istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

zh-translation: sync for some updated p0 doc (#6207) 

* zh-translation: sync for some updated p0 doc

* zh-translation: sync for some updated p2 doc

* fix
This commit is contained in:
ilylia 2019-12-25 20:49:19 +08:00 committed by Istio Automation
parent ab7fb70bad
commit a405485d22
21 changed files with 823 additions and 235 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
content/zh/boilerplates/verify-crds.md
View File

@ -1,3 +1,5 @@
---
---
等待所有的 Istio CRD 创建完成:
{{< text bash >}}

4
content/zh/docs/examples/bookinfo/index.md
View File

@ -159,6 +159,10 @@ $ curl -s http://${GATEWAY_URL}/productpage | grep -o "<title>.*</title>"
* 如果**没有**启用双向 TLS请执行以下命令
{{< tip >}}
如果您是 Istio 的新手,并且使用了 `demo` [配置文件](/zh/docs/setup/additional-setup/config-profiles/),请选择此步。
{{< /tip >}}
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/networking/destination-rule-all.yaml@
{{< /text >}}

2
content/zh/docs/examples/microservices-istio/_index.md
View File

@ -1,7 +1,7 @@
---
title: 使用 Kubernetes 和 Istio 学习微服务
description: 该模块化教程为新用户提供了一步步将 Istio 应用于常见微服务场景的动手经验。
weight: 40
weight: 100
icon: classroom
simple_list: true
content_above: true

17
content/zh/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md
View File

@ -33,7 +33,7 @@ weight: 2
如果您是一位讲师,可以为每个参与者分配独立的命名空间。本教程支持多个参与者在不同的命名空间下同时运行。
{{< /tip >}}
1. 安装 Istio 且启用双向 TLS。 TODO: 为讲师准备命令或要点
1. [安装 Istio](/zh/docs/setup/) 并启用严格双向 TLS
1. [启用 Envoy 访问日志](/zh/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)。
@ -197,6 +197,21 @@ weight: 2
EOF
{{< /text >}}
1. 为 `${NAMESPACE}-user-config.yaml` 配置文件设置环境变量 `KUBECONFIG`
{{< text bash >}}
$ export KUBECONFIG=./${NAMESPACE}-user-config.yaml
{{< /text >}}
1. 打印当前命名空间以确认配置文件已生效:
{{< text bash >}}
$ kubectl config view -o jsonpath="{.contexts[?(@.name==\"$(kubectl config current-context)\")].context.namespace}"
tutorial
{{< /text >}}
在输出中可以看到命名空间的名字。
1. 如果您为自己设置好了集群,复制前面步骤中提到的 `${NAMESPACE}-user-config.yaml` 文件到您的本地机器,`${NAMESPACE}` 就是前面步骤中的命名空间。比如,`tutorial-user-config.yaml`。
教程中您将会再次用到这个文件。

12
content/zh/docs/examples/microservices-istio/setup-local-computer/index.md
View File

@ -8,7 +8,13 @@ weight: 3
在本模块中,您将为教程准备本地计算机
1. 开始之前,在本地计算机上,创建你的 namespace`${NAMESPACE}`,然后创建文件:`${NAMESPACE}-user-config.yaml``${NAMESPACE}` 是你之前创建的 namespace。例如 `tutorial-user-config.yaml`
1. 在本地计算机上,创建一个环境变量保存命名空间的名字,它将用于教程的命令中。您可以使用任意名字,如 `tutorial`
{{< text bash >}}
$ export NAMESPACE=tutorial
{{< /text >}}
1. 在本地计算机上,找到之前在教程中创建的 `${NAMESPACE}-user-config.yaml` 文件,`${NAMESPACE}` 是命名空间的名字。例如 `tutorial-user-config.yaml`
1. 安装 [`curl`](https://curl.haxx.se/download.html)。
@ -18,13 +24,13 @@ weight: 3
1. 安装 [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/)。
1. 设置环境变量 `KUBECONFIG` 配置文件 `${NAMESPACE}-user-config.yaml`
1. 为配置文件 `${NAMESPACE}-user-config.yaml` 设置环境变量 `KUBECONFIG`
{{< text bash >}}
$ export KUBECONFIG=./${NAMESPACE}-user-config.yaml
{{< /text >}}
1. 通过打印当前命名空间来验证配置是否生效:
1. 通过打印当前命名空间来验证配置是否生效
{{< text bash >}}
$ kubectl config view -o jsonpath="{.contexts[?(@.name==\"$(kubectl config current-context)\")].context.namespace}"

