* Add documentation for telemetry v1 vs v2
* Minor fixes
* Fix
* Fix broken URLs
* Language fixes
* Language fixes
* Added index
* Move doc under metrics-and-logs faq
* Update content/en/faq/metrics-and-logs/telemetry-v1-vs-v2.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/faq/metrics-and-logs/telemetry-v1-vs-v2.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* add proxy_ssl-name directive
to the ingress.bluemix.net/ssl-services annotation to set the SNI of the
ingress gateway in the Kubernetes ingress
* specify the host names in Gateway and VirtualService
instead of '*'
* remove cleanup of unused constructs
* add last_update field
* Add addons blog post
* Apply suggestions from code review
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* fix format
* fix lint
* Apply suggestions from code review
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* Update index.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* initial version
* rewrite the motivation for the example
* switch the order: use managed Istio or install it yourself
* fix indentation
* do not use "this example shows" twice
replace the second sentence with "In this example you..."
* rewrite the example to simplify it
* fix the letter case in a sentence
* remove using --context
copied&pasted from another example
* finalize rewriting the example, simplifying things, minor improvements
* Update index.md
* Update index.md
* remove the troubleshooting section
* fix some whitespace issues
* nginx -> Nginx
* split long lines
* add explanation why both certificates are required
* remove Nginx since it is an implementation detail of ALB
* rewrite the introduction
* remove multiple glossary entries for mutual TLS
* External-IP -> external IP
* The Application Load Balancer Ingress subdomain certificates -> The Application Load Balancer's Ingress subdomain certificates
* shorten the sentence about exchange certificates and trust them
* remove one more glossary item
* delete "this time" since it is the first time curl is used in this example
* additional --cert option -> the --cert option
* you will need -> you need
* add missing dot
* Istio Ingress Gateway -> Istio ingress gateway
* fix two typos
* will not be able to communicate -> will not be able to communicate directly
* fix abbreviations usage: IKS, ALB, NLB
* rewrite the introduction
* move storing the Ingress IP before using it
* certificate -> TLS certificate
* rewrite the introduction of the section "Create secrets for ALB and Istio ingress gateway"
* domain name of your cluster -> domain name of your ALB
* remove mentioning NLB
use "ingress gateway instead of NLB"
* move the example to the blogs section
* fix metadata, description
* this example -> this blog post
* add echoing INGRESS_GATEWAY_IP
* remove grep by IP in the output of the DNS NLB domains
otherwise the fields of the output are not printed and it is not clear
which value corresponds to which field
* in the output of the previous command -> in the line that matches the IP of the gateway
* fix the part about verifying that the certificate is created for NLB domain
* IKS-provided certificates -> certificates provided by IKS
* burden -> overhead
* Require -> Enforce
* add a summary
* add a sentence about allocating a hostname for Istio ingress gateway
* update the publication date
* Update content/en/blog/2019/alb-ingress-gateway-iks/index.md
remove the explanation about the domain name format, remove "for each cluster"
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* remove in addition to registering a DNS domain
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* the recommend way -> the recommended method to send traffic
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* Istio mutual TLS -> STRICT mutual TLS
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* In this blog post -> this blog describes how
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* nlb-dns-create -> nlb-dns create
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* add -n httptools to deploy the Gateway
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* add -n httptools
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* add an explanation about re-encryption from ALB to Istio ingress gateway
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* add an explanation about using ALB and NLB certificates for mTLS between the ALB and the Istio ingress gateway
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* Istio ingress gateway -> the Istio ingress gateway
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* The traffic -> traffic, Istio sidecar -> an Istio sidecar, ALB -> the ALB
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* Application Load Balancer -> ALB
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* add -n httptools
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* add -n httptools
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
* one of another -> of one another
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* add missing "that", remove "one to another"
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* Istio sidecar -> an Istio sidecar, "it requires" -> "requires"
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* while ALB -> which
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* move the blog post to 2020
* fix the publish date
* third field -> fourth field
regarding the status of the certificate in "ibmcloud ks nlb-dnss"
* a new DNS domain -> a new DNS subdomain
* for the gateway's IP -> for the Istio gateway's IP
* ALB -> the ALB
* split long lines
* remove Policy and DestinationRule
* fix the year in the publish date
* Istio Ingress Gateway -> an Istio Ingress Gateway
* a -> the, for Istio Ingress Gateway
* remove mentioning "Let's encrypt" certificate in the introduction
it is a technical detail
* has to -> must
* Securely direct -> Direct encrypted
* rewrite the introduction to explain what happens with the certificates
* rewrite the usage of the private keys
* you configure -> you will configure
* allows us -> allows you
* clarify using Let's encrypt, securely send traffic -> send encrypted traffic
* ALB -> the ALB
* in order to verify -> in order to specify
Co-authored-by: Ram Vennam <rvennam@us.ibm.com>
Co-authored-by: Rachael Graham <rachael.graham@ibm.com>
* update for istio users why gloo
* Copy edits and implement Jed's suggestions
Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>
* Retire helm documentation as we use a protobuf
The new rendered source of truth is:
https://preliminary.istio.io/docs/reference/config/istio.operator.v1alpha1/
This is rendered from the API repo protobuf which (may) need description fields
set. That protobuf is here:
https://github.com/istio/api/blob/master/operator/v1alpha1/operator.proto
* Follow the flowchart
The flowchart is not quite right and could use some improvement.
