* initial version
* add structure and certificate generation
* remove redundant article
* create the reviews service and later delete it
required for pods to start
* kubernetes -> kubectl
* complete creating the egress gateway section
* add deployment of an ingress gateway
* use LoadBalancer type for the private ingress gateway
* expand the cleanup section
* add "Expose reviews v2" section
* use hostnames in CN so it can be verified by curl
* use a single slash in HTTPRewrite uri field
* fix the virtual service and the curl call
* add a troubleshooting section
* use port 80 in the egress gateway's deployment
* implement the consume section for reviews v2
* expand the troubleshooting section
* split a virtual service, use port 443
* unite two virtual services for reviews
* add namespace to the gateway reference
* complete the cleaning instructions
* fix prefix match and rewrite in consuming reviews v2
* rename the gateway, destination rule, rewrite authority in ingress cluster2
* split the virtual service in cluster1 into two parts
* set access log format to print both the path and the rewritten path
* extend the cleanup section
* add load balancing between the local and remote versions of reviews
* remove usi
* change consume/expose details to ratings
* add diagrams
* canary release the remote version
* fix the subtitle and the publish date
* add subset v1 to the routing to the local version
* use local name (reviews) for a virtual service in the default namespace
* add the 'Deploy reviews v2 locally and retire reviews v1' section
* a Gateway -> an ingress Gateway
* virtualservice myreviews-bookinfo-v2 -> virtualservice privately-exposed-services
* add the "Expose ratings and reviews v3" section
* add printing response code to curl commands
* add a step to delete the consumption of the remote service from `cluster2`
* add a section "Consume ratings and reviews v3"
* add a section about Istio RBAC
* rewrite certificate creation - add spiffe SAN
* add a section about RBAC on ingress gateway
* remove redundant quote
* add extended key usage and critical to subjectAltName
* add generation of certificate and key for cluster3
* rewrite ingress RBAC in cluster2 to use EnvoyFilter for RBAC
Istio RBAC currently does not support getting principal for
MUTUAL TLS, only for ISTIO_MUTUAL
* fix MeshFederation5, the local version of reviews must be v2
* fix a typo
* add the "Cancel exposure of ratings" section
* add checking Istio configuration artifacts
* rewrite the introduction, add requirements and the proposed implementation section
* to base implementation -> to base the implementation
* split a long line
* web page -> webpage
* fix indentation
* of deploying -> after deploying
* add an explanation about openssl
* extend the explanation about `cluster3`
* add an explanation about deploying gateways
* create the certificates -> create the certificates and keys
* remove "the" from "to generate the certificates and the keys"
* minor changes in gateway deployment
* mount volumes from secrets -> mount secrets as data volumes
* add explanation about private gateways
* cluster1 and cluster2 -> both clusters
* add an explanation about exposure/consumption
* add an explanation about c1,c2,c3.example.com hostnames
* real URL -> existing hostname
* port 80 -> port 443 (the egress gateway)
* remove the non-mTLS options
* VirtualService -> virtual service
* fix indentation
* remove back ticks from reviews v1 and v2
* in remote cluster -> is in remote cluster
* add explanation about expose-nothing behavior by default
* add a separating empty line
* port 80 -> port 443
* VirtualService -> virtual service, part 2
* your Kubernetes cluster -> your second cluster
* add "in case you have a load balancer"
* add "in case you have a load balancer... otherwise..."
* fix the pod of reviews-v2 in the first cluster
mention the new pod
* web page -> webpage
* cluster1 -> the first cluster
* make multiple tests a sublist
* rewrite the sentence "Let's change the RBAC policy"
remove let's
remote passive voice
* rewrite the series of the tests to check RBAC
* issues requests -> sends requests
* Let's consider -> consider
* split a long line
* add "locally" to has access to ratings
* the ratings -> ratings
* use first/second cluster instead of cluster1/cluster2 in headings
* add a subsection to remove certificate and key files
* extend the sentence about role binding
* extend the sentence about enabling Istio RBAC on bookinfo
* rewrite the sentence about accessing the webpage of the bookinfo app
* add an explanation about the EnvoyFilter
* other 50% -> the other 50%
* 50% of time -> 50% of the time
* at cluster -> in cluster
* rewrite the sentence about cleaning Istio RBAC
* add summary
* in the subtitle: traffic control -> strict access control
* for the many different reasons -> for different reasons
* special certificates -> dedicated certificates, add dots
* add a sentence about defense in depth and PCI compliance
* fix typos
* through their gateways -> through corresponding gateways
* _v1_ -> `v1`
* ad-hoc -> ad hoc
* put EnvoyFilter and the name of the Envoy's filter in backticks
* instructions for NodePort Ingress -> instructions for using node port for ingress
* add "hoc" to .spelling, for "ad hoc" expression
* fix a link
* remove unneeded single bullet
* fix a link for Defense-in-depth
* rewrite the list of reasons for split applications between multiple clusters
* add a clause about boundary protection
* expand on non-uniform naming
* rewrite the bullet about boundary protection
* expand on the lack of common trust
* fix division into paragraphs in the introduction
* different as -> different than
* in different namespaces in a cluster -> in the clusters
* to the ratings -> to the ratings service
* rewrite the explanation about DNS and routing
* add a comma after "destined to ratings"
* split a long line
* replace PCI DSS with boundary protection
* remove an unneeded empty line
* split long lines in the summary
* simplify the sentence in the summary about explicit exposure of the clusters
* put "paired" in italics
* split a long line
* change the publish date to 12-th of August
* split a long line
* add the "Isolation of system components and boundary protection" subsection
* rephrase a sentence to remove passive voice
* add cyber and subnetworks to .spelling
used by NIST Special Publication 800-53, Revision 4, Security and Privacy
Controls for Federal Information Systems and Organizations:
This type of enhanced protection limits the potential harm from cyber attacks...