8
content/zh/docs/ops/common-problems/validation/index.md
View File

@ -15,7 +15,7 @@ aliases:
## 接受无效配置 {#invalid-configuration-is-accepted}
验证 `istio-galley`和`validationwebhookconfiguration` 配置是否存在并且是正确的。 无效的 `apiVersion``apiGroup``resource` 配置应该在两个 `webhook` 其中之一被列举出来。
验证 `istio-galley validationwebhookconfiguration` 配置是否存在并且是正确的。 无效的 `apiVersion`、`apiGroup` `resource` 配置应该在两个 `webhook` 其中之一被列举出来。
{{< text bash yaml >}}
$ kubectl get validatingwebhookconfiguration istio-galley -o yaml
@ -143,7 +143,7 @@ webhooks:
{{< /text >}}
如果 `validatingwebhookconfiguration` 不存在,那就验证
`istio-galley-configuration` `configmap` 是否存在。`istio-galley` 使用 configmap 的数据来创建或更新 `validatingwebhookconfiguration`
`istio-galley-configuration configmap` 是否存在。`istio-galley` 使用 configmap 的数据来创建或更新 `validatingwebhookconfiguration`
{{< text bash yaml >}}
$ kubectl -n istio-system get configmap istio-galley-configuration -o jsonpath='{.data}'
@ -176,7 +176,7 @@ webhooks:
## 创建配置失败报错: x509 certificate errors {#x509-certificate-errors}
`x509: certificate signed by unknown authority` 错误通常和 webhook 配置中的空 `caBundle` 有关,所以要确认它不为空 (请查阅 [验证 webhook 配置](#invalid-configuration-is-accepted))。在部署 `istio-galley` 的时候要有意识地调整 webhook 配置,使用 `istio-galley-configuration` `configmap` 和安装自 `istio-system` 命名空间私有 `istio.istio-galley-service-account` 的根证书。
`x509: certificate signed by unknown authority` 错误通常和 webhook 配置中的空 `caBundle` 有关,所以要确认它不为空 (请查阅 [验证 webhook 配置](#invalid-configuration-is-accepted))。在部署 `istio-galley` 的时候要有意识地调整 webhook 配置,使用 `istio-galley-configuration configmap` 和安装自 `istio-system` 命名空间私有 `istio.istio-galley-service-account` 的根证书。
1. 验证 `istio-galley` pod 是否在运行:
@ -238,7 +238,7 @@ webhooks:
- get
{{< /text >}}
`istio-galley` 需要 `validatingwebhookconfigurations` 的权限来创建和更新 `istio-galley` `validatingwebhookconfiguration` 配置项。
`istio-galley` 需要 `validatingwebhookconfigurations` 的权限来创建和更新 `istio-galley validatingwebhookconfiguration` 配置项。
## 创建配置报错:`no such hosts` 、 `no endpoints available` {#creating-configuration-fail}

9
content/zh/docs/reference/commands/galley/index.html
View File

@ -161,7 +161,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--accessListFile &lt;string&gt;</code></td>
<td></td>
<td>The access list yaml file that contains the allowd mTLS peer ids. (default `/etc/config/accesslist.yaml`)</td>
<td>The access list yaml file that contains the allowed mTLS peer ids. (default `/etc/config/accesslist.yaml`)</td>
</tr>
<tr>
<td><code>--caCertFile &lt;string&gt;</code></td>
@ -391,7 +391,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--validation-port &lt;uint&gt;</code></td>
<td></td>
<td>HTTPS port of the validation service. Must be 443 if service has more than one port (default `443`)</td>
<td>HTTPS port of the validation service. (default `9443`)</td>
</tr>
<tr>
<td><code>--validation-webhook-config-file &lt;string&gt;</code></td>
@ -414,6 +414,11 @@ remove_toc_prefix: 'galley '
<td>File containing the x509 private key matching --validation.tls.clientCertificate. (default ``)</td>
</tr>
<tr>
<td><code>--watchConfigFiles</code></td>
<td></td>
<td>Enable the Fsnotify for watching config source files on the disk and implicit signaling on a config change. Explicit signaling will still be enabled </td>
</tr>
<tr>
<td><code>--webhook-name &lt;string&gt;</code></td>
<td></td>
<td>Name of the k8s validatingwebhookconfiguration (default `istio-galley`)</td>

573
content/zh/docs/reference/commands/istioctl/index.html
View File

File diff suppressed because it is too large Load Diff

6
content/zh/docs/reference/commands/operator/index.html
View File

@ -65,11 +65,11 @@ remove_toc_prefix: 'operator '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, name, patch, tpath, translator, util, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, patch, tpath, translator, util, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, name, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -89,7 +89,7 @@ remove_toc_prefix: 'operator '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, name, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>