* Update content/en/blog/2019/performance-best-practices/index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Initial documentation on Multiple Control Planes
I suspect this will be improved as we get more user feedback and
istioctl integrations, but this is a reasonable start
* Typo
* Minor edits
* Apply suggestions from code review
Co-Authored-By: Adam Miller <1402860+adammil2000@users.noreply.github.com>
* Frank's suggestions
* lint
* Apply suggestions from code review
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Fix links for removal of helm installation directory
* Point to archive version of istioctl upgrade instructions
* Add Aporeto to lint ignores for now.
* Provision a certificate to an application through a sidecar
* Revisions based on the review comments
* Move the document location
* Revise install command based on the review comments
* Make the blog more concise
* Explain the use case
* Revised based on comments
* Revise based on review comments
* Revised based on the review comments
* Revise based on review comments
* Revise based on review comments
* Revise based on review comments
* Revise based on review comments
* Revise based on review comments
* Add istiod blog post
* Update content/en/blog/2020/istiod/index.md
remove errant period
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/blog/2020/istiod/index.md
add missing space
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add correct description
* put the 'istiod's in backticks
* adjust caps again
`istiod` only when used to refer to the service.
Bold when introducing it.
Regular weight when using in body.
* md lint changes that make vscode sad
* policies => policy
* Update spell-chequer for istiod blog
* backticks around PodSecurityPolicy
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Add a blog on declarative wasm extensions for envoy and istio
* Pushed changes for review
* fixed lint errors
* fixed bash syntax
* update note to http for module delivery
* clean rest of lint issues
* fix(architecture): remove mixer mentions from architecture doc
Signed-off-by: Douglas Reid <douglas-reid@users.noreply.github.com>
* remove outdated link
Signed-off-by: Douglas Reid <douglas-reid@users.noreply.github.com>
* Blog post to be cherrypicked and published immediately with 1.4
* still working on linting
* removed colon from title
* fixed lint errors.
* fixed broken link error
* updated diagrams, final lint fixes, addressing ericvn comments
* removed target release
* update operator ref doc
* fix broken link
* Update url to archive link
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* wip: setup observability tasks for v2
Signed-off-by: Douglas Reid <dougreid@google.com>
* continue work
Signed-off-by: Douglas Reid <dougreid@google.com>
* lint fix
Signed-off-by: Douglas Reid <dougreid@google.com>
* remove mixer ref from what-is-istio
Signed-off-by: Douglas Reid <dougreid@google.com>
* further cleanup
Signed-off-by: Douglas Reid <dougreid@google.com>
* lint fix
Signed-off-by: Douglas Reid <dougreid@google.com>
* when will the linting stop?
Signed-off-by: Douglas Reid <dougreid@google.com>
* Update content/en/docs/tasks/observability/mixer/_index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Rewrite contribution guides to empower reviewers
This rewrite includes the following changes:
- Implement the new reviewer role.
- Restructure the contribution guides into multiple smaller pages to make
them easier to reference.
- Added separate pages for adding new content and reviewing content.
- Added clarifying text for the implemented shortcodes and processes.
- Updated all links.
- Added color-coded flow chart of the review process.
Signed-off-by: rcaballeromx <grca@google.com>
* Add content to help identify audience needs.
Addressed typos, consistency improvements, and other small fixes.
Added a mention and link to our code of conduct to the review process.
Signed-off-by: rcaballeromx <grca@google.com>
* Istio multi-cluster with local control planes automation
* Grammatical fixes from review comments.
* Fix lint error.
