Automator: update istio.io@ reference docs (#10401)

2021-10-04 19:48:22 -07:00 · 2021-10-04 19:48:22 -07:00 · cf38cac32b
parent 78559247ff
commit cf38cac32b
2 changed files with 66 additions and 6 deletions
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@ -340,12 +340,7 @@ spec:
        name: my-wasm-extension # This must match the name above
        config_discovery:
          config_source:
-            api_config_source:
-              api_type: GRPC
-              transport_api_version: V3
-              grpc_services:
-              - envoy_grpc:
-                  cluster_name: xds-grpc
+            ads: {}
          type_urls: [&quot;envoy.extensions.filters.http.wasm.v3.Wasm&quot;]
 </code></pre>

--- a/content/en/docs/reference/config/security/request_authentication/index.html
+++ b/content/en/docs/reference/config/security/request_authentication/index.html
@ -146,6 +146,71 @@ spec:
        paths: [&quot;/healthz&quot;]
 </code></pre>

+<ul>
+<li>When applied on a Gateway, you can also use the special header name <code>x-jwt-claim</code> for matching JWT claims in
+the VirtualService. Claims of type string or list of string are supported and nested claims are also supported using
+<code>.</code> as a separator for claim names. Examples: <code>x-jwt-claim.admin</code> matches the claim &ldquo;admin&rdquo; and <code>x-jwt-claim.group.id</code>
+matches the nested claims &ldquo;group&rdquo; and &ldquo;id&rdquo;.</li>
+</ul>
+
+<p>The following example creates the request authentication and authorization policies for JWT validation on ingress
+gateway and routes requests based on the &ldquo;version&rdquo; claim in the validated JWT.</p>
+
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: jwt-on-ingress
+  namespace: istio-system
+spec:
+ selector:
+   matchLabels:
+     app: istio-ingressgateway
+  jwtRules:
+  - issuer: &quot;issuer-foo&quot;
+    jwksUri: https://example.com/.well-known/jwks.json
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: require-jwt
+  namespace: istio-system
+spec:
+ selector:
+   matchLabels:
+     app: istio-ingressgateway
+  rules:
+  - from:
+    - source:
+        requestPrincipals: [&quot;*&quot;]
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: route-jwt
+spec:
+  hosts:
+  - foo.prod.svc.cluster.local
+  gateways:
+  - istio-ingressgateway
+  http:
+  - name: &quot;v2-route&quot;
+    match:
+    - headers:
+        x-jwt-claim.version:
+          exact: &quot;v2&quot;
+    route:
+    - destination:
+        host: foo.prod.svc.cluster.local
+        subset: v2
+  - name: &quot;default-route&quot;
+    route:
+    - destination:
+        host: foo.prod.svc.cluster.local
+        subset: v1
+</code></pre>
+
+<p><strong>Note:</strong> This routing is only supported on Gateways and proper request authentication must first be applied to validate the JWT.</p>
+
 <table class="message-fields">
 <thead>
 <tr>