150
content/zh/docs/reference/commands/pilot-agent/index.html
View File

@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -68,10 +68,6 @@ remove_toc_prefix: 'pilot-agent '
</thead>
<tbody>
<tr>
<td><code>--applicationPorts &lt;stringSlice&gt;</code></td>
<td>Ports exposed by the application. Used to determine that Envoy is configured and ready to receive traffic. (default `[]`)</td>
</tr>
<tr>
<td><code>--binaryPath &lt;string&gt;</code></td>
<td>Path to the proxy binary (default `/usr/local/bin/envoy`)</td>
</tr>
@ -161,11 +157,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -185,7 +181,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -196,6 +192,10 @@ remove_toc_prefix: 'pilot-agent '
<td>The identity used as the suffix for mixer&#39;s spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot (default ``)</td>
</tr>
<tr>
<td><code>--outlierLogPath &lt;string&gt;</code></td>
<td>The log path for outlier detection (default ``)</td>
</tr>
<tr>
<td><code>--parentShutdownDuration &lt;duration&gt;</code></td>
<td>The time in seconds that Envoy will wait before shutting down the parent process during a hot restart (default `1m0s`)</td>
</tr>
@ -221,7 +221,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--serviceregistry &lt;string&gt;</code></td>
<td>Select the platform for service registry, options are {Kubernetes, Consul, Mock} (default `Kubernetes`)</td>
<td>Select the platform for service registry, options are {Kubernetes, Consul, MCP, Mock} (default `Kubernetes`)</td>
</tr>
<tr>
<td><code>--statsdUdpAddress &lt;string&gt;</code></td>
@ -263,11 +263,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -287,7 +287,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -316,12 +316,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -346,7 +346,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -378,12 +378,60 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
</thead>
<tbody>
<tr>
<td><code>CA_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>CA_PROVIDER</code></td>
<td>String</td>
<td><code>Citadel</code></td>
<td></td>
</tr>
<tr>
<td><code>ENABLE_INGRESS_GATEWAY_SDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>GKE_CLUSTER_URL</code></td>
<td>String</td>
<td><code></code></td>
<td>The url of GKE cluster</td>
</tr>
<tr>
<td><code>INGRESS_GATEWAY_FALLBACK_SECRET</code></td>
<td>String</td>
<td><code>gateway-fallback</code></td>
<td></td>
</tr>
<tr>
<td><code>INGRESS_GATEWAY_NAMESPACE</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>INITIAL_BACKOFF_MSEC</code></td>
<td>Integer</td>
<td><code>10</code></td>
<td></td>
</tr>
<tr>
<td><code>INSTANCE_IP</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_AUTO_MTLS_ENABLED</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -456,6 +504,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
<td>namespace that nodeagent/citadel run in</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -504,6 +558,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CRD_VALIDATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -530,7 +590,7 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
@ -618,6 +678,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PLUGINS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>POD_NAME</code></td>
<td>String</td>
<td><code></code></td>
@ -642,6 +708,30 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>SDS address</td>
</tr>
<tr>
<td><code>SECRET_GRACE_DURATION</code></td>
<td>Time Duration</td>
<td><code>1h0m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>SECRET_JOB_RUN_INTERVAL</code></td>
<td>Time Duration</td>
<td><code>10m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>SECRET_TTL</code></td>
<td>Time Duration</td>
<td><code>24h0m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>SECRET_WATCHER_RESYNC_PERIOD</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>STACKDRIVER_TRACING_DEBUG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -672,12 +762,24 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Sets the max number of message events for stackdriver</td>
</tr>
<tr>
<td><code>STALED_CONNECTION_RECYCLE_RUN_INTERVAL</code></td>
<td>Time Duration</td>
<td><code>5m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>TRUST_DOMAIN</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -693,15 +795,16 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>num_failed_outgoing_requests</code></td><td><code>Sum</code></td><td>Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.)</td></tr>
<tr><td><code>num_outgoing_requests</code></td><td><code>Sum</code></td><td>Number of total outgoing requests (e.g. to a token exchange server, CA, etc.)</td></tr>
<tr><td><code>num_outgoing_retries</code></td><td><code>Sum</code></td><td>Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.)</td></tr>
<tr><td><code>outgoing_latency</code></td><td><code>Sum</code></td><td>The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_https</code></td><td><code>LastValue</code></td><td>Number of conflicting HTTP listeners with well known HTTPS ports</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_discovery_calls</code></td><td><code>Sum</code></td><td>Individual method calls in Pilot</td></tr>
<tr><td><code>pilot_discovery_errors</code></td><td><code>Sum</code></td><td>Errors encountered during a given method call within Pilot</td></tr>
<tr><td><code>pilot_discovery_resources</code></td><td><code>Distribution</code></td><td>Returned resource counts per method by Pilot</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
@ -711,5 +814,10 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>total_active_connections</code></td><td><code>Sum</code></td><td>The total number of active SDS connections.</td></tr>
<tr><td><code>total_push_errors</code></td><td><code>Sum</code></td><td>The total number of failed SDS pushes.</td></tr>
<tr><td><code>total_pushes</code></td><td><code>Sum</code></td><td>The total number of SDS pushes.</td></tr>
<tr><td><code>total_secret_update_failures</code></td><td><code>Sum</code></td><td>The total number of dynamic secret update failures reported by proxy.</td></tr>
<tr><td><code>total_stale_connections</code></td><td><code>Sum</code></td><td>The total number of stale SDS connections.</td></tr>
</tbody>
</table>