* Fix lint error.
* Fix more lint errors.
* Add pictures and fix language for code blocks.
* Update images.
* Update descriptions
* Fix more lint errors.
* Add istio-ingressgateway to spelling.
* Change istio io links to relative paths.
* Some reworking and add content on dependency CR to the doc.
* Move to year 2020
* Update weight for right display.
* Copy edits, clarified language
* Typo fix
Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>
These fix problems encountered when switching to the new Hugo which has
a completely different markdown engine. I went through diffs of the generated
HTML and made required adjustments.
Events are used for special announcements. There are stickers and banners that can be
displayed to the user. These can be used to announce an imminent release with a
sticker and countdown clock, or can be used to invite users to a future
conference, or can be used to announce that a new release is available for download.
See the authoring guide for instructions on how to use these announcements.
- We don't need cookies for istio.io, the few settings we do have should be
managed with browser-local storage instead. This is a better privacy posture,
and avoids sending needless data to the server for every request.
- If a returning user comes to the site, blog posts or news articles
less than 15 quadrillion nanoseconds old will be treated as being
unread. When there are unread articles,
the News or Blog link in the title bar will get a green dot indicating
articles are available. When clicking on News, then you'll get the
news categories with a pill showing how many articles are unread for
each category.
First-time visitors to the site will not get any dots or pills for
existing articles. These will only appear in subsequent visits for
new articles.
Due to the default behavior for new users, if you just look at the
preview, you will not see any pills or dots. To see what this actually
looks like, load up the preview, then go to the Chrome Developer Tools,
click on the Application tab, then on Local Storage, and then find the
visitedPages entry. Right click on the entry, select Edit Value,
and set the value to {}. Then refresh the page and you
should see some dots show up next to the Blog and News links in
the header.
* Added the Best Practices section with general principles.
This is the beginning of the new Best Practices section.
Our goal is to provide a section for all the best practices and recommendations
for Istio deployments. The best practices are based on the identified and
recommended deployment models.
Signed-off-by: rcaballeromx <grca@google.com>
* Change headings for clarity.
Adds clarity to some passages based on feedback.
Removes a list of recommendations that was causing some confusion.
Adds a glossary entry for failure domains and how they relate to a
platform's availability zones.
Signed-off-by: rcaballeromx <grca@google.com>
* Move Best Practices to Ops Guide
Signed-off-by: rcaballeromx <grca@google.com>
* Moved Deployment Best Practices to a new "Prepare Your Deployment" section.
Moved all deployment preparation content into a new section under "Setup".
For now the content includes the following sections:
- Deployment models
- Deployment best practices
- Pod requirements
Merged the two existing pages containing pod requirements into one single page.
Signed-off-by: rcaballeromx <grca@google.com>
* Replace example with better guidance around namespace tenancy.
Signed-off-by: Rigs Caballero <grca@google.com>
* Add links and language pointing to the Prepare section
Signed-off-by: Rigs Caballero <grca@google.com>
* Fix minor typos and broken links.
Signed-off-by: Rigs Caballero <grca@google.com>
* Move from Setup to Operations
Signed-off-by: Rigs Caballero <grca@google.com>
* Fix broken links
Signed-off-by: Rigs Caballero <grca@google.com>
* Fix rebasing issues.
Signed-off-by: Rigs Caballero <grca@google.com>
* Fix multicluster install link.
Signed-off-by: Rigs Caballero <grca@google.com>
* split deploying ratings-v2 and updating the environment variable
* move the explanation about mutual TLS in the introduction of TCP egress traffic control
* fix helm template to add a port for TCP
the deployment must be changed in addition to the service definition
* add Policy to enable/disable mTLS at the egress gateway
* update the last_update field
Let's make additional changes in a followup PR.
* Replace "Mesh Expansion" with "VM Support" and related edits.
To avoid confusion and improve the visibility of the VM-related content, these
changes align with terminology used by our users.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix descriptions, titles and link texts.
Addressed the feedback given around the link text still containing "mesh
expansion". Also addressed the feedback around the accuracy of the
titles and descriptions used.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix bullets and descriptions.
Signed-off-by: rcaballeromx <grca@google.com>
* Return content to examples.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix broken links.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix title for accuracy.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix links for ZH content.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix language for clarity.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix broken link to SDS task.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix merge conflicts.
Signed-off-by: Rigs Caballero <grca@google.com>
* authz blog
* address comments
* more update
* address comments
* add API comparison
* more fix
* update
* update link
* more updates
* update
* Some editorial fixes.