... routers, gateways, and firewalls separating system components into physically separate networks or
subnetworks
* rephrase and reformat the section about boundary protection and isolation
* rewrite the section about isolation and boundary protection
* Kubernetes community -> the Kubernetes community
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* three patterns -> three documented patterns
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* three patterns differ -> the differences between the patterns
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "where none of the multi cluster patterns apply" to "there are cases when you want to"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* didn't establish -> have not established
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* rewrite the sentence about the best solution and the goal
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Payment Card Industry Data Security Standard -> the ..
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* move "in my opinion" to the beginning of the sentence
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* move "in my opinion" to the beginning of the sentence, part 2
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Add "the" to PCI DSS
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "approach" after "the proposed mesh federation"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "the" before NIST
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* uniform identical naming -> uniform naming
* common indentity and common trust -> common identity and trust
* mesh-federation -> isolated-clusters
* rewrite the blog post, removing mesh federation and multicluster mesh mentioning
* add the "Testing the certificates in the chain of calls" section
* Revert "add the "Testing the certificates in the chain of calls" section"
This reverts commit 6ada5903e5.
* remove redundant parenthesis around the first link to PCI DSS
* fix a typo (though -> through)
* remove the last '/' which seems to confuse lint
* remove namespace qualifier for gateways in virtual services
since the virtual services are in the same namespace
* extend the explanation about RBAC
* try another link for gdpr
* add ` ` to try to make lint happy
* Revert "add ` ` to try to make lint happy"
This reverts commit 552806883f.
* rewrite the list of standards as a table, add links to the paragraph below
* put full service name in backticks
* fix a typo (localtion -> location)
* fix the level of the first section
* rename the ca-example-com-certs secrets into c1/c2-trusted-certs secrets
to enable running commands in a single cluster
* use kubectl apply to create a namespace in case it already exists
for the single cluster scenario
* add deleting of the ratings service in the first cluster
during the initial setting
* change the error in case ratings is not found
* remove istio-private-gateways from the list of RBAC-included namespaces
* add '--ignore-not-found=true' to the kubectl delete commands
to support the case of a single cluster
* credit card -> payment card
* add running the blog post in a single cluster
* add unsetting environment variables to the cleanup section
* fix internal links
* The approach I propose - The approach I use
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* features of the proposed approach -> features of the approach
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* I propose -> I use
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* I propose to base connecting clusters on -> I connect clusters based on
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "some of the process could clearly benefit from automation..."
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* similar the pattern -> similar to the pattern
* the proposed implementation -> the implementation pattern
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* added a comment that my approach is different from multicluster meshes
* fix a link
* add a multi-mesh section to examples
* move the blog post about cluster isolation to examples
* rewrite the blog post as example
* add a missing period in the description
* Revert "add a missing period in the description"
This reverts commit 14f656280f.
* Revert "rewrite the blog post as example"
This reverts commit 875a4f55f0.
* Revert "move the blog post about cluster isolation to examples"
This reverts commit 17b20a1cb5.
* Revert "add a multi-mesh section to examples"
This reverts commit 9d9365eee7.
* rewrite the blog post to not contain the same service (reviews) in two meshes
per comments of Sven Mawson
using ratings and httpbin to show exposure of two services
* fix the link to Envoy's RBAC filter
* fix an internal link
* fix spelling
* remove redundant empty line
* remove "no common trust" from the single cluster
* initial version after moving the example to istio-ecosystem
* fix list formatting
* additional touches
replace cluster with mesh everywhere
add monitoring at the boundary
* describe -> outline, report
* put all mesh-federation and multi-mesh instances into the glossary markup
* update the publish date
* call "service location transparency" an optional feature
* rewrote "Service location transparency is important" to "Service location transparency is useful in the cases when you want"
* the istio-ecosystem repository -> Istio ecosystem
* rewrite subtitle
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Rewrite the title
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* rewrite the sentence about isolation
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* rewrite the sentence about separate service meshes on separate networks
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Remove "Istio to connect applications in the meshes with different compliance requirements"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove the glossary item from mesh federation and add "support and automation work under way"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 2
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add comparison with multi-cluster (single mesh)
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 3
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 4
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 5
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 5
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 6
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 7
* report -> touch on
* update the date of the blog
Ihor Sychevskyi
Frank Budinsky
Martin Taillefer
Rigs Caballero
Vadim Eisenberg