206
content/zh/docs/reference/commands/pilot-discovery/index.html
View File

@ -43,11 +43,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -67,7 +67,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -104,11 +104,6 @@ remove_toc_prefix: 'pilot-discovery '
<td>Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``)</td>
</tr>
<tr>
<td><code>--consulserverInterval &lt;duration&gt;</code></td>
<td></td>
<td>Interval (in seconds) for polling the Consul service registry (default `2s`)</td>
</tr>
<tr>
<td><code>--consulserverURL &lt;string&gt;</code></td>
<td></td>
<td>URL for the Consul server (default ``)</td>
@ -129,11 +124,6 @@ remove_toc_prefix: 'pilot-discovery '
<td>Disable discovery service from verifying the existence of CRDs at startup and then installing if not detected. It is recommended to be disable for highly available setups. </td>
</tr>
<tr>
<td><code>--discoveryCache</code></td>
<td></td>
<td>Enable caching discovery service responses </td>
</tr>
<tr>
<td><code>--domain &lt;string&gt;</code></td>
<td></td>
<td>DNS domain suffix (default `cluster.local`)</td>
@ -176,12 +166,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -206,7 +196,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -318,11 +308,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -342,7 +332,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -396,12 +386,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -426,7 +416,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -458,18 +448,90 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
</thead>
<tbody>
<tr>
<td><code>AUDIENCE</code></td>
<td>String</td>
<td><code></code></td>
<td>Expected audience in the tokens. </td>
</tr>
<tr>
<td><code>AUTHZ_FAILURE_LOG_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>1</code></td>
<td></td>
</tr>
<tr>
<td><code>AUTHZ_FAILURE_LOG_FREQ</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>BYPASS_OOP_MTLS_SAN_VERIFICATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Whether or not to validate SANs for out-of-process adapters auth.</td>
</tr>
<tr>
<td><code>CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.</td>
</tr>
<tr>
<td><code>CITADEL_SELF_SIGNED_CA_CERT_TTL</code></td>
<td>Time Duration</td>
<td><code>87600h0m0s</code></td>
<td>The TTL of self-signed CA root certificate.</td>
</tr>
<tr>
<td><code>CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL</code></td>
<td>Time Duration</td>
<td><code>1h0m0s</code></td>
<td>The interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.</td>
</tr>
<tr>
<td><code>CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE</code></td>
<td>Integer</td>
<td><code>20</code></td>
<td>Grace period percentile for self-signed root cert.</td>
</tr>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>ISTIO_LANG</code></td>
<td>String</td>
<td><code></code></td>
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>K8S_INGRESS_NS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>KUBERNETES_SERVICE_HOST</code></td>
<td>String</td>
<td><code></code></td>
<td>Kuberenetes service host, set automatically when running in-cluster</td>
</tr>
<tr>
<td><code>MAX_WORKLOAD_CERT_TTL</code></td>
<td>Time Duration</td>
<td><code>2160h0m0s</code></td>
<td>The max TTL of issued workload certificates.</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -518,6 +580,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CRD_VALIDATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -544,7 +612,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
@ -644,17 +712,41 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>ROOT_CA_DIR</code></td>
<td>String</td>
<td><code>./etc/cacerts</code></td>
<td>Location of a local or mounted CA root</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>TOKEN_ISSUER</code></td>
<td>String</td>
<td><code></code></td>
<td>OIDC token issuer. If set, will be used to check the tokens.</td>
</tr>
<tr>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>WEBHOOK</code></td>
<td>String</td>
<td><code></code></td>
<td>Name of webhook config to patch, if istioctl is not used.</td>
</tr>
<tr>
<td><code>WORKLOAD_CERT_TTL</code></td>
<td>Time Duration</td>
<td><code>2160h0m0s</code></td>
<td>The TTL of issued workload certificates.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
@ -668,7 +760,37 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>citadel_secret_controller_secret_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates recreated due to secret deletion (service account still exists).</td></tr>
<tr><td><code>citadel_secret_controller_svc_acc_created_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates created due to service account creation.</td></tr>
<tr><td><code>citadel_secret_controller_svc_acc_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates deleted due to service account deletion.</td></tr>
<tr><td><code>citadel_server_authentication_failure_count</code></td><td><code>Sum</code></td><td>The number of authentication failures.</td></tr>
<tr><td><code>citadel_server_csr_count</code></td><td><code>Sum</code></td><td>The number of CSRs received by Citadel server.</td></tr>
<tr><td><code>citadel_server_csr_parsing_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when parsing the CSR.</td></tr>
<tr><td><code>citadel_server_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_server_id_extraction_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when extracting the ID from CSR.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.</td></tr>
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>galley_runtime_processor_event_span_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration between each incoming event</td></tr>
