profile](/docs/setup/additional-setup/config-profiles/)
using the operator, run the following command:
{{< text syntax=bash snip_id=install_istio_demo_profile >}}
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: demo
EOF
{{< /text >}}
The controller will detect the `IstioOperator` resource and then install the Istio
components corresponding to the specified (`demo`) configuration.
{{< warning >}}
If you used `--watchedNamespaces` when you initialized the Istio operator, apply the `IstioOperator` resource in one of the watched namespaces, instead of in `istio-system`.
{{< /warning >}}
The Istio control plane (istiod) will be installed in the `istio-system` namespace by default. To install it in a different location, specify the namespace using the `values.global.istioNamespace` field as follows:
{{< text syntax=yaml snip_id=none >}}
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
...
spec:
profile: demo
values:
global:
istioNamespace: istio-namespace1
{{< /text >}}
{{< tip >}}
The Istio operator controller begins the process of installing Istio within 90 seconds of
the creation of the `IstioOperator` resource. The Istio installation completes within 120
seconds.
{{< /tip >}}
You can confirm the Istio control plane services have been deployed with the following commands:
{{< text syntax=bash snip_id=kubectl_get_svc >}}
$ kubectl get services -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 10.96.65.145 <none> ... 30s
istio-ingressgateway LoadBalancer 10.96.189.244 192.168.11.156 ... 30s
istiod ClusterIP 10.96.189.20 <none> ... 37s
{{< /text >}}
{{< text syntax=bash snip_id=kubectl_get_pods >}}
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-696cccb5-m8ndk 1/1 Running 0 68s
istio-ingressgateway-86cb4b6795-9jlrk 1/1 Running 0 68s
istiod-b47586647-sf6sw 1/1 Running 0 74s
{{< /text >}}
## Update
Now, with the controller running, you can change the Istio configuration by editing or replacing
the `IstioOperator` resource. The controller will detect the change and respond by updating
the Istio installation correspondingly.
For example, you can switch the installation to the `default`
profile with the following command:
{{< text syntax=bash snip_id=update_to_default_profile >}}
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: default
EOF
{{< /text >}}
You can also enable or disable components and modify resource settings.
For example, to enable the `istio-egressgateway` component and increase istiod memory requests:
{{< text syntax=bash snip_id=update_to_default_profile_egress >}}
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: default
components:
pilot:
k8s:
resources:
requests:
memory: 3072Mi
egressGateways:
- name: istio-egressgateway
enabled: true
EOF
{{< /text >}}
You can observe the changes that the controller makes in the cluster in response to `IstioOperator` CR updates by
checking the operator controller logs:
{{< text syntax=bash snip_id=operator_logs >}}
$ kubectl logs -f -n istio-operator "$(kubectl get pods -n istio-operator -lname=istio-operator -o jsonpath='{.items[0].metadata.name}')"
{{< /text >}}
Refer to the [`IstioOperator` API](/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec)
for the complete set of configuration settings.
## In-place Upgrade
Download and extract the `istioctl` corresponding to the version of Istio you wish to upgrade to. Reinstall the operator
at the target Istio version:
{{< text syntax=bash snip_id=inplace_upgrade >}}
$ <extracted-dir>/bin/istioctl operator init
{{< /text >}}
You should see that the `istio-operator` pod has restarted and its version has changed to the target version:
{{< text syntax=bash snip_id=inplace_upgrade_get_pods_istio_operator >}}
$ kubectl get pods --namespace istio-operator \
-o=jsonpath='{range .items[*]}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}'
{{< /text >}}
After a minute or two, the Istio control plane components should also be restarted at the new version:
{{< text syntax=bash snip_id=inplace_upgrade_get_pods_istio_system >}}
$ kubectl get pods --namespace istio-system \
-o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}'
{{< /text >}}
## Canary Upgrade
The process for canary upgrade is similar to the [canary upgrade with `istioctl`](/docs/setup/upgrade/canary/).
For example, to upgrade Istio {{< istio_previous_version >}}.0 to {{< istio_full_version >}}, first install {{< istio_previous_version >}}.0 :
{{< text syntax=bash snip_id=download_istio_previous_version >}}
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION={{< istio_previous_version >}}.0 sh -
{{< /text >}}
Deploy the operator using Istio version {{< istio_previous_version >}}.0:
{{< text syntax=bash snip_id=deploy_operator_previous_version >}}
$ istio-{{< istio_previous_version >}}.0/bin/istioctl operator init
{{< /text >}}
Install Istio control plane demo profile:
{{< text syntax=bash snip_id=install_istio_previous_version >}}
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane-{{< istio_previous_version_revision >}}-0
spec:
profile: default
EOF
{{< /text >}}
Verify that the `IstioOperator` CR named `example-istiocontrolplane` exists in your cluster:
{{< text syntax=bash snip_id=verify_operator_cr >}}
$ kubectl get iop --all-namespaces
NAMESPACE NAME REVISION STATUS AGE
istio-system example-istiocontrolplane{{< istio_previous_version_revision >}}-0 HEALTHY 11m
{{< /text >}}
Download and extract the `istioctl` corresponding to the version of Istio you wish to upgrade to.
Then, run the following command to install the new target revision of the Istio control plane based on the in-cluster
`IstioOperator` CR (here, we assume the target revision is {{< istio_full_version_revision >}}):
{{< text syntax=bash snip_id=canary_upgrade_init >}}
$ istio-{{< istio_full_version >}}/bin/istioctl operator init --revision {{< istio_full_version_revision >}}
{{< /text >}}
{{< tip >}}
You can alternatively use Helm to deploy another operator with a different revision setting:
{{< text syntax=bash snip_id=none >}}
$ helm install istio-operator manifests/charts/istio-operator \
--set watchedNamespaces=istio-system \
-n istio-operator \
--set revision={{< istio_full_version_revision >}}
{{< /text >}}
Note that you need to [download the Istio release](/docs/setup/additional-setup/download-istio-release/)
to run the above command.
{{< /tip >}}
Make a copy of the `example-istiocontrolplane` CR and save it in a file named `example-istiocontrolplane-{{< istio_full_version_revision >}}.yaml`.
Change the name to `example-istiocontrolplane-{{< istio_full_version_revision >}}` and add `revision: {{< istio_full_version_revision >}}` to the CR.
Your updated `IstioOperator` CR should look something like this:
{{< text syntax=bash snip_id=cat_operator_yaml >}}
$ cat example-istiocontrolplane-{{< istio_full_version_revision >}}.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane-{{< istio_full_version_revision >}}
spec:
revision: {{< istio_full_version_revision >}}
profile: default
{{< /text >}}
Apply the updated `IstioOperator` CR to the cluster. After that, you will have two control plane deployments and services running side-by-side:
{{< text syntax=bash snip_id=get_pods_istio_system >}}
$ kubectl get pod -n istio-system -l app=istiod
NAME READY STATUS RESTARTS AGE
istiod-{{< istio_full_version_revision >}}-597475f4f6-bgtcz 1/1 Running 0 64s
istiod-6ffcc65b96-bxzv5 1/1 Running 0 2m11s
{{< /text >}}
{{< text syntax=bash snip_id=get_svc_istio_system >}}
$ kubectl get services -n istio-system -l app=istiod
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istiod ClusterIP 10.104.129.150 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 2m35s
istiod-{{< istio_full_version_revision >}} ClusterIP 10.111.17.49 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s
{{< /text >}}
To complete the upgrade, label the workload namespaces with `istio.io/rev={{< istio_full_version_revision >}}` and restart the workloads, as
explained in the [Data plane upgrade](/docs/setup/upgrade/canary/#data-plane) documentation.
## Uninstall
If you used the operator to perform a canary upgrade of the control plane, you can uninstall the old control plane and keep the new one by deleting the old in-cluster `IstioOperator` CR, which will uninstall the old revision of Istio:
{{< text syntax=bash snip_id=delete_example_istiocontrolplane >}}
$ kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane
{{< /text >}}
Wait until Istio is uninstalled - this may take some time.
Then you can remove the Istio operator for the old revision by running the following command:
{{< text syntax=bash snip_id=none >}}
$ istioctl operator remove --revision <revision>
{{< /text >}}
If you omit the `revision` flag, then all revisions of Istio operator will be removed.
Note that deleting the operator before the `IstioOperator` CR and corresponding Istio revision are fully removed may result in leftover Istio resources.
To clean up anything not removed by the operator:
{{< text syntax=bash snip_id=cleanup >}}
$ istioctl uninstall -y --purge
$ kubectl delete ns istio-system istio-operator
{{< /text >}}
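Review bot: This deletion removes the warning that, with the operator, "an in-cluster pod will run the operation in its security context", together with the `## Uninstall` steps (`istioctl operator remove --revision <revision>`, then `istioctl uninstall -y --purge`). Clusters that already run the operator keep that pod and its RBAC rules after this page is gone, and `/docs/setup/install/operator/` now only redirects elsewhere. Suggest carrying the security warning and the removal steps over to the redirect target or to a migration note, so existing operator users can still find how to take the controller out.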

View File

@ -1,201 +0,0 @@
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/setup/install/operator/index.md
####################################################################################################
snip_deploy_istio_operator() {
istioctl operator init
}
snip_deploy_istio_operator_watch_ns() {
istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
}
snip_create_ns_istio_operator() {
kubectl create namespace istio-operator
}
snip_deploy_istio_operator_helm() {
helm install istio-operator manifests/charts/istio-operator \
--set watchedNamespaces="istio-namespace1\,istio-namespace2" \
-n istio-operator
}
snip_install_istio_demo_profile() {
kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: demo
EOF
}
snip_kubectl_get_svc() {
kubectl get services -n istio-system
}
! IFS=$'\n' read -r -d '' snip_kubectl_get_svc_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 10.96.65.145 <none> ... 30s
istio-ingressgateway LoadBalancer 10.96.189.244 192.168.11.156 ... 30s
istiod ClusterIP 10.96.189.20 <none> ... 37s
ENDSNIP
snip_kubectl_get_pods() {
kubectl get pods -n istio-system
}
! IFS=$'\n' read -r -d '' snip_kubectl_get_pods_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
istio-egressgateway-696cccb5-m8ndk 1/1 Running 0 68s
istio-ingressgateway-86cb4b6795-9jlrk 1/1 Running 0 68s
istiod-b47586647-sf6sw 1/1 Running 0 74s
ENDSNIP
snip_update_to_default_profile() {
kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: default
EOF
}
snip_update_to_default_profile_egress() {
kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: default
components:
pilot:
k8s:
resources:
requests:
memory: 3072Mi
egressGateways:
- name: istio-egressgateway
enabled: true
EOF
}
snip_operator_logs() {
kubectl logs -f -n istio-operator "$(kubectl get pods -n istio-operator -lname=istio-operator -o jsonpath='{.items[0].metadata.name}')"
}
snip_inplace_upgrade() {
<extracted-dir>/bin/istioctl operator init
}
snip_inplace_upgrade_get_pods_istio_operator() {
kubectl get pods --namespace istio-operator \
-o=jsonpath='{range .items[*]}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}'
}
snip_inplace_upgrade_get_pods_istio_system() {
kubectl get pods --namespace istio-system \
-o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}'
}
snip_download_istio_previous_version() {
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.0 sh -
}
snip_deploy_operator_previous_version() {
istio-1.22.0/bin/istioctl operator init
}
snip_install_istio_previous_version() {
kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane-1-22-0
spec:
profile: default
EOF
}
snip_verify_operator_cr() {
kubectl get iop --all-namespaces
}
! IFS=$'\n' read -r -d '' snip_verify_operator_cr_out <<\ENDSNIP
NAMESPACE NAME REVISION STATUS AGE
istio-system example-istiocontrolplane1-22-0 HEALTHY 11m
ENDSNIP
snip_canary_upgrade_init() {
istio-1.23.0/bin/istioctl operator init --revision 1-23-0
}
snip_cat_operator_yaml() {
cat example-istiocontrolplane-1-23-0.yaml
}
! IFS=$'\n' read -r -d '' snip_cat_operator_yaml_out <<\ENDSNIP
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane-1-23-0
spec:
revision: 1-23-0
profile: default
ENDSNIP
snip_get_pods_istio_system() {
kubectl get pod -n istio-system -l app=istiod
}
! IFS=$'\n' read -r -d '' snip_get_pods_istio_system_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
istiod-1-23-0-597475f4f6-bgtcz 1/1 Running 0 64s
istiod-6ffcc65b96-bxzv5 1/1 Running 0 2m11s
ENDSNIP
snip_get_svc_istio_system() {
kubectl get services -n istio-system -l app=istiod
}
! IFS=$'\n' read -r -d '' snip_get_svc_istio_system_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istiod ClusterIP 10.104.129.150 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 2m35s
istiod-1-23-0 ClusterIP 10.111.17.49 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s
ENDSNIP
snip_delete_example_istiocontrolplane() {
kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane
}
snip_cleanup() {
istioctl uninstall -y --purge
kubectl delete ns istio-system istio-operator
}

View File

@ -1,146 +0,0 @@
#!/usr/bin/env bash
# shellcheck disable=SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# @setup profile=none
set -e
set -u
set -o pipefail
source "content/en/boilerplates/snips/args.sh"
fullVersion="${bpsnip_args_istio_full_version}"
fullVersionRevision="${fullVersion//./-}"
previousVersion="${bpsnip_args_istio_previous_version}.0"
previousVersionMinorUpgrade="${previousVersion%.0}.1"
function testOperatorDeployWatchNs(){
# print out body of the function and execute with flag
# this is to avoid using the default public registry
$(type snip_deploy_istio_operator_watch_ns | sed '1,3d;$d') --hub "$HUB"
_wait_for_deployment istio-operator istio-operator
# cleanup required for next steps
istioctl uninstall -y --purge
kubectl delete ns istio-operator istio-namespace1 istio-namespace2
}
function testOperatorDeployHelm(){
snip_create_ns_istio_operator
snip_deploy_istio_operator_helm
_wait_for_deployment istio-operator istio-operator
# cleanup required for next steps
helm uninstall istio-operator -n istio-operator
kubectl delete ns istio-operator
}
function testOperatorDeploy(){
$(type snip_deploy_istio_operator | sed '1,3d;$d') --hub "$HUB"
_wait_for_deployment istio-operator istio-operator
}
function testInstallIstioDemo(){
snip_install_istio_demo_profile
sleep 30s
_wait_for_deployment istio-system istiod
_verify_like snip_kubectl_get_svc "$snip_kubectl_get_svc_out"
_verify_like snip_kubectl_get_pods "$snip_kubectl_get_pods_out"
}
function testUpdateProfileDefaultEgress(){
snip_update_to_default_profile_egress
sleep 30s
_verify_contains snip_kubectl_get_svc "egressgateway"
}
function testOperatorLogs(){
command=$(type snip_operator_logs | sed '1,3d;$d')
# prevent following log stream
command="${command/"logs -f"/"logs"}"
echo "$command" | sh -
}
function istioDownload(){
version="$1"
# downloadIstio takes a TARGET_OS env var, but it's exepected to be Linux or Darwin.
# Uppercase the first letter of the TARGET_OS used within the pipeline, which is linux or darwin
curl -L https://istio.io/downloadIstio | TARGET_OS=${TARGET_OS^} ISTIO_VERSION="$version" sh -
}
function operatorInit(){
version="$1"
istioDownload "$version"
istio-"$version"/bin/istioctl operator init
rm -rf "istio-$version"
}
function testInplaceUpgrade(){
operatorInit "$previousVersion"
operatorInit "$previousVersionMinorUpgrade"
snip_inplace_upgrade_get_pods_istio_operator
snip_inplace_upgrade_get_pods_istio_system
}
function testCanaryUpgrade(){
# downloadIstio takes a TARGET_OS env var, but it's exepected to be Linux or Darwin.
# Uppercase the first letter of the TARGET_OS used within the pipeline, which is linux or darwin
TARGET_OS=${TARGET_OS^} snip_download_istio_previous_version
snip_deploy_operator_previous_version
snip_install_istio_previous_version
_verify_like snip_verify_operator_cr "$snip_verify_operator_cr_out"
rm -rf "istio-$previousVersion"
istioctl operator init --revision "$fullVersionRevision"
}
function testTwoControlPlanes(){
echo "$snip_cat_operator_yaml_out" > example-istiocontrolplane-previous-version.yaml
_verify_like snip_cat_operator_yaml "$snip_cat_operator_yaml_out"
kubectl apply -f example-istiocontrolplane-previous-version.yaml
rm -f example-istiocontrolplane-previous-version.yaml
_verify_like snip_get_pods_istio_system "$snip_get_pods_istio_system_out"
_verify_like snip_get_svc_istio_system "$snip_get_svc_istio_system_out"
}
testOperatorDeployWatchNs
testOperatorDeployHelm
testOperatorDeploy
testInstallIstioDemo
snip_update_to_default_profile
testUpdateProfileDefaultEgress
testOperatorLogs
snip_cleanup
testInplaceUpgrade
snip_cleanup
testCanaryUpgrade
# @cleanup
snip_delete_example_istiocontrolplane
snip_cleanup

View File

@ -41,7 +41,7 @@ kubectl get pods -n istio-system -l app=istiod
! IFS=$'\n' read -r -d '' snip_control_plane_2_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
istiod-1-22-1-bdf5948d5-htddg 1/1 Running 0 47s
istiod-1-23-1-bdf5948d5-htddg 1/1 Running 0 47s
istiod-canary-84c8d4dcfb-skcfv 1/1 Running 0 25s
ENDSNIP
@ -51,7 +51,7 @@ kubectl get svc -n istio-system -l app=istiod
! IFS=$'\n' read -r -d '' snip_control_plane_3_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istiod-1-22-1 ClusterIP 10.96.93.151 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 109s
istiod-1-23-1 ClusterIP 10.96.93.151 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 109s
istiod-canary ClusterIP 10.104.186.250 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 87s
ENDSNIP
@ -61,7 +61,7 @@ kubectl get mutatingwebhookconfigurations
! IFS=$'\n' read -r -d '' snip_control_plane_4_out <<\ENDSNIP
NAME WEBHOOKS AGE
istio-sidecar-injector-1-22-1 2 2m16s
istio-sidecar-injector-1-23-1 2 2m16s
istio-sidecar-injector-canary 2 114s
ENDSNIP
@ -98,13 +98,13 @@ istioctl proxy-status | grep "\.test-ns "
}
snip_usage_1() {
istioctl install --revision=1-22-1 --set profile=minimal --skip-confirmation
istioctl install --revision=1-23-0 --set profile=minimal --skip-confirmation
istioctl install --revision=1-23-1 --set profile=minimal --skip-confirmation
istioctl install --revision=1-24-0 --set profile=minimal --skip-confirmation
}
snip_usage_2() {
istioctl tag set prod-stable --revision 1-22-1
istioctl tag set prod-canary --revision 1-23-0
istioctl tag set prod-stable --revision 1-23-1
istioctl tag set prod-canary --revision 1-24-0
}
snip_usage_3() {
@ -128,13 +128,13 @@ istioctl ps
! IFS=$'\n' read -r -d '' snip_usage_5_out <<\ENDSNIP
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-s8zfg 1.23.0
sleep-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-bdf5948d5-n72r2 1.22.1
sleep-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-bdf5948d5-n72r2 1-22.1
sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-s8zfg 1.24.0
sleep-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-1-bdf5948d5-n72r2 1.23.1
sleep-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-1-bdf5948d5-n72r2 1-23.1
ENDSNIP
snip_usage_6() {
istioctl tag set prod-stable --revision 1-23-0 --overwrite
istioctl tag set prod-stable --revision 1-24-0 --overwrite
}
snip_usage_7() {
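Review bot: the VERSION column in the last row of `snip_usage_5_out` (the `app-ns-2` pod) now reads `1-23.1`, carrying forward the `1-22.1` typo from the old text. The `app-ns-1` row on the same istiod uses `1.23.1`. Since this line is being rewritten anyway, correct it to `1.23.1` so the sample output shows a version string `istioctl ps` could actually print.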
@ -148,17 +148,17 @@ istioctl ps
! IFS=$'\n' read -r -d '' snip_usage_8_out <<\ENDSNIP
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-jsktb 1.23.0
sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-jsktb 1.23.0
sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-jsktb 1.23.0
sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-jsktb 1.24.0
sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-jsktb 1.24.0
sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-jsktb 1.24.0
ENDSNIP
snip_default_tag_1() {
istioctl tag set default --revision 1-23-0
istioctl tag set default --revision 1-24-0
}
snip_uninstall_old_control_plane_1() {
istioctl uninstall --revision 1-22-1 -y
istioctl uninstall --revision 1-23-1 -y
}
snip_uninstall_old_control_plane_2() {

View File

@ -77,16 +77,16 @@ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system
}
snip_usage_1() {
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-22-1 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-23-0 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-23-1 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-24-0 -n istio-system | kubectl apply -f -
}
snip_usage_2() {
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-23-0 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-24-0 -n istio-system | kubectl apply -f -
}
snip_default_tag_1() {
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-23-0 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-24-0 -n istio-system | kubectl apply -f -
}
snip_in_place_upgrade_1() {

View File

@ -22,6 +22,9 @@ set -o pipefail
source "tests/util/samples.sh"
source "tests/util/addons.sh"
# FIXME To re-enable this test, rename this file to test.sh once
# https://github.com/istio/istio.io/issues/15680 is fixed
# @setup profile=none
echo "$snip_configure_tracing_1" | istioctl install -y -r skywalkingagent -f -
snip_configure_tracing_2

View File

@ -298,7 +298,7 @@ spec:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
EOF
}
@ -316,7 +316,7 @@ spec:
name: httpbin-gateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
EOF
}
@ -337,7 +337,7 @@ curl --header "Authorization: Bearer deadbeef" "$INGRESS_HOST:$INGRESS_PORT/head
ENDSNIP
snip_enduser_authentication_9() {
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s)
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s)
curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n"
}
@ -346,11 +346,11 @@ curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST:$INGRESS_PORT/header
ENDSNIP
snip_enduser_authentication_10() {
wget --no-verbose https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/gen-jwt.py
wget --no-verbose https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/gen-jwt.py
}
snip_enduser_authentication_11() {
wget --no-verbose https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/key.pem
wget --no-verbose https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/key.pem
}
snip_enduser_authentication_12() {
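Review bot: `gen-jwt.py` and `key.pem` in `snip_enduser_authentication_10` and `_11` are now downloaded from `master`, a moving ref, and the `jwksUri` in the `RequestAuthentication` hunks above tracks the same ref. The task only works while `key.pem`, `jwks.json` and `demo.jwt` on that ref remain a matching set, and readers fetch a script whose content can change between visits. Please confirm these URLs are generated from the `SOURCE_BRANCH_NAME` setting changed in the Makefile hunk of this commit, so that the release branch cut pins them back to a release branch instead of leaving published docs on `master`.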

View File

@ -48,7 +48,7 @@ spec:
app: httpbin
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
outputClaimToHeaders:
- header: "x-jwt-claim-foo"
claim: "foo"
@ -64,7 +64,7 @@ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadat
ENDSNIP
snip_allow_requests_with_valid_jwt_and_listtyped_claims_3() {
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
}
! IFS=$'\n' read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_3_out <<\ENDSNIP

View File

@ -47,7 +47,7 @@ spec:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
EOF
}
@ -97,7 +97,7 @@ HTTP/1.1 401 Unauthorized
ENDSNIP
snip_validating_ingress_routing_based_on_jwt_claims_3() {
TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode
TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode
}
! IFS=$'\n' read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_3_out <<\ENDSNIP
@ -114,7 +114,7 @@ HTTP/1.1 200 OK
ENDSNIP
snip_validating_ingress_routing_based_on_jwt_claims_5() {
TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode
TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode
}
! IFS=$'\n' read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_5_out <<\ENDSNIP

View File

@ -36,7 +36,7 @@ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadat
ENDSNIP
snip_deploy_the_external_authorizer_1() {
kubectl apply -n foo -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/extauthz/ext-authz.yaml
kubectl apply -n foo -f https://raw.githubusercontent.com/istio/istio/master/samples/extauthz/ext-authz.yaml
}
! IFS=$'\n' read -r -d '' snip_deploy_the_external_authorizer_1_out <<\ENDSNIP
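Review bot: `kubectl apply -n foo -f` in `snip_deploy_the_external_authorizer_1` now takes `ext-authz.yaml` from `master`, while the expected result is still checked against the captured `snip_deploy_the_external_authorizer_1_out`. If the sample on `master` adds or renames a resource, the captured output no longer matches what readers see. Worth a check that the test compares against the current manifest, and that this URL returns to a release branch when the docs branch is cut.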

View File

@ -77,12 +77,12 @@ _verify_same snip_ipbased_allow_list_and_deny_list_5 "$snip_ipbased_allow_list_a
if [ "$GATEWAY_API" == "true" ]; then
_verify_like snip_ipbased_allow_list_and_deny_list_8 "$snip_ipbased_allow_list_and_deny_list_8_out"
CLIENT_IP=$(kubectl get pods -n foo -o name -l istio.io/gateway-name=httpbin-gateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n foo | grep remoteIP; done | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
snip_ipbased_allow_list_and_deny_list_8
snip_ipbased_allow_list_and_deny_list_12
_wait_for_istio authorizationpolicy foo ingress-policy
else
_verify_like snip_ipbased_allow_list_and_deny_list_6 "$snip_ipbased_allow_list_and_deny_list_6_out"
CLIENT_IP=$(kubectl get pods -n istio-system | grep ingress | awk '{print $1}' | while read -r pod; do kubectl logs "$pod" -n istio-system | grep remoteIP; done | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
snip_ipbased_allow_list_and_deny_list_6
snip_ipbased_allow_list_and_deny_list_10
_wait_for_istio authorizationpolicy istio-system ingress-policy
fi
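Review bot: the Gateway API branch in this hunk still looks up the gateway pods with `-l istio.io/gateway-name=httpbin-gateway`, but the two "Test client IP denied" hunks further down change the same lookup to `-l gateway.networking.k8s.io/gateway-name=httpbin-gateway`. If the old label is no longer set on the pods, this pipeline selects nothing and `CLIENT_IP` is empty when `snip_ipbased_allow_list_and_deny_list_12` builds the policy. The `$4` lookup in the next hunk has the same leftover selector. Use one selector for all four lookups, or add a comment explaining why they differ.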
@ -90,12 +90,12 @@ _verify_same snip_ipbased_allow_list_and_deny_list_14 "$snip_ipbased_allow_list_
if [ "$GATEWAY_API" == "true" ]; then
_verify_like snip_ipbased_allow_list_and_deny_list_9 "$snip_ipbased_allow_list_and_deny_list_9_out"
CLIENT_IP=$(kubectl get pods -n foo -o name -l istio.io/gateway-name=httpbin-gateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n foo | grep remoteIP; done | tail -1 | awk -F, '{print $4}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
snip_ipbased_allow_list_and_deny_list_9
snip_ipbased_allow_list_and_deny_list_13
_wait_for_istio authorizationpolicy foo ingress-policy
else
_verify_like snip_ipbased_allow_list_and_deny_list_7 "$snip_ipbased_allow_list_and_deny_list_7_out"
CLIENT_IP=$(kubectl get pods -n istio-system -o name -l istio=ingressgateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n istio-system | grep remoteIP; done | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
snip_ipbased_allow_list_and_deny_list_7
snip_ipbased_allow_list_and_deny_list_11
_wait_for_istio authorizationpolicy istio-system ingress-policy
fi
@ -104,7 +104,7 @@ _verify_same snip_ipbased_allow_list_and_deny_list_14 "$snip_ipbased_allow_list_
# Test client IP denied
if [ "$GATEWAY_API" == "true" ]; then
CLIENT_IP=$(kubectl get pods -n foo -o name -l istio.io/gateway-name=httpbin-gateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n foo | grep remoteIP; done | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
CLIENT_IP=$(kubectl get pods -n foo -o name -l gateway.networking.k8s.io/gateway-name=httpbin-gateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n foo | grep remoteIP; done | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
snip_ipbased_allow_list_and_deny_list_17
_wait_for_istio authorizationpolicy foo ingress-policy
else
@ -115,7 +115,7 @@ fi
_verify_same snip_ipbased_allow_list_and_deny_list_19 "$snip_ipbased_allow_list_and_deny_list_19_out"
if [ "$GATEWAY_API" == "true" ]; then
CLIENT_IP=$(kubectl get pods -n foo -o name -l istio.io/gateway-name=httpbin-gateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n foo | grep remoteIP; done | tail -1 | awk -F, '{print $4}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
CLIENT_IP=$(kubectl get pods -n foo -o name -l gateway.networking.k8s.io/gateway-name=httpbin-gateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n foo | grep remoteIP; done | tail -1 | awk -F, '{print $4}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
snip_ipbased_allow_list_and_deny_list_18
_wait_for_istio authorizationpolicy foo ingress-policy
else

View File

@ -47,7 +47,7 @@ spec:
app: httpbin
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
EOF
}
@ -87,7 +87,7 @@ EOF
}
snip_allow_requests_with_valid_jwt_and_listtyped_claims_5() {
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
}
! IFS=$'\n' read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_5_out <<\ENDSNIP
@ -133,7 +133,7 @@ EOF
}
snip_allow_requests_with_valid_jwt_and_listtyped_claims_9() {
TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
}
! IFS=$'\n' read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_9_out <<\ENDSNIP

View File

@ -124,7 +124,7 @@ Kubernetes Services for egress traffic work with other protocols as well.
{{< /text >}}
1. Access `httpbin.org` via the Kubernetes service's hostname from the source pod with Istio sidecar. Notice the
headers added by Istio sidecar, for example `X-Envoy-Decorator-Operation`. Also note that
headers added by Istio sidecar, for example `X-Envoy-Peer-Metadata`. Also note that
the `Host` header equals to your service's hostname.
{{< text bash >}}
@ -138,7 +138,6 @@ Kubernetes Services for egress traffic work with other protocols as well.
"X-B3-Sampled": "0",
"X-B3-Spanid": "5795fab599dca0b8",
"X-B3-Traceid": "5079ad3a4af418915795fab599dca0b8",
"X-Envoy-Decorator-Operation": "my-httpbin.default.svc.cluster.local:80/*",
"X-Envoy-Peer-Metadata": "...",
"X-Envoy-Peer-Metadata-Id": "sidecar~10.28.1.74~sleep-6bdb595bcb-drr45.default~default.svc.cluster.local"
}

View File

@ -109,7 +109,6 @@ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS my-httpbin.default.svc.cluster.l
"X-B3-Sampled": "0",
"X-B3-Spanid": "5795fab599dca0b8",
"X-B3-Traceid": "5079ad3a4af418915795fab599dca0b8",
"X-Envoy-Decorator-Operation": "my-httpbin.default.svc.cluster.local:80/*",
"X-Envoy-Peer-Metadata": "...",
"X-Envoy-Peer-Metadata-Id": "sidecar~10.28.1.74~sleep-6bdb595bcb-drr45.default~default.svc.cluster.local"
}

View File

@ -48,7 +48,7 @@ _verify_contains snip_kubernetes_externalname_service_to_access_an_external_serv
snip_kubernetes_externalname_service_to_access_an_external_service_4
_wait_for_istio destinationrule default my-httpbin
_verify_contains snip_kubernetes_externalname_service_to_access_an_external_service_5 "\"X-Envoy-Decorator-Operation\": \"my-httpbin.default.svc.cluster.local:80/*\""
_verify_contains snip_kubernetes_externalname_service_to_access_an_external_service_5 "\"X-Envoy-Peer-Metadata\":"
# service wikipedia
snip_use_a_kubernetes_service_with_endpoints_to_access_an_external_service_1
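Review bot: the replacement `_verify_contains` only checks that the key `"X-Envoy-Peer-Metadata":` appears in the response, where the old assertion matched the value `my-httpbin.default.svc.cluster.local:80/*`. The test now shows that a sidecar handled the request but no longer shows that it went through the `my-httpbin` service, which is the point of this step after `_wait_for_istio destinationrule default my-httpbin`. Consider also asserting on something that still carries the service hostname, such as the `Host` header the doc text calls out.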

View File

@ -67,7 +67,7 @@ The new application features a more modern design, and performance improvements
## Deprecating the in-cluster Operator
Three years ago, we [updated our documentation](/docs/setup/install/operator/) to discourage the use of the in-cluster operator for new Istio installations. We are now ready to formally mark it as deprecated in Istio 1.23. People leveraging the operator — which we estimate to be fewer than 10% of our user base — will need to migrate to other install and upgrade mechanisms in order to upgrade to Istio 1.24 or above. The expected release date for 1.24 is November 2024.
Three years ago, we [updated our documentation](https://archive.istio.io/v1.23/docs/setup/install/operator/) to discourage the use of the in-cluster operator for new Istio installations. We are now ready to formally mark it as deprecated in Istio 1.23. People leveraging the operator — which we estimate to be fewer than 10% of our user base — will need to migrate to other install and upgrade mechanisms in order to upgrade to Istio 1.24 or above. The expected release date for 1.24 is November 2024.
We recommend users move to Helm and istioctl, which remain supported by the Istio project. Migrating to istioctl is trivial; migrating to Helm will require tooling which we will publish along with the 1.24 release.

View File

@ -44,7 +44,7 @@ publishdate: 2019-11-14
## Installation
- **Added** the experimental [operator controller](/docs/setup/install/operator/) for dynamic updates to an Istio installation.
- **Added** the experimental [operator controller](https://archive.istio.io/v1.23/docs/setup/install/operator/) for dynamic updates to an Istio installation.
- **Removed** the `proxy_init` Docker image. Instead, the `istio-init` container reuses the `proxyv2` image.
- **Updated** the base image to `ubuntu:bionic`.

View File

@ -64,7 +64,7 @@ particular has some cool enhancements. Command line installation of Istio using
[`istioctl`](/docs/reference/commands/istioctl) is now beta for installation and
will work for most customers in most use cases. Managing your installation via
an Operator is still alpha, but we continue to improve it with a new
[`IstioOperator API`](/docs/reference/config/istio.operator.v1alpha1/).
`IstioOperator` API.
Speaking of `istioctl`, it has over a dozen improvements -- new items it can
analyze, better validation rules, and better ability to integrate with CI
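Review bot: the link on `IstioOperator API` is dropped here and replaced with plain text, while the other operator links in this commit are redirected to `https://archive.istio.io/v1.23/...`. If an archived copy of the `istio.operator.v1alpha1` reference page exists, pointing at it would keep this announcement consistent with the others and keep the reference reachable for readers.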

View File

@ -89,7 +89,7 @@ resources via its proxy immediately upon its boot.
Sometimes stale endpoints could make Pilot become unhealthy. [We fixed that](https://github.com/istio/istio/issues/25112).
The [Istio Operator](/docs/setup/install/operator/)
The [Istio Operator](https://archive.istio.io/v1.23/docs/setup/install/operator/)
is a great way to install Istio, as it automates a fair amount of toil. Canary
control plane deployments are also important; they allow ultra-safe upgrades of
Istio. Unfortunately, you couldn't use them together - [until now](/docs/setup/upgrade/#canary-upgrades).

View File

@ -23,7 +23,7 @@ Here are some highlights for this release:
## Installing and Upgrading Istio
To codify all the knowledge on how to deploy and upgrade a mesh into software, we built the `IstioOperator` API and two different methods to install it - [istioctl install](/docs/setup/install/istioctl/) and the [Istio operator](/docs/setup/install/operator/). However, some of our users have a deployment workflow for other software based on Helm, and so in this release we've added support for [installing Istio with Helm 3](/docs/setup/install/helm/). This includes both [in-place upgrades](/docs/setup/install/helm/#in-place-upgrade) and [canary deployment of new control planes](/docs/setup/install/helm/#canary-upgrade), after installing 1.8 or later. Helm 3 support is currently Alpha, so please try it out and give your feedback.
To codify all the knowledge on how to deploy and upgrade a mesh into software, we built the `IstioOperator` API and two different methods to install it - [istioctl install](/docs/setup/install/istioctl/) and the [Istio operator](https://archive.istio.io/v1.23/docs/setup/install/operator/). However, some of our users have a deployment workflow for other software based on Helm, and so in this release we've added support for [installing Istio with Helm 3](/docs/setup/install/helm/). This includes both [in-place upgrades](/docs/setup/install/helm/#in-place-upgrade) and [canary deployment of new control planes](/docs/setup/install/helm/#canary-upgrade), after installing 1.8 or later. Helm 3 support is currently Alpha, so please try it out and give your feedback.
Given the several methods of installation that Istio now supports, we've added a [which Istio installation method should I use?](/about/faq/#install-method-selection) FAQ page to help users understand which method may be best suited to their particular use case.

View File

@ -76,22 +76,6 @@ remove_toc_prefix: 'install-cni '
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -198,22 +182,6 @@ See each sub-command&#39;s help for details on how to use the generated script.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
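Review bot: the four --log_rotate* rows dropped in this hunk are removed with nothing in their place, and the same four rows go from every other subcommand table in this file, so a reader who still passes --log_rotate has no pointer to what replaces it; suggest a release-note entry or a short line in the page intro. Separately, the unchanged --log_stacktrace_level row kept as context reads "<scope>:<level>,<scope:level>,..."; the second pair should be "<scope>:<level>" to match the --log_output_level row above it.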
@ -228,14 +196,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
<p>This script depends on the &#39;bash-completion&#39; package.
If it is not installed already, you can install it via your OS&#39;s package manager.</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(install-cni completion bash)</p>
<pre class="language-bash"><code>source &lt;(install-cni completion bash)</code></pre>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> install-cni completion bash &gt; /etc/bash_completion.d/install-cni</p>
<p>#### macOS:</p>
<p> install-cni completion bash &gt; $(brew --prefix)/etc/bash_completion.d/install-cni</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>install-cni completion bash &gt; /etc/bash_completion.d/install-cni</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>install-cni completion bash &gt; /usr/local/etc/bash_completion.d/install-cni</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>install-cni completion bash
</code></pre>
<table class="command-flags">
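Review bot: the new macOS line hardcodes /usr/local/etc/bash_completion.d/install-cni where the removed line used $(brew --prefix)/etc/bash_completion.d/install-cni. Homebrew on Apple Silicon installs under /opt/homebrew, so the hardcoded path is not the directory bash-completion reads there, and the zsh section of this same file still uses $(brew --prefix). Suggest keeping $(brew --prefix) in the bash instructions as well.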
@ -267,22 +234,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -299,11 +250,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
<h3 id="install-cni-completion-fish">install-cni completion fish</h3>
<p>Generate the autocompletion script for the fish shell.</p>
<p>To load completions in your current shell session:</p>
<p> install-cni completion fish | source</p>
<pre class="language-bash"><code>install-cni completion fish | source</code></pre>
<p>To load completions for every new session, execute once:</p>
<p> install-cni completion fish &gt; ~/.config/fish/completions/install-cni.fish</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<pre class="language-bash"><code>install-cni completion bash &gt; ~/.config/fish/completions/install-cni.fish</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>install-cni completion fish [flags]
</code></pre>
<table class="command-flags">
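Review bot: the new persistent-install line runs "install-cni completion bash" but redirects into ~/.config/fish/completions/install-cni.fish, so fish would be handed a bash completion script. The removed line and the current-session line just above both use "completion fish"; the subcommand in the new <pre> should be fish.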
@ -335,22 +285,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -365,12 +299,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tbody>
</table>
<h3 id="install-cni-completion-powershell">install-cni completion powershell</h3>
<p>Generate the autocompletion script for powershell.</p>
<p>Generate the autocompletion script for PowerShell.</p>
<p>To load completions in your current shell session:</p>
<p> install-cni completion powershell | Out-String | Invoke-Expression</p>
<p>To load completions for every new session, add the output of the above command
to your powershell profile.
</p>
<pre class="language-bash"><code>install-cni completion powershell | Out-String | Invoke-Expression</code></pre>
<p>To load completions for every new session, add the output of the above command to your powershell profile.</p>
<pre class="language-bash"><code>install-cni completion powershell [flags]
</code></pre>
<table class="command-flags">
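Review bot: the new <pre> around "install-cni completion powershell | Out-String | Invoke-Expression" is tagged class="language-bash" although the pipeline is PowerShell, so it will be highlighted with the wrong grammar; use a PowerShell language class or leave the class off. Also, the first sentence now says "PowerShell" while the rewritten profile sentence still says "powershell profile"; pick one spelling.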
@ -402,22 +334,6 @@ to your powershell profile.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -433,18 +349,16 @@ to your powershell profile.
</table>
<h3 id="install-cni-completion-zsh">install-cni completion zsh</h3>
<p>Generate the autocompletion script for the zsh shell.</p>
<p>If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:</p>
<p> echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(install-cni completion zsh)</p>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> install-cni completion zsh &gt; &#34;${fpath[1]}/_install-cni&#34;</p>
<p>#### macOS:</p>
<p> install-cni completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_install-cni</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<p>If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:</p>
<pre class="language-bash"><code>echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</code></pre>
<p>To load completions in your current shell session:</p>
<pre class="language-bash"><code>source &lt;(install-cni completion zsh)</code></pre>
<p>To load completions for every new session, execute once:</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>install-cni completion zsh &gt; &#34;${fpath[1]}/_install-cni&#34;</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>install-cni completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_install-cni</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>install-cni completion zsh [flags]
</code></pre>
<table class="command-flags">
@ -476,22 +390,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -544,26 +442,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -586,7 +464,7 @@ to enable it. You can execute the following once:</p>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>install-cni</code> command. Please use with caution as these environment variables are experimental and can change anytime.
These environment variables affect the behavior of the <code>install-cni</code> command.
<table class="envvars">
<thead>
<tr>
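Review bot: the rewritten intro sentence drops "Please use with caution as these environment variables are experimental and can change anytime" without any replacement stability statement, while later hunks in this same table flip a default (ENABLE_INBOUND_RETRY_POLICY) and delete rows outright. If the variables are still unsupported knobs, keep a caveat here; if they are now considered stable, say so explicitly.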
@ -706,6 +584,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and &gt; 1 worker thread</td>
</tr>
<tr>
<td><code>ENABLE_DEFERRED_STATS_CREATION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Istio will lazily initialize a subset of the stats</td>
</tr>
<tr>
<td><code>ENABLE_DELIMITED_STATS_TAG_REGEX</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -718,12 +602,6 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.</td>
</tr>
<tr>
<td><code>ENABLE_EXTERNAL_NAME_ALIAS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.</td>
</tr>
<tr>
<td><code>ENABLE_HCM_INTERNAL_NETWORKS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
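Review bot: the ENABLE_EXTERNAL_NAME_ALIAS row removed here carried the only description in this hunk of how ExternalName Services are matched, including the caveat that routes and DestinationRules cannot be applied to them in alias mode and that the disabled mode can match all traffic on a TCP port. With the row gone the page no longer says which of the two behaviours applies; suggest stating the now-fixed behaviour in the upgrade notes.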
@ -732,7 +610,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<tr>
<td><code>ENABLE_INBOUND_RETRY_POLICY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.</td>
</tr>
<tr>
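Review bot: the default for ENABLE_INBOUND_RETRY_POLICY changes from false to true in this hunk, but the description is unchanged and does not mention that requests reset before reaching the service are now retried by default. That is a behaviour change on upgrade; suggest an upgrade note and a sentence in the description on how to restore the previous behaviour (set the variable to false).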
@ -808,6 +686,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>Envoy proxy username</td>
</tr>
<tr>
<td><code>EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, excludes unsafe retry on 503 from default retry policy.</td>
</tr>
<tr>
<td><code>EXTERNAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
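Review bot: the new EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY description, "excludes unsafe retry on 503 from default retry policy", does not say what makes a 503 retry unsafe or which retry condition is removed from the default policy. Since the default is true, the row should name the condition that is dropped and what setting the variable to false restores.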
@ -1046,12 +930,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1268,12 +1146,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, HBONE support can be configured for proxies.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TELEMETRY_LABEL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1490,6 +1362,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>pod&#39;s namespace</td>
</tr>
<tr>
<td><code>PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.</td>
</tr>
<tr>
<td><code>REPAIR_BROKEN_POD_LABEL_KEY</code></td>
<td>String</td>
<td><code>cni.istio.io/uninitialized</code></td>
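Review bot: the new PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES row defaults to true and decides which TLS configuration wins for external services, but "the metadata TLS settings" is not defined anywhere in the description. Suggest naming the source of those metadata settings and stating what happens when no DestinationRule TLS block exists, so an operator can tell whether an upgrade changes the TLS mode used for an existing external service.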
@ -1628,12 +1506,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.</td>
</tr>
<tr>
<td><code>VERIFY_CERTIFICATE_AT_CLIENT</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.</td>
</tr>
<tr>
<td><code>XDS_AUTH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
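Review bot: the VERIFY_CERTIFICATE_AT_CLIENT row is deleted here with no replacement text, and its description ("certificates received by the proxy will be verified against the OS CA certificate bundle") was a security-relevant default. The docs should state whether that verification is now unconditional or governed by another setting, so that anyone who had set the variable to false knows what to expect after upgrading.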


View File

@ -30,22 +30,6 @@ remove_toc_prefix: 'pilot-agent '
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -84,22 +68,6 @@ See each sub-command&#39;s help for details on how to use the generated script.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -118,14 +86,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
<p>This script depends on the &#39;bash-completion&#39; package.
If it is not installed already, you can install it via your OS&#39;s package manager.</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-agent completion bash)</p>
<pre class="language-bash"><code>source &lt;(pilot-agent completion bash)</code></pre>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-agent completion bash &gt; /etc/bash_completion.d/pilot-agent</p>
<p>#### macOS:</p>
<p> pilot-agent completion bash &gt; $(brew --prefix)/etc/bash_completion.d/pilot-agent</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-agent completion bash &gt; /etc/bash_completion.d/pilot-agent</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-agent completion bash &gt; /usr/local/etc/bash_completion.d/pilot-agent</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-agent completion bash
</code></pre>
<table class="command-flags">
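Review bot: the new macOS line writes to the hardcoded /usr/local/etc/bash_completion.d/pilot-agent, replacing $(brew --prefix)/etc/bash_completion.d/pilot-agent. /usr/local is not the Homebrew prefix on Apple Silicon (/opt/homebrew), and the pilot-agent zsh instructions further down still use $(brew --prefix); suggest keeping $(brew --prefix) here.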
@ -149,22 +116,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -185,11 +136,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
<h3 id="pilot-agent-completion-fish">pilot-agent completion fish</h3>
<p>Generate the autocompletion script for the fish shell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-agent completion fish | source</p>
<pre class="language-bash"><code>pilot-agent completion fish | source</code></pre>
<p>To load completions for every new session, execute once:</p>
<p> pilot-agent completion fish &gt; ~/.config/fish/completions/pilot-agent.fish</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<pre class="language-bash"><code>pilot-agent completion bash &gt; ~/.config/fish/completions/pilot-agent.fish</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-agent completion fish [flags]
</code></pre>
<table class="command-flags">
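Review bot: the new persistent-install line reads "pilot-agent completion bash > ~/.config/fish/completions/pilot-agent.fish", which puts a bash completion script into the fish completions directory. The removed line used "completion fish", as does the current-session line above; the subcommand should be fish.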
@ -213,22 +163,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -247,12 +181,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tbody>
</table>
<h3 id="pilot-agent-completion-powershell">pilot-agent completion powershell</h3>
<p>Generate the autocompletion script for powershell.</p>
<p>Generate the autocompletion script for PowerShell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-agent completion powershell | Out-String | Invoke-Expression</p>
<p>To load completions for every new session, add the output of the above command
to your powershell profile.
</p>
<pre class="language-bash"><code>pilot-agent completion powershell | Out-String | Invoke-Expression</code></pre>
<p>To load completions for every new session, add the output of the above command to your powershell profile.</p>
<pre class="language-bash"><code>pilot-agent completion powershell [flags]
</code></pre>
<table class="command-flags">
@ -276,22 +208,6 @@ to your powershell profile.
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -311,18 +227,16 @@ to your powershell profile.
</table>
<h3 id="pilot-agent-completion-zsh">pilot-agent completion zsh</h3>
<p>Generate the autocompletion script for the zsh shell.</p>
<p>If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:</p>
<p> echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-agent completion zsh)</p>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-agent completion zsh &gt; &#34;${fpath[1]}/_pilot-agent&#34;</p>
<p>#### macOS:</p>
<p> pilot-agent completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-agent</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<p>If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:</p>
<pre class="language-bash"><code>echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</code></pre>
<p>To load completions in your current shell session:</p>
<pre class="language-bash"><code>source &lt;(pilot-agent completion zsh)</code></pre>
<p>To load completions for every new session, execute once:</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-agent completion zsh &gt; &#34;${fpath[1]}/_pilot-agent&#34;</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-agent completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-agent</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-agent completion zsh [flags]
</code></pre>
<table class="command-flags">
@ -346,22 +260,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
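Review bot: the `--log_rotate`, `--log_rotate_max_age`, `--log_rotate_max_backups` and `--log_rotate_max_size` rows are deleted from this flag table (and from the other `pilot-agent` flag tables in this file) with nothing left behind that tells a reader the flags are gone or what replaces them. If the binary no longer accepts them, anyone still passing `--log_rotate` in container args needs an upgrade or release note to find; please confirm one exists and link it from this reference.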
@ -428,26 +326,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -613,26 +491,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -722,22 +580,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -816,22 +658,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -874,26 +700,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -945,22 +751,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
@ -991,7 +781,7 @@ to enable it. You can execute the following once:</p>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>pilot-agent</code> command. Please use with caution as these environment variables are experimental and can change anytime.
These environment variables affect the behavior of the <code>pilot-agent</code> command.
<table class="envvars">
<thead>
<tr>
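Review bot: the sentence above the `envvars` table loses "Please use with caution as these environment variables are experimental and can change anytime", while this same diff removes `ENABLE_EXTERNAL_NAME_ALIAS`, `PILOT_ENABLE_STATUS` and `VERIFY_CERTIFICATE_AT_CLIENT` and changes the default of `ENABLE_INBOUND_RETRY_POLICY`. The variables are visibly still changing between versions, so the caveat should stay unless there is now a stability guarantee that the page can state.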
@ -1141,6 +931,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and &gt; 1 worker thread</td>
</tr>
<tr>
<td><code>ENABLE_DEFERRED_STATS_CREATION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Istio will lazily initialize a subset of the stats</td>
</tr>
<tr>
<td><code>ENABLE_DELIMITED_STATS_TAG_REGEX</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1153,12 +949,6 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.</td>
</tr>
<tr>
<td><code>ENABLE_EXTERNAL_NAME_ALIAS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.</td>
</tr>
<tr>
<td><code>ENABLE_HCM_INTERNAL_NETWORKS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
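Review bot: deleting the `ENABLE_EXTERNAL_NAME_ALIAS` row also deletes the only text on this page that explains how ExternalName Services are matched, including the warning that in the non-alias mode a TCP port matches all traffic on that port and that mTLS and load balancing policies are not used for the destination. If alias behaviour is now unconditional, say so in an upgrade note and keep the statement that routes and DestinationRule cannot be applied to an ExternalName service somewhere operators will find it, since anyone who had set this to `false` gets different routing after upgrading.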
@ -1167,7 +957,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<tr>
<td><code>ENABLE_INBOUND_RETRY_POLICY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.</td>
</tr>
<tr>
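Review bot: the default for `ENABLE_INBOUND_RETRY_POLICY` changes from `false` to `true`, which changes behaviour for every mesh that never set the variable, and the row gives no hint that the value differs from the previous release. Please add an upgrade note naming the variable as the opt-out, and while touching the row fix the description to read "requests that were reset before they reach the service".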
@ -1261,6 +1051,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>Envoy proxy username</td>
</tr>
<tr>
<td><code>EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, excludes unsafe retry on 503 from default retry policy.</td>
</tr>
<tr>
<td><code>EXIT_ON_ZERO_ACTIVE_CONNECTIONS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
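Review bot: the new `EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY` description, "excludes unsafe retry on 503 from default retry policy", never says what makes a 503 retry unsafe or which retry conditions remain in the default policy when it is `true`. Since it ships enabled, the row should spell out the before and after retry behaviour so an operator can tell whether setting it to `false` restores the previous default.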
@ -1595,12 +1391,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If set to true, enable the peer metadata discovery extension in Envoy</td>
</tr>
<tr>
<td><code>PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1817,12 +1607,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, HBONE support can be configured for proxies.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TELEMETRY_LABEL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -2045,6 +1829,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.</td>
</tr>
<tr>
<td><code>PROV_CERT</code></td>
<td>String</td>
<td><code></code></td>
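Review bot: `PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES` is added with a default of `true`, but "the metadata TLS settings" is not defined anywhere in the description, so a reader cannot tell which source of TLS configuration is being overridden. Because this decides which TLS mode is used toward external services, please name both sources explicitly and state what happens when no DestinationRule applies.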
@ -2099,6 +1889,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The grace period ratio for the cert rotation, by default 0.5.</td>
</tr>
<tr>
<td><code>SECRET_GRACE_PERIOD_RATIO_JITTER</code></td>
<td>Floating-Point</td>
<td><code>0.01</code></td>
<td>Randomize the grace period ratio up or down by this amount to stagger cert renewals, by default .01 (~15 minutes over 24 hours).</td>
</tr>
<tr>
<td><code>SECRET_TTL</code></td>
<td>Time Duration</td>
<td><code>24h0m0s</code></td>
@ -2165,12 +1961,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.</td>
</tr>
<tr>
<td><code>VERIFY_CERTIFICATE_AT_CLIENT</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.</td>
</tr>
<tr>
<td><code>WASM_HTTP_REQUEST_MAX_RETRIES</code></td>
<td>Integer</td>
<td><code>5</code></td>
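Review bot: the `VERIFY_CERTIFICATE_AT_CLIENT` row (default `true`, "certificates received by the proxy will be verified against the OS CA certificate bundle") is removed without the page saying whether that verification is now always performed or is configured elsewhere. For a security-relevant toggle the removal needs a release note stating the resulting behaviour, in particular for deployments that had set it to `false`.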

View File

@ -46,14 +46,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
<p>This script depends on the &#39;bash-completion&#39; package.
If it is not installed already, you can install it via your OS&#39;s package manager.</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-discovery completion bash)</p>
<pre class="language-bash"><code>source &lt;(pilot-discovery completion bash)</code></pre>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-discovery completion bash &gt; /etc/bash_completion.d/pilot-discovery</p>
<p>#### macOS:</p>
<p> pilot-discovery completion bash &gt; $(brew --prefix)/etc/bash_completion.d/pilot-discovery</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-discovery completion bash &gt; /etc/bash_completion.d/pilot-discovery</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-discovery completion bash &gt; /usr/local/etc/bash_completion.d/pilot-discovery</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-discovery completion bash
</code></pre>
<table class="command-flags">
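Review bot: the macOS command in the added `<pre>` block hardcodes `/usr/local/etc/bash_completion.d/pilot-discovery`, where the line it replaces used `$(brew --prefix)/etc/bash_completion.d/pilot-discovery`. Homebrew on Apple Silicon installs under `/opt/homebrew`, so the hardcoded path writes the script where bash-completion will not load it, and the zsh section of this same file still uses `$(brew --prefix)`. Please keep the `$(brew --prefix)` form here.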
@ -77,11 +76,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
<h3 id="pilot-discovery-completion-fish">pilot-discovery completion fish</h3>
<p>Generate the autocompletion script for the fish shell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-discovery completion fish | source</p>
<pre class="language-bash"><code>pilot-discovery completion fish | source</code></pre>
<p>To load completions for every new session, execute once:</p>
<p> pilot-discovery completion fish &gt; ~/.config/fish/completions/pilot-discovery.fish</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<pre class="language-bash"><code>pilot-discovery completion bash &gt; ~/.config/fish/completions/pilot-discovery.fish</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-discovery completion fish [flags]
</code></pre>
<table class="command-flags">
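Review bot: in the "every new session" step the added line runs `pilot-discovery completion bash` but redirects the output to `~/.config/fish/completions/pilot-discovery.fish`, so a bash completion script is written into the fish completions directory. The removed line used `pilot-discovery completion fish`, which is what the section documents; the subcommand should be `fish` here, and since this page is generated the fix belongs in the command's help text.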
@ -103,12 +101,10 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tbody>
</table>
<h3 id="pilot-discovery-completion-powershell">pilot-discovery completion powershell</h3>
<p>Generate the autocompletion script for powershell.</p>
<p>Generate the autocompletion script for PowerShell.</p>
<p>To load completions in your current shell session:</p>
<p> pilot-discovery completion powershell | Out-String | Invoke-Expression</p>
<p>To load completions for every new session, add the output of the above command
to your powershell profile.
</p>
<pre class="language-bash"><code>pilot-discovery completion powershell | Out-String | Invoke-Expression</code></pre>
<p>To load completions for every new session, add the output of the above command to your powershell profile.</p>
<pre class="language-bash"><code>pilot-discovery completion powershell [flags]
</code></pre>
<table class="command-flags">
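Review bot: the PowerShell pipeline `pilot-discovery completion powershell | Out-String | Invoke-Expression` is wrapped in `<pre class="language-bash">`, so it will be highlighted and presented as bash although it only runs in PowerShell. Use a PowerShell language class for that block, and make the casing consistent: the first paragraph now says "PowerShell" while the last one still says "your powershell profile".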
@ -131,18 +127,16 @@ to your powershell profile.
</table>
<h3 id="pilot-discovery-completion-zsh">pilot-discovery completion zsh</h3>
<p>Generate the autocompletion script for the zsh shell.</p>
<p>If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:</p>
<p> echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</p>
<p>To load completions in your current shell session:</p>
<p> source &lt;(pilot-discovery completion zsh)</p>
<p>To load completions for every new session, execute once:</p>
<p>#### Linux:</p>
<p> pilot-discovery completion zsh &gt; &#34;${fpath[1]}/_pilot-discovery&#34;</p>
<p>#### macOS:</p>
<p> pilot-discovery completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-discovery</p>
<p>You will need to start a new shell for this setup to take effect.
</p>
<p>If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:</p>
<pre class="language-bash"><code>echo &#34;autoload -U compinit; compinit&#34; &gt;&gt; ~/.zshrc</code></pre>
<p>To load completions in your current shell session:</p>
<pre class="language-bash"><code>source &lt;(pilot-discovery completion zsh)</code></pre>
<p>To load completions for every new session, execute once:</p>
<h4>Linux:</h4>
<pre class="language-bash"><code>pilot-discovery completion zsh &gt; &#34;${fpath[1]}/_pilot-discovery&#34;</code></pre>
<h4>macOS:</h4>
<pre class="language-bash"><code>pilot-discovery completion zsh &gt; $(brew --prefix)/share/zsh/site-functions/_pilot-discovery</code></pre>
<p>You will need to start a new shell for this setup to take effect.</p>
<pre class="language-bash"><code>pilot-discovery completion zsh [flags]
</code></pre>
<table class="command-flags">
@ -282,26 +276,6 @@ to enable it. You can execute the following once:</p>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
@ -424,7 +398,7 @@ Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_R
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>pilot-discovery</code> command. Please use with caution as these environment variables are experimental and can change anytime.
These environment variables affect the behavior of the <code>pilot-discovery</code> command.
<table class="envvars">
<thead>
<tr>
@ -550,6 +524,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and &gt; 1 worker thread</td>
</tr>
<tr>
<td><code>ENABLE_DEFERRED_STATS_CREATION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Istio will lazily initialize a subset of the stats</td>
</tr>
<tr>
<td><code>ENABLE_DELIMITED_STATS_TAG_REGEX</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -562,12 +542,6 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.</td>
</tr>
<tr>
<td><code>ENABLE_EXTERNAL_NAME_ALIAS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.</td>
</tr>
<tr>
<td><code>ENABLE_HCM_INTERNAL_NETWORKS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -576,7 +550,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<tr>
<td><code>ENABLE_INBOUND_RETRY_POLICY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.</td>
</tr>
<tr>
@ -652,6 +626,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
<td>If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.</td>
</tr>
<tr>
<td><code>EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, excludes unsafe retry on 503 from default retry policy.</td>
</tr>
<tr>
<td><code>EXTERNAL_CA</code></td>
<td>String</td>
<td><code></code></td>
@ -920,12 +900,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1142,12 +1116,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, HBONE support can be configured for proxies.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TELEMETRY_LABEL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1370,6 +1338,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.</td>
</tr>
<tr>
<td><code>REQUIRE_3P_TOKEN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1460,12 +1434,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.</td>
</tr>
<tr>
<td><code>VERIFY_CERTIFICATE_AT_CLIENT</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.</td>
</tr>
<tr>
<td><code>XDS_AUTH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1491,14 +1459,14 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<tr><td><code>auto_registration_unregister_total</code></td><td><code>Sum</code></td><td>Total number of unregistrations.</td></tr>
<tr><td><code>auto_registration_updates_total</code></td><td><code>Sum</code></td><td>Total number of auto registration updates.</td></tr>
<tr><td><code>citadel_server_authentication_failure_count</code></td><td><code>Sum</code></td><td>The number of authentication failures.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the Istio Generated cert chain will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_cert_chain_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Istio generated cert chain will expire.</td></tr>
<tr><td><code>citadel_server_csr_count</code></td><td><code>Sum</code></td><td>The number of CSRs received by Citadel server.</td></tr>
<tr><td><code>citadel_server_csr_parsing_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when parsing the CSR.</td></tr>
<tr><td><code>citadel_server_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_server_id_extraction_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when extracting the ID from CSR.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the root certificate will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_seconds</code></td><td><code>LastValue</code></td><td>The time remaining, in seconds, before the root cert will expire. A negative value indicates the cert is expired.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when the root cert will expire.</td></tr>
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>controller_sync_errors_total</code></td><td><code>Sum</code></td><td>Total number of errorMetric syncing controllers.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
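Review bot: the two reworded cert chain rows disagree on wording, "Istio Generated cert chain" for `citadel_server_cert_chain_expiry_seconds` and "Istio generated cert chain" for `citadel_server_cert_chain_expiry_timestamp`; pick one capitalisation. Dropping "A negative time indicates the cert is expired" from the two `_timestamp` rows is right for a unix timestamp, but those rows now give no hint on how to detect expiry, so a short pointer to comparing against the current time, or to the matching `_seconds` metric, would help anyone alerting on them.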

View File

@ -231,17 +231,10 @@ No
<td><code><a href="#MeshConfig-OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application. If your application uses one or
more external services that are not known apriori, setting the
policy to <code>ALLOW_ANY</code> will cause the sidecars to route any unknown
traffic originating from the application to its requested
destination. Users are strongly encouraged to use ServiceEntries
to explicitly declare any external dependencies, instead of using
<code>ALLOW_ANY</code>, so that traffic to these services can be
monitored. Can be overridden at a Sidecar level by setting the
<code>OutboundTrafficPolicy</code> in the <a href="/zh/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar
API</a>.
Default mode is <code>ALLOW_ANY</code> which means outbound traffic to unknown destinations will be allowed.</p>
traffic from the application.</p>
<p>Can be overridden at a Sidecar level by setting the <code>OutboundTrafficPolicy</code> in the
<a href="/zh/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar API</a>.</p>
<p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>
</td>
<td>
@ -464,7 +457,8 @@ By default, Istio emits statistics with the pattern <code>inbound|&lt;port&gt;|&
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
<ul>
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE%</code> - Will be substituted with short hostname of the service.</li>
<li><code>%SERVICE_NAME%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
<li><code>%TARGET_PORT%</code> - Will be substituted with the target port of the service.</li>
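Review bot: the `%SERVICE%` bullet changes meaning from "name of the service" to "short hostname of the service", and the old wording moves to the new `%SERVICE_NAME%` bullet, but the list does not say how the two values differ. Show what each variable expands to for one service, next to the existing `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local` example, so operators with a custom pattern can tell whether their stat names, and the dashboards and alerts keyed on them, will change.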
@ -491,7 +485,8 @@ By default, Istio emits statistics with the pattern <code>outbound|&lt;port&gt;|
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
<ul>
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE%</code> - Will be substituted with short hostname of the service.</li>
<li><code>%SERVICE_NAME%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
<li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li>
@ -815,6 +810,9 @@ No
</section>
<h2 id="MeshConfig-OutboundTrafficPolicy">MeshConfig.OutboundTrafficPolicy</h2>
<section>
<p><code>OutboundTrafficPolicy</code> sets the default behavior of the sidecar for
handling unknown outbound traffic from the application.</p>
<table class="message-fields">
<thead>
<tr>
@ -4406,16 +4404,21 @@ No
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries</p>
<p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p>
<p>Note: Istio <a href="/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations">does not offer an outbound traffic security policy</a>.
This option does not act as one, or as any form of an outbound firewall.
Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p>
</td>
</tr>
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port</p>
<p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
Unknown destination traffic will have limited functionality, however, such as reduced observability.
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p>
</td>
</tr>
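Review bot: the link in the new `REGISTRY_ONLY` note points at `/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations`, while the Sidecar API link earlier in this same file uses the `/zh/docs/...` prefix. A `/latest/` target will drift away from this version of the docs once it is archived, so the note about this option not being an outbound firewall could end up pointing at text that no longer matches. Use the same site-relative prefix as the other links in the file.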

View File

@ -397,13 +397,9 @@ No
<td><code>outboundTrafficPolicy</code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>Configuration for the outbound traffic policy. If your
application uses one or more external services that are not known
apriori, setting the policy to <code>ALLOW_ANY</code> will cause the
sidecars to route any unknown traffic originating from the
application to its requested destination. If not specified,
inherits the system detected defaults from the namespace-wide or
the global default Sidecar.</p>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application.</p>
<p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>
</td>
<td>
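Review bot: the new `outboundTrafficPolicy` description on the Sidecar field says "Default mode is `ALLOW_ANY`", which conflicts with the sentence it replaces: "If not specified, inherits the system detected defaults from the namespace-wide or the global default Sidecar." If inheritance still applies, a Sidecar that omits the field in a mesh configured for `REGISTRY_ONLY` does not get `ALLOW_ANY`, and the text as written would mislead readers about what egress behaviour they are running. Keep the inheritance sentence, or state the default only on the MeshConfig field.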
@ -661,14 +657,7 @@ No
<h2 id="OutboundTrafficPolicy">OutboundTrafficPolicy</h2>
<section>
<p><code>OutboundTrafficPolicy</code> sets the default behavior of the sidecar for
handling outbound traffic from the application.
If your application uses one or more external
services that are not known apriori, setting the policy to <code>ALLOW_ANY</code>
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use <code>ServiceEntry</code> configurations to explicitly declare any external
dependencies, instead of using <code>ALLOW_ANY</code>, so that traffic to these
services can be monitored.</p>
handling unknown outbound traffic from the application.</p>
<table class="message-fields">
<thead>
@ -758,16 +747,21 @@ No
<tr id="OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>Outbound traffic will be restricted to services defined in the
service registry as well as those defined through <code>ServiceEntry</code> configurations.</p>
<p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p>
<p>Note: Istio <a href="/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations">does not offer an outbound traffic security policy</a>.
This option does not act as one, or as any form of an outbound firewall.
Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p>
</td>
</tr>
<tr id="OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>Outbound traffic to unknown destinations will be allowed, in case
there are no services or <code>ServiceEntry</code> configurations for the destination port.</p>
<p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
Unknown destination traffic will have limited functionality, however, such as reduced observability.
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p>
</td>
</tr>

View File

@ -211,7 +211,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>
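Review bot: the `kind: Service` bullet now lists `group: ""` or `group: "core"` without saying whether the two values are treated as the same group. Add a clause stating that they are equivalent, if they are, and which form the examples use, so readers do not take them for two different attachment types. The same applies to the identical bullet in the other three reference pages changed below.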

View File

@ -235,7 +235,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

View File

@ -240,7 +240,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

View File

@ -229,7 +229,7 @@ the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

View File

@ -1,11 +1,11 @@
# The primary Istio version identifier the docs describe, used throughout the site
version: "1.23"
version: "1.24"
# The full Istio version identifier the docs describe
full_version: "1.23.0"
full_version: "1.24.0"
# The previous Istio version identifier the docs describe, used for upgrade documentation
previous_version: "1.22"
previous_version: "1.23"
# The year to display in copyright notices
copyright_year: 2024
@ -25,7 +25,7 @@ archive_date: YYYY-MM-DD
archive_search_refinement: "V1.1"
# GitHub branch names used when the docs have links to GitHub
source_branch_name: release-1.23
source_branch_name: master
doc_branch_name: master
####### Static values

View File

@ -1,5 +1,7 @@
# yaml-language-server: $schema=features_schema.json
features:
- name: "Protocols:HTTP1.1/HTTP2/gRPC/TCP"
- name: "Protocols: HTTP1.1/HTTP2/gRPC/TCP"
id: "traffic.http_protocols"
link: "/docs/ops/configuration/traffic-management/protocol-selection/"
level:
@ -7,7 +9,7 @@ features:
maturity: Stable
nextExpectedPromotion: ""
area: Traffic Management
- name: "Protocols:Websockets/MongoDB"
- name: "Protocols: Websockets/MongoDB"
id: "traffic.websocket_protocols"
level:
checklist: ""
@ -36,7 +38,7 @@ features:
nextExpectedPromotion: ""
area: Traffic Management
- name: "Gateway Injection"
id: :"traffic.gateway_injection"
id: "traffic.gateway_injection"
level:
checklist: features/gateway_injection.md
maturity: Beta
@ -76,7 +78,7 @@ features:
link: "/docs/reference/config/networking/sidecar/"
level:
checklist: ""
maturity: Beta
maturity: Stable
nextExpectedPromotion: ""
area: Traffic Management
- name: "DNS Proxying"
@ -96,23 +98,23 @@ features:
area: Traffic Management
id: "traffic.k8s_gateway_apis"
- name: "Kubernetes Gateway APIs for mesh (`Service` `parentRef`) "
id: "traffic.k8s_gateway_apis_+mesh"
link: "/docs/tasks/traffic-management/"
level:
checklist: features/k8s-gateway-apis.md
maturity: Beta
maturity: Stable
nextExpectedPromotion: ""
area: Traffic Management
id: "traffic.k8s_gateway_apis_+mesh"
- name: "Gateway Network Topology Configuration"
link: "/docs/ops/configuration/traffic-management/network-topologies/"
- name: "Gateway Network Topology configuration"
id: "traffic.gateway_topology"
link: "/docs/ops/configuration/traffic-management/network-topologies/"
level:
checklist: features/configuring_gateway_network_topology.md
maturity: Alpha
nextExpectedPromotion: ""
area: Traffic Management
- name: "Kubernetes Multi-Cluster Service (MCS) Discovery"
id: :"traffic.kubernetes_mcs"
id: "traffic.kubernetes_mcs"
level:
checklist: features/kubernetes_mcs.md
maturity: Experimental
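Review bot: in the "Kubernetes Gateway APIs for mesh" entry the `id` line is moved up but keeps the value `traffic.k8s_gateway_apis_+mesh`, and the `name` still ends with a trailing space before the closing quote. This hunk already repairs `id: :"traffic.kubernetes_mcs"`, and every other id visible in the file uses only letters, dots and underscores. If the `+` is not intentional, fix it in the same pass and check whatever consumes these ids.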
@ -235,7 +237,7 @@ features:
link: "/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls"
level:
checklist: features/auto_mtls.md
maturity: Beta
maturity: Stable
nextExpectedPromotion: ""
area: Security and policy enforcement
- name: "VM: Service Credential Distribution"
@ -280,10 +282,10 @@ features:
area: Security and policy enforcement
- name: "In-Cluster Operator"
id: "core.in_cluster_operator"
link: "/docs/setup/install/operator/"
link: ""
level:
checklist: ""
maturity: Beta
maturity: Deprecated
nextExpectedPromotion: ""
area: Core
- name: "Kubernetes: Envoy Installation and Traffic Interception"
@ -346,10 +348,17 @@ features:
level:
checklist: features/ipv6-support.md
maturity: Alpha
maturityNotes: Dual stack is experimental still.
nextExpectedPromotion: ""
area: Core
- name: "Distroless Base Images for Istio"
- name: "Dual Stack IPv4/IPv6"
id: "core.dual_stack"
level:
checklist: features/dual-stack-support.md
maturity: Alpha
link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/"
nextExpectedPromotion: ""
area: Core
- name: "Distroless base images"
id: "core.distroless"
link: "/docs/ops/configuration/security/harden-docker-images/"
level:
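Review bot: the "Dual Stack IPv4/IPv6" entry uses an absolute `link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/"`, and the key sits after `maturity` rather than before `level:` as in the neighbouring entries such as `core.distroless`. Switch it to the site-relative form the other entries use (`/docs/...`) so it stays within the versioned docs, and confirm the key is a sibling of `level` rather than nested under it, since this commit also adds a schema reference at the top of the file.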
@ -365,7 +374,7 @@ features:
maturity: Beta
nextExpectedPromotion: ""
area: Core
- name: "Helm Based Installation"
- name: "Helm Installation"
id: "core.helm_installation"
link: "/docs/setup/install/helm/"
level:
@ -397,57 +406,58 @@ features:
checklist: features/telemetry_api.md
maturity: Stable
nextExpectedPromotion: ""
- name: "Dual Stack Support in Istio"
id: "core.dual_stack"
level:
checklist: features/dual-stack-support.md
maturity: Experimental
maturityNotes: Dual Stack IPv4 and IPv6 is supported.
link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/"
nextExpectedPromotion: ""
area: Core
# Ambient
- name: "Ztunnel Core"
id: "ambient.ztunnel"
level:
checklist: features/ambient.md
maturity: Beta
area: Ambient
- name: "Waypoints Core"
id: "ambient.waypoints"
level:
checklist: features/ambient.md
maturity: Beta
area: Ambient
- name: "Authorization Policies"
id: "ambient.authz"
level:
checklist: features/ambient.md
maturity: Beta
area: Ambient
- name: "Gateway API (HTTPRoute)"
id: "ambient.httproute"
level:
checklist: features/ambient.md
maturity: Beta
area: Ambient
- name: "Sidecar Interop"
id: "ambient.sidecar_interoperability"
level:
checklist: features/ambient.md
maturity: Alpha
area: Ambient
- name: "DNS Proxying"
id: "ambient.dns_proxying"
level:
checklist: features/ambient.md
maturity: Alpha
area: Ambient
- name: "Multi-cluster"
id: "ambient.multi_cluster"
level:
checklist: features/ambient.md
maturity: Alpha
area: Ambient
- name: "Multi-network"
id: "ambient.multi_network"
level:
checklist: features/ambient.md
maturity: Experimental
area: Ambient
- name: "Dual Stack, IPv6"
id: "ambient.dual_stack"
level:
checklist: features/ambient.md
maturity: Experimental

167
go.mod
View File

@ -2,58 +2,54 @@ module istio.io/istio.io
go 1.22.0
toolchain go1.22.2
// https://github.com/containerd/containerd/issues/5781
exclude k8s.io/kubernetes v1.13.0
// Client-go does not handle different versions of mergo due to some breaking changes - use the matching version
replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
require (
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
golang.org/x/sync v0.7.0
istio.io/istio v0.0.0-20240816101947-32ddc4cd05db
k8s.io/apimachinery v0.30.1
k8s.io/client-go v0.30.1
golang.org/x/sync v0.8.0
istio.io/istio v0.0.0-20240910151233-1d28c23a2a5c
k8s.io/apimachinery v0.31.0
k8s.io/client-go v0.31.0
)
require (
cel.dev/expr v0.15.0 // indirect
cloud.google.com/go/compute/metadata v0.3.0 // indirect
cloud.google.com/go/compute/metadata v0.5.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/BurntSushi/toml v1.3.2 // indirect
github.com/MakeNowJust/heredoc v1.0.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.1 // indirect
github.com/Masterminds/sprig/v3 v3.2.3 // indirect
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/Masterminds/sprig/v3 v3.3.0 // indirect
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cheggaaa/pb/v3 v3.1.5 // indirect
github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
github.com/cncf/xds/go v0.0.0-20240830210341-88aa3b3c978a // indirect
github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
github.com/docker/cli v26.1.4+incompatible // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
github.com/docker/cli v27.2.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v26.1.5+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.1 // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/emicklei/go-restful/v3 v3.12.0 // indirect
github.com/envoyproxy/go-control-plane v0.12.1-0.20240719165848-f888b4f71207 // indirect
github.com/envoyproxy/go-control-plane v0.13.1-0.20240823165802-4363a624d376 // indirect
github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/fatih/camelcase v1.0.0 // indirect
github.com/fatih/color v1.17.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-errors/errors v1.5.1 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/go-logr/logr v1.4.2 // indirect
@ -63,43 +59,40 @@ require (
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-json v0.10.2 // indirect
github.com/goccy/go-json v0.10.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/cel-go v0.17.8 // indirect
github.com/google/cel-go v0.21.0 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-containerregistry v0.19.1 // indirect
github.com/google/go-containerregistry v0.20.2 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/gorilla/websocket v1.5.1 // indirect
github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd // indirect
github.com/gorilla/websocket v1.5.3 // indirect
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-version v1.7.0 // indirect
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/huandu/xstrings v1.4.0 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/imdario/mergo v1.0.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.17.8 // indirect
github.com/kr/pretty v0.3.1 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
github.com/lestrrat-go/blackmagic v1.0.2 // indirect
github.com/lestrrat-go/httpcc v1.0.1 // indirect
github.com/lestrrat-go/iter v1.0.2 // indirect
github.com/lestrrat-go/jwx v1.2.29 // indirect
github.com/lestrrat-go/jwx v1.2.30 // indirect
github.com/lestrrat-go/option v1.0.1 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/magiconair/properties v1.8.7 // indirect
@ -107,110 +100,110 @@ require (
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/miekg/dns v1.1.59 // indirect
github.com/miekg/dns v1.1.62 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/spdystream v0.2.0 // indirect
github.com/moby/spdystream v0.4.0 // indirect
github.com/moby/term v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/onsi/ginkgo/v2 v2.17.3 // indirect
github.com/onsi/ginkgo/v2 v2.20.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/openshift/api v0.0.0-20240530053948-b01900f1982a // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/openshift/api v0.0.0-20240905170329-a89b7ea1758a // indirect
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pires/go-proxyproto v0.7.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240409071808-615f978279ca // indirect
github.com/prometheus/client_golang v1.20.3 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.54.0 // indirect
github.com/prometheus/common v0.59.1 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/prometheus/prometheus v0.52.1 // indirect
github.com/prometheus/prometheus v0.54.1 // indirect
github.com/quic-go/qpack v0.4.0 // indirect
github.com/quic-go/quic-go v0.44.0 // indirect
github.com/quic-go/quic-go v0.46.0 // indirect
github.com/rivo/uniseg v0.4.6 // indirect
github.com/rogpeppe/go-internal v1.12.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/cast v1.6.0 // indirect
github.com/spf13/cobra v1.8.0 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/spf13/cobra v1.8.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.19.0 // indirect
github.com/stoewer/go-strcase v1.3.0 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
github.com/yl2chen/cidranger v1.0.2 // indirect
go.opentelemetry.io/otel v1.27.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.49.0 // indirect
go.opentelemetry.io/otel/metric v1.27.0 // indirect
go.opentelemetry.io/otel/sdk v1.27.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.27.0 // indirect
go.opentelemetry.io/otel/trace v1.27.0 // indirect
go.opentelemetry.io/proto/otlp v1.2.0 // indirect
go.opentelemetry.io/otel v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.51.0 // indirect
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/sdk v1.29.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/mock v0.4.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.24.0 // indirect
golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
golang.org/x/mod v0.18.0 // indirect
golang.org/x/net v0.26.0 // indirect
golang.org/x/oauth2 v0.21.0 // indirect
golang.org/x/sys v0.21.0 // indirect
golang.org/x/term v0.21.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.22.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.28.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/term v0.23.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/time v0.6.0 // indirect
golang.org/x/tools v0.24.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
google.golang.org/grpc v1.65.0 // indirect
google.golang.org/protobuf v1.34.1 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
helm.sh/helm/v3 v3.15.1 // indirect
istio.io/api v1.23.0-rc.0.0.20240808171852-2bb3b8eba0c2 // indirect
istio.io/client-go v1.23.0-rc.0.0.20240808172151-69d119325620 // indirect
k8s.io/api v0.30.1 // indirect
k8s.io/apiextensions-apiserver v0.30.1 // indirect
k8s.io/apiserver v0.30.1 // indirect
k8s.io/cli-runtime v0.30.1 // indirect
k8s.io/component-base v0.30.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
helm.sh/helm/v3 v3.15.4 // indirect
istio.io/api v1.23.0-alpha.0.0.20240906053728-3111847c7e3b // indirect
istio.io/client-go v1.23.0-alpha.0.0.20240906054328-d710c036ec63 // indirect
k8s.io/api v0.31.0 // indirect
k8s.io/apiextensions-apiserver v0.31.0 // indirect
k8s.io/apiserver v0.31.0 // indirect
k8s.io/cli-runtime v0.31.0 // indirect
k8s.io/component-base v0.31.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
k8s.io/kubectl v0.30.1 // indirect
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
sigs.k8s.io/controller-runtime v0.18.3 // indirect
k8s.io/kubectl v0.31.0 // indirect
k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3 // indirect
sigs.k8s.io/controller-runtime v0.19.0 // indirect
sigs.k8s.io/gateway-api v1.1.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
sigs.k8s.io/mcs-api v0.1.0 // indirect
sigs.k8s.io/kustomize/api v0.17.2 // indirect
sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
sigs.k8s.io/mcs-api v0.1.1-0.20240624222831-d7001fe1d21c // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
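Review bot: in the istio.io/api and istio.io/client-go pairs the pseudo-version base goes from v1.23.0-rc.0 to v1.23.0-alpha.0, and under semver pre-release ordering alpha.0 sorts below rc.0 even though the embedded commit timestamp is newer (20240906 against 20240808). Go's minimal version selection compares versions, not dates, so if any other requirement in the module graph still asks for the rc.0 pseudo-version, the build stays on the older commit without any error. Please confirm with `go list -m istio.io/api istio.io/client-go` that the resolved versions are the 20240906 ones. The go.sum diff is suppressed on this page, so the checksum changes that go with the k8s.io v0.31.0 and golang.org/x bumps cannot be reviewed from here; a CI step that fails when `go mod tidy` changes go.mod or go.sum would cover that.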

748
go.sum

File diff suppressed because it is too large

View File

@ -45,7 +45,6 @@ COMPONENTS=(
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@istioctl/cmd/istioctl@istioctl
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-agent@pilot-agent
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-discovery@pilot-discovery
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@operator/cmd/operator@operator
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@cni/cmd/install-cni@install-cni
)
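Review bot: missing documentation where the operator/cmd/operator@operator entry is dropped from COMPONENTS. After this change nothing regenerates the operator reference page, while the later hunk in this file deliberately keeps the existing istio.operator.v1alpha1 HTML from being deleted, so that page becomes a frozen, hand-kept artifact. A short comment above COMPONENTS saying that the operator reference is no longer generated and is preserved as-is would stop a later cleanup from removing it or someone from expecting it to track the source branch.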
@ -191,7 +190,7 @@ handle_config_analysis_messages() {
}
# delete all the existing generated files so that any stale files are removed
find "${ROOTDIR}/content/en/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null
find "${ROOTDIR}/content/en/docs/reference" -name '*.html' -type f -print0 | grep -v istio.operator.v1alpha1 | xargs -0 rm 2>/dev/null
find "${ROOTDIR}/content/zh/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null
# Prepare the work directory
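Review bot: the new `grep -v istio.operator.v1alpha1` stage sits between `find ... -print0` and `xargs -0`, but grep without `-z` is line-oriented and the NUL-delimited stream contains no newlines, so the whole file list is one record. As soon as one path matches (which is the case this filter exists for), `-v` drops every path and no stale file under content/en/docs/reference is deleted; the `2>/dev/null` on rm then hides the failure. The unescaped dots in the pattern also match any character. Filtering inside find avoids the pipeline problem entirely, for example `find "${ROOTDIR}/content/en/docs/reference" -name '*.html' -type f ! -path '*istio.operator.v1alpha1*' -print0 | xargs -0 rm`; if grep is kept it needs `-z` and `-F`. The content/zh line is left unfiltered, so it is worth stating whether the translated operator page is meant to be removed.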