* Edit pass
Moved the summary to the beginning: We should state the most important information at the beginning of all posts, let the reader decide if they want to read the rest for the details.
Adjusted language for clarity in several places.
Changed some content to avoid talking about the future, per our style guide.
Fixed 80 column widths.
* Added call to action and fixed linter error
* Update content/en/blog/2019/v1beta1-authorization-policy/index.md
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
* Fix linter error
* Test of the docs checks
* Refinements to the operator blog post
Change ordered lists to unordered lists
Remove forward looking statements
Edit for clarity
* Self-review
* Address review comments.
* Address linting problems.
* Lint cleanup
* Little more tidy
* Address reviewer comments
* Blog for secure webhook management
* Revise the wording
* Revise wording and location of guide
* Revise the writing
* Revised based on review comments
* Fix a wording
* Fix a link
* Blog for Istio DNS certificate management
* Change the wording
* Add an explanation for the architecture
* Revise the wording
* Revisions based on review comments
* Fix a typo
- Fix a bunch of heading capitalization.
- Remove words that shouldn't be in the dictionary
and update the text accordingly.
- Added a few @@ sequences to reference content files from text blocks.
- Used a few {{< source_branch_name >}} sequences to refer to the proper
branch in GitHub rather than master.
* initial implementation
* add HTTP gateway for httpbin.org
* rewrite the introduction
* extend the example by blocking traffic from the mesh
* use www.google.com instead of *
* fix a typo in httpbin.org
* rename 'front proxy' to 'proxy', rewrite the first paragraph
* add a step for enabling Envoy's access logging
* Gateway -> ingress gateway, server -> servers, Note -> ensure
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* httpbin/google -> the httpbin/google services
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Configure -> create, is used -> you will need it
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* expand the sentence why the reader will need the localhost service entry
* expand the sentence about configuring routing
* rewrite the sentence about accessing httpbin.org
* Check the logs of the gateway -> print the gateway's log
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* You should see a line -> search the log for an entry
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Check the Mixer log -> print the Mixer log
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* You should see a line -> search the log for an entry
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Access `www.google.com` through your ingress -> Access the `www.google.com` service through your ingress gateway
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Check the Mixer log -> print the Mixer log
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* You should see a line -> search the log for an entry
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* You should see a line -> search the log for an entry
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Check the Mixer log -> print the Mixer log
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* fix indentation
* fix the first step
* split a long line
* expand about the mesh gateway
* remove leftovers from previous commits
* print the log with: -> print the log with the following command:
* remove printing Mixer log since in 1.1 it does not have to be enabled by default
* use TLS instead of HTTPS
to prevent confusion with the TLS termination cases
* front-proxy -> proxy
* fix the cleanup
* fix links
* use cnn instead of google
since the webpage of google is less clear to grep
* move to examples
* rewrite the example as a blog post
* example -> blog post
* initial version
* add structure and certificate generation
* remove redundant article
* create the reviews service and later delete it
required for pods to start
* kubernetes -> kubectl
* complete creating the egress gateway section
* add deployment of an ingress gateway
* use LoadBalancer type for the private ingress gateway
* expand the cleanup section
* add "Expose reviews v2" section
* use hostnames in CN so it can be verified by curl
* use a single slash in HTTPRewrite uri field
* fix the virtual service and the curl call
* add a troubleshooting section
* use port 80 in the egress gateway's deployment
* implement the consume section for reviews v2
* expand the troubleshooting section
* split a virtual service, use port 443
* unite two virtual services for reviews
* add namespace to the gateway reference
* complete the cleaning instructions
* fix prefix match and rewrite in consuming reviews v2
* rename the gateway, destination rule, rewrite authority in ingress cluster2
* split the virtual service in cluster1 into two parts
* set access log format to print both the path and the rewritten path
* extend the cleanup section
* add load balancing between the local and remote versions of reviews
* remove usi
* change consume/expose details to ratings
* add diagrams
* canary release the remote version
* fix the subtitle and the publish date
* add subset v1 to the routing to the local version
* use local name (reviews) for a virtual service in the default namespace
* add the 'Deploy reviews v2 locally and retire reviews v1' section
* a Gateway -> an ingress Gateway
* virtualservice myreviews-bookinfo-v2 -> virtualservice privately-exposed-services
* add the "Expose ratings and reviews v3" section
* add printing response code to curl commands
* add a step to delete the consumption of the remote service from `cluster2`
* add a section "Consume ratings and reviews v3"
* add a section about Istio RBAC
* rewrite certificate creation - add spiffe SAN
* add a section about RBAC on ingress gateway
* remove redundant quote
* add extended key usage and critical to subjectAltName
* add generation of certificate and key for cluster3
* rewrite ingress RBAC in cluster2 to use EnvoyFilter for RBAC
Istio RBAC currently does not support getting principal for
MUTUAL TLS, only for ISTIO_MUTUAL
* fix MeshFederation5, the local version of reviews must be v2
* fix a typo
* add the "Cancel exposure of ratings" section
* add checking Istio configuration artifacts
* rewrite the introduction, add requirements and the proposed implementation section
* to base implementation -> to base the implementation
* split a long line
* web page -> webpage
* fix indentation
* of deploying -> after deploying
* add an explanation about openssl
* extend the explanation about `cluster3`
* add an explanation about deploying gateways
* create the certificates -> create the certificates and keys
* remove "the" from "to generate the certificates and the keys"
* minor changes in gateway deployment
* mount volumes from secrets -> mount secrets as data volumes
* add explanation about private gateways
* cluster1 and cluster2 -> both clusters
* add an explanation about exposure/consumption
* add an explanation about c1,c2,c3.example.com hostnames
* real URL -> existing hostname
* port 80 -> port 443 (the egress gateway)
* remove the non-mTLS options
* VirtualService -> virtual service
* fix indentation
* remove back ticks from reviews v1 and v2
* in remote cluster -> is in remote cluster
* add explanation about expose-nothing behavior by default
* add a separating empty line
* port 80 -> port 443
* VirtualService -> virtual service, part 2
* your Kubernetes cluster -> your second cluster
* add "in case you have a load balancer"
* add "in case you have a load balancer... otherwise..."
* fix the pod of reviews-v2 in the first cluster
mention the new pod
* web page -> webpage
* cluster1 -> the first cluster
* make multiple tests a sublist
* rewrite the sentence "Let's change the RBAC policy"
remove let's
remove passive voice
* rewrite the series of the tests to check RBAC
* issues requests -> sends requests
* Let's consider -> consider
* split a long line
* add "locally" to has access to ratings
* the ratings -> ratings
* use first/second cluster instead of cluster1/cluster2 in headings
* add a subsection to remove certificate and key files
* extend the sentence about role binding
* extend the sentence about enabling Istio RBAC on bookinfo
* rewrite the sentence about accessing the webpage of the bookinfo app
* add an explanation about the EnvoyFilter
* other 50% -> the other 50%
* 50% of time -> 50% of the time
* at cluster -> in cluster
* rewrite the sentence about cleaning Istio RBAC
* add summary
* in the subtitle: traffic control -> strict access control
* for the many different reasons -> for different reasons
* special certificates -> dedicated certificates, add dots
* add a sentence about defense in depth and PCI compliance
* fix typos
* through their gateways -> through corresponding gateways
* _v1_ -> `v1`
* ad-hoc -> ad hoc
* put EnvoyFilter and the name of the Envoy's filter in backticks
* instructions for NodePort Ingress -> instructions for using node port for ingress
* add "hoc" to .spelling, for "ad hoc" expression
* fix a link
* remove unneeded single bullet
* fix a link for Defense-in-depth
* rewrite the list of reasons for split applications between multiple clusters
* add a clause about boundary protection
* expand on non-uniform naming
* rewrite the bullet about boundary protection
* expand on the lack of common trust
* fix division into paragraphs in the introduction
* different as -> different than
* in different namespaces in a cluster -> in the clusters
* to the ratings -> to the ratings service
* rewrite the explanation about DNS and routing
* add a comma after "destined to ratings"
* split a long line
* replace PCI DSS with boundary protection
* remove an unneeded empty line
* split long lines in the summary
* simplify the sentence in the summary about explicit exposure of the clusters
* put "paired" in italics
* split a long line
* change the publish date to 12-th of August
* split a long line
* add the "Isolation of system components and boundary protection" subsection
* rephrase a sentence to remove passive voice
* add cyber and subnetworks to .spelling
used by NIST Special Publication 800-53, Revision 4, Security and Privacy
Controls for Federal Information Systems and Organizations:
This type of enhanced protection limits the potential harm from cyber attacks...
... routers, gateways, and firewalls separating system components into physically separate networks or
subnetworks
* rephrase and reformat the section