<tr><td><code>galley_runtime_processor_events_processed_total</code></td><td><code>Count</code></td><td>The number of events that have been processed</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_events_total</code></td><td><code>Distribution</code></td><td>The number of events per snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_lifetime_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration of each snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshots_published_total</code></td><td><code>Count</code></td><td>The number of snapshots that have been published</td></tr>
<tr><td><code>galley_runtime_state_type_instances_total</code></td><td><code>LastValue</code></td><td>The number of type instances per type URL</td></tr>
<tr><td><code>galley_runtime_strategy_on_change_total</code></td><td><code>Count</code></td><td>The number of times the strategy's onChange has been called</td></tr>
<tr><td><code>galley_runtime_strategy_timer_max_time_reached_total</code></td><td><code>Count</code></td><td>The number of times the max time has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_quiesce_reached_total</code></td><td><code>Count</code></td><td>The number of times a quiesce has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_resets_total</code></td><td><code>Count</code></td><td>The number of times the timer has been reset</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_failure_total</code></td><td><code>Count</code></td><td>The number of times a dynamnic kubernetes source failed converting a resources</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_success_total</code></td><td><code>Count</code></td><td>The number of times a dynamic kubernetes source successfully converted a resource</td></tr>
<tr><td><code>galley_source_kube_event_error_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source encountered errored while handling an event</td></tr>
<tr><td><code>galley_source_kube_event_success_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source successfully handled an event</td></tr>
<tr><td><code>galley_validation_cert_key_update_errors</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates errors</td></tr>
<tr><td><code>galley_validation_cert_key_updates</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates</td></tr>
<tr><td><code>galley_validation_config_load</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)loads</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Count</code></td><td>k8s webhook configuration update error</td></tr>
<tr><td><code>galley_validation_config_updates</code></td><td><code>Count</code></td><td>k8s webhook configuration updates</td></tr>
<tr><td><code>galley_validation_failed</code></td><td><code>Count</code></td><td>Resource validation failed</td></tr>
<tr><td><code>galley_validation_http_error</code></td><td><code>Count</code></td><td>Resource validation http serve errors</td></tr>
<tr><td><code>galley_validation_passed</code></td><td><code>Count</code></td><td>Resource is valid</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>istio_mcp_clients_total</code></td><td><code>LastValue</code></td><td>The number of streams currently connected.</td></tr>
<tr><td><code>istio_mcp_message_sizes_bytes</code></td><td><code>Distribution</code></td><td>Size of messages received from clients.</td></tr>
@ -677,15 +799,37 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>istio_mcp_request_acks_total</code></td><td><code>Sum</code></td><td>The number of request acks received by the source.</td></tr>
<tr><td><code>istio_mcp_request_nacks_total</code></td><td><code>Sum</code></td><td>The number of request nacks received by the source.</td></tr>
<tr><td><code>istio_mcp_send_failures_total</code></td><td><code>Sum</code></td><td>The number of send failures in the source.</td></tr>
<tr><td><code>mixer_config_adapter_info_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the adapter info configuration.</td></tr>
<tr><td><code>mixer_config_adapter_info_configs_total</code></td><td><code>LastValue</code></td><td>The number of known adapters in the current config.</td></tr>
<tr><td><code>mixer_config_attributes_total</code></td><td><code>LastValue</code></td><td>The number of known attributes in the current config.</td></tr>
<tr><td><code>mixer_config_handler_configs_total</code></td><td><code>LastValue</code></td><td>The number of known handlers in the current config.</td></tr>
<tr><td><code>mixer_config_handler_validation_error_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered because handler validation returned error.</td></tr>
<tr><td><code>mixer_config_instance_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the instance configuration.</td></tr>
<tr><td><code>mixer_config_instance_configs_total</code></td><td><code>LastValue</code></td><td>The number of known instances in the current config.</td></tr>
<tr><td><code>mixer_config_rule_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the rule configuration.</td></tr>
<tr><td><code>mixer_config_rule_config_match_error_total</code></td><td><code>LastValue</code></td><td>The number of rule conditions that was not parseable.</td></tr>
<tr><td><code>mixer_config_rule_configs_total</code></td><td><code>LastValue</code></td><td>The number of known rules in the current config.</td></tr>
<tr><td><code>mixer_config_template_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the template configuration.</td></tr>
<tr><td><code>mixer_config_template_configs_total</code></td><td><code>LastValue</code></td><td>The number of known templates in the current config.</td></tr>
<tr><td><code>mixer_config_unsatisfied_action_handler_total</code></td><td><code>LastValue</code></td><td>The number of actions that failed due to handlers being unavailable.</td></tr>
<tr><td><code>mixer_dispatcher_destinations_per_request</code></td><td><code>Distribution</code></td><td>Number of handlers dispatched per request by Mixer</td></tr>
<tr><td><code>mixer_dispatcher_destinations_per_variety_total</code></td><td><code>LastValue</code></td><td>Number of Mixer adapter destinations by template variety type</td></tr>
<tr><td><code>mixer_dispatcher_instances_per_request</code></td><td><code>Distribution</code></td><td>Number of instances created per request by Mixer</td></tr>
<tr><td><code>mixer_handler_closed_handlers_total</code></td><td><code>LastValue</code></td><td>The number of handlers that were closed during config transition.</td></tr>
<tr><td><code>mixer_handler_daemons_total</code></td><td><code>LastValue</code></td><td>The current number of active daemon routines in a given adapter environment.</td></tr>
<tr><td><code>mixer_handler_handler_build_failures_total</code></td><td><code>LastValue</code></td><td>The number of handlers that failed creation during config transition.</td></tr>
<tr><td><code>mixer_handler_handler_close_failures_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered while closing handlers during config transition.</td></tr>
<tr><td><code>mixer_handler_new_handlers_total</code></td><td><code>LastValue</code></td><td>The number of handlers that were newly created during config transition.</td></tr>
<tr><td><code>mixer_handler_reused_handlers_total</code></td><td><code>LastValue</code></td><td>The number of handlers that were re-used during config transition.</td></tr>
<tr><td><code>mixer_handler_workers_total</code></td><td><code>LastValue</code></td><td>The current number of active worker routines in a given adapter environment.</td></tr>
<tr><td><code>mixer_runtime_dispatch_duration_seconds</code></td><td><code>Distribution</code></td><td>Duration in seconds for adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>mixer_runtime_dispatches_total</code></td><td><code>Count</code></td><td>Total number of adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_https</code></td><td><code>LastValue</code></td><td>Number of conflicting HTTP listeners with well known HTTPS ports</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_discovery_calls</code></td><td><code>Sum</code></td><td>Individual method calls in Pilot</td></tr>
<tr><td><code>pilot_discovery_errors</code></td><td><code>Sum</code></td><td>Errors encountered during a given method call within Pilot</td></tr>
<tr><td><code>pilot_discovery_resources</code></td><td><code>Distribution</code></td><td>Returned resource counts per method by Pilot</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
@ -694,6 +838,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_k8s_cfg_events</code></td><td><code>Sum</code></td><td>Events from k8s config.</td></tr>
<tr><td><code>pilot_k8s_endpoints_with_no_pods</code></td><td><code>Sum</code></td><td>Endpoints that does not have any corresponding pods.</td></tr>
<tr><td><code>pilot_k8s_object_errors</code></td><td><code>LastValue</code></td><td>Errors converting k8s CRDs</td></tr>
<tr><td><code>pilot_k8s_reg_events</code></td><td><code>Sum</code></td><td>Events from k8s registry.</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
@ -707,8 +852,9 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>pilot_xds</code></td><td><code>LastValue</code></td><td>Number of endpoints connected to this pilot using XDS.</td></tr>
<tr><td><code>pilot_xds_cds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected CSD configs.</td></tr>
<tr><td><code>pilot_xds_eds_instances</code></td><td><code>LastValue</code></td><td>Instances for each cluster, as of last push. Zero instances is an error.</td></tr>
<tr><td><code>pilot_xds_cds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected CDS configs.</td></tr>
<tr><td><code>pilot_xds_eds_all_locality_endpoints</code></td><td><code>LastValue</code></td><td>Network endpoints for each cluster(across all localities), as of last push. Zero endpoints is an error.</td></tr>
<tr><td><code>pilot_xds_eds_instances</code></td><td><code>LastValue</code></td><td>Instances for each cluster(grouped by locality), as of last push. Zero instances is an error.</td></tr>
<tr><td><code>pilot_xds_eds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected EDS.</td></tr>
<tr><td><code>pilot_xds_lds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected LDS.</td></tr>
<tr><td><code>pilot_xds_push_context_errors</code></td><td><code>Sum</code></td><td>Number of errors (timeouts) initiating push context.</td></tr>
@ -716,5 +862,9 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_xds_pushes</code></td><td><code>Sum</code></td><td>Pilot build and send errors for lds, rds, cds and eds.</td></tr>
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>sidecar_injection_failure_total</code></td><td><code>Sum</code></td><td>Total number of failed Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_requests_total</code></td><td><code>Sum</code></td><td>Total number of Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_skip_total</code></td><td><code>Sum</code></td><td>Total number of skipped injection requests.</td></tr>
<tr><td><code>sidecar_injection_success_total</code></td><td><code>Sum</code></td><td>Total number of successful Side car injection requests.</td></tr>
</tbody>
</table>

