istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Automator: update istio.io@ reference docs (#10401)

This commit is contained in:
Istio Automation 2021-10-04 19:48:22 -07:00 committed by GitHub
parent 78559247ff
commit cf38cac32b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
content/en/docs/reference/config/networking/envoy-filter/index.html
View File

@ -340,12 +340,7 @@ spec:
name: my-wasm-extension # This must match the name above name: my-wasm-extension # This must match the name above
config_discovery: config_discovery:
config_source: config_source:
api_config_source: ads: {}
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds-grpc
type_urls: ["envoy.extensions.filters.http.wasm.v3.Wasm"] type_urls: ["envoy.extensions.filters.http.wasm.v3.Wasm"]
</code></pre> </code></pre>

65
content/en/docs/reference/config/security/request_authentication/index.html
View File

@ -146,6 +146,71 @@ spec:
paths: [&quot;/healthz&quot;] paths: [&quot;/healthz&quot;]
</code></pre> </code></pre>
<ul>
<li>When applied on a Gateway, you can also use the special header name <code>x-jwt-claim</code> for matching JWT claims in
the VirtualService. Claims of type string or list of string are supported and nested claims are also supported using
<code>.</code> as a separator for claim names. Examples: <code>x-jwt-claim.admin</code> matches the claim &ldquo;admin&rdquo; and <code>x-jwt-claim.group.id</code>
matches the nested claims &ldquo;group&rdquo; and &ldquo;id&rdquo;.</li>
</ul>
<p>The following example creates the request authentication and authorization policies for JWT validation on ingress
gateway and routes requests based on the &ldquo;version&rdquo; claim in the validated JWT.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-on-ingress
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: route-jwt
spec:
hosts:
- foo.prod.svc.cluster.local
gateways:
- istio-ingressgateway
http:
- name: &quot;v2-route&quot;
match:
- headers:
x-jwt-claim.version:
exact: &quot;v2&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v2
- name: &quot;default-route&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v1
</code></pre>
<p><strong>Note:</strong> This routing is only supported on Gateways and proper request authentication must first be applied to validate the JWT.</p>
<table class="message-fields"> <table class="message-fields">
<thead> <thead>
<tr> <tr>