20
content/zh/docs/reference/commands/sidecar-injector/index.html
View File

@ -89,7 +89,7 @@ remove_toc_prefix: 'sidecar-injector '
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td>Webhook port (default `443`)</td>
<td>Webhook port (default `9443`)</td>
</tr>
<tr>
<td><code>--reconcileWebhookConfig</code></td>
@ -199,7 +199,7 @@ remove_toc_prefix: 'sidecar-injector '
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td>Webhook port (default `443`)</td>
<td>Webhook port (default `9443`)</td>
</tr>
<tr>
<td><code>--probe-path &lt;string&gt;</code></td>
@ -333,7 +333,7 @@ remove_toc_prefix: 'sidecar-injector '
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td></td>
<td>Webhook port (default `443`)</td>
<td>Webhook port (default `9443`)</td>
</tr>
<tr>
<td><code>--reconcileWebhookConfig</code></td>
@ -380,6 +380,12 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
</thead>
<tbody>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
@ -434,6 +440,12 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td>If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CRD_VALIDATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -460,7 +472,7 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>

2
content/zh/docs/reference/config/analysis/_index.md
View File

@ -5,4 +5,4 @@ weight: 70
layout: analysis-landing
---
[`istioctl`](/zh/docs/reference/commands/istioctl/#istioctl-experimental-analyze) 提供了对 Istio 配置状态的丰富分析,以便标识无效或次优的配置。这是此分析可能产生的错误或警告消息的列表。
[`istioctl`](/zh/docs/reference/commands/istioctl/#istioctl-analyze) 提供了对 Istio 配置状态的丰富分析,以便标识无效或次优的配置。这是此分析可能产生的错误或警告消息的列表。

2
content/zh/docs/reference/config/policy-and-telemetry/_index.md
View File

@ -1,7 +1,7 @@
---
title: 策略和遥测
description: 描述如何配置 Istio 的策略和遥测功能。
weight: 30
weight: 50
aliases:
- /zh/docs/reference/config/mixer/index.html
---

5
content/zh/docs/reference/glossary/routing-rules.md
View File

@ -1,5 +1,6 @@
---
title: Routing Rules
---
您在 [虚拟服务](#virtual-service) 中配置的路由规则,遵循服务网格定义了请求的路径。使用路由规则,您可以定义将寻址到 [虚拟服务](#virtual-service) 主机的流量路由到指定目标的工作负载。
路由规则帮您建立了复杂的 [流量路由](/zh/docs/concepts/traffic-management/#virtual-services) 场景。
您在 [虚拟服务](/zh/docs/concepts/traffic-management/#virtual-services) 中配置的路由规则,遵循服务网格定义了请求的路径。
使用路由规则,您可以定义将寻址到虚拟服务主机的流量路由到指定目标的工作负载。
路由规则使您可以控制流量,以实现如 A/B 测试、金丝雀发布以及按百分比分配流量的分阶段发布等任务。

2
content/zh/docs/setup/getting-started/index.md
View File

@ -138,7 +138,7 @@ $ kubectl create -n <namespace> -f <your-app-spec>.yaml
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
{{< /text >}}
如果您不确定要从哪开始,可以先[部署 Bookinfo 示例](/zh/docs/examples/bookinfo/#deploying-the-application),它会让您体验到 Istio 的流量路由、故障注入、速率限制等功能。
如果您不确定要从哪开始,可以先[部署 Bookinfo 示例](/zh/docs/examples/bookinfo/),它会让您体验到 Istio 的流量路由、故障注入、速率限制等功能。
然后您可以根据您的兴趣浏览各种各样的[Istio 任务](/zh/docs/tasks/)。
下列任务都是初学者开始学习的好入口:

4
content/zh/docs/setup/install/helm/index.md
View File

@ -34,6 +34,10 @@ Helm 的安装方法已被弃用。
1. 检查 [Pod 和服务的要求](/zh/docs/ops/deployment/requirements/)。
1. [安装高于 2.10 版本的 Helm 客户端](https://github.com/helm/helm#install)。
{{< warning >}}
请使用 2.x 版本的 Helm。不支持 Helm 3。
{{< /warning >}}
## 添加 Helm chart 仓库
本指南的以下命令使用了包含 Istio 发行版镜像的 Helm charts。

5
content/zh/docs/setup/install/multicluster/shared-vpn/index.md
View File

@ -64,6 +64,7 @@ $ export TELEMETRY_POD_IP=$(kubectl -n istio-system get pod -l istio-mixer-type=
$ istioctl manifest apply \
--set profile=remote \
--set values.global.controlPlaneSecurityEnabled=false \
--set values.global.createRemoteSvcEndpoints=true \
--set values.global.remotePilotCreateSvcEndpoint=true \
--set values.global.remotePilotAddress=${PILOT_POD_IP} \
--set values.global.remotePolicyAddress=${POLICY_POD_IP} \
@ -100,6 +101,7 @@ $ export TELEMETRY_POD_IP=$(kubectl -n istio-system get pod -l istio-mixer-type=
| `values.global.remoteTelemetryAddress` | 有效的 IP 地址或主机名 | None | 指定 Istio 控制平面的 telemetry Pod IP 地址或远程集群 DNS 可解析的主机名 |
| `values.sidecarInjectorWebhook.enabled` | true, false | true | 指定是否在远程集群上启用自动 sidecar 注入 |
| `values.global.remotePilotCreateSvcEndpoint` | true, false | false | 如果设置,将使用 `remotePilotAddress` IP 创建用于 `istio-pilot` 的无选择器的服务和端点,以确保 `istio-pilot.<namespace>` 在远程集群上可通过 DNS 解析。 |
| `values.global.createRemoteSvcEndpoints` | true, false | false | 如果设置,`istio-pilot`、`istio-telemetry` 和 `istio-policy` 的 selector-less 服务和端点将用相应的远程 IP`remotePilotAddress`、`remoteTelmetryAddress` 和 `remotePolicyAddress` 分别创建,这样确保在远程集群中服务名可以通过 DNS 解析。 |
## 为远程集群创建配置文件{#kubeconfig}
@ -204,6 +206,7 @@ Kubernetes secret 数据密钥必须符合 `DNS-1123 subdomain` [格式](https:/
$ istioctl manifest generate \
--set profile=remote \
--set values.global.controlPlaneSecurityEnabled=false \
--set values.global.createRemoteSvcEndpoints=true \
--set values.global.remotePilotCreateSvcEndpoint=true \
--set values.global.remotePilotAddress=${PILOT_POD_IP} \
--set values.global.remotePolicyAddress=${POLICY_POD_IP} \
@ -227,6 +230,7 @@ Kubernetes secret 数据密钥必须符合 `DNS-1123 subdomain` [格式](https:/
$ istioctl manifest apply \
--set profile=remote \
--set values.global.controlPlaneSecurityEnabled=false \
--set values.global.createRemoteSvcEndpoints=true \
--set values.global.remotePilotCreateSvcEndpoint=true \
--set values.global.remotePilotAddress=${PILOT_POD_IP} \
--set values.global.remotePolicyAddress=${POLICY_POD_IP} \
@ -409,6 +413,7 @@ Istio Pilot 用该服务和端点以让远程 sidecars 可以通过 Istio 的本
--set values.global.mtls.enabled=true \
--set values.security.selfSigned=false \
--set values.global.controlPlaneSecurityEnabled=true \
--set values.global.createRemoteSvcEndpoints=true \
--set values.global.remotePilotCreateSvcEndpoint=true \
--set values.global.remotePilotAddress=${PILOT_POD_IP} \
--set values.global.remotePolicyAddress=${POLICY_POD_IP} \

9
content/zh/docs/tasks/observability/kiali/index.md
View File

@ -33,10 +33,17 @@ aliases:
在 Istio 命名空间中创建一个 Secret作为 Kiali 的身份验证凭据。
首先,定义要用作 Kiali 用户名和密码的凭据:
首先,定义要用作 Kiali 用户名和密码的凭据。
当提示出现时输入 Kiali 用户名:
{{< text bash >}}
$ KIALI_USERNAME=$(read -p 'Kiali Username: ' uval && echo -n $uval | base64)
{{< /text >}}
当提示出现时输入 Kiali 密码:
{{< text bash >}}
$ KIALI_PASSPHRASE=$(read -sp 'Kiali Passphrase: ' pval && echo -n $pval | base64)
{{< /text >}}

9
content/zh/docs/tasks/security/authentication/mtls-migration/index.md
View File

@ -58,9 +58,10 @@ aliases:
{{< text bash >}}
$ kubectl get destinationrule --all-namespaces
NAMESPACE NAME AGE
istio-system istio-policy 25m
istio-system istio-telemetry 25m
NAMESPACE NAME HOST AGE
istio-system istio-multicluster-destinationrule *.global 35s
istio-system istio-policy istio-policy.istio-system.svc.cluster.local 35s
istio-system istio-telemetry istio-telemetry.istio-system.svc.cluster.local 33s
{{< /text >}}
## 配置客户端发送双向 TLS 请求{#configure-clients-to-send-mutual-TLS-traffic}
@ -95,7 +96,7 @@ $ for from in "foo" "bar" "legacy"; do kubectl exec $(kubectl get pod -l app=sle
也可以指定一部分客户端使用 [`DestinationRule`](/zh/docs/reference/config/networking/destination-rule/) 中设置的 `ISTIO_MUTUAL` 双向 TLS 通信模式。
检查 [Grafana to monitor](/zh/docs/tasks/observability/metrics/using-istio-dashboard/) 验证设置起效后,再扩大作用范围,最终应用到所有的 Istio 客户端服务。
## 锁定为双向 TLS (可选){#lock-down-to-mutual-TLS-optional}
## 锁定为双向 TLS{#lock-down-to-mutual-TLS}
当所有客户端服务都成功迁移至 Istio 之后,注入 Envoy sidecar便可以锁定 `httpbin.foo` 只接收双向 TLS 请求。

11
content/zh/docs/tasks/traffic-management/mirroring/index.md
View File

@ -27,6 +27,10 @@ keywords: [traffic-management,mirroring]
name: httpbin-v1
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
version: v1
template:
metadata:
labels:
@ -53,6 +57,10 @@ keywords: [traffic-management,mirroring]
name: httpbin-v2
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
version: v2
template:
metadata:
labels:
@ -101,6 +109,9 @@ keywords: [traffic-management,mirroring]
name: sleep
spec:
replicas: 1
selector:
matchLabels:
app: sleep
template:
metadata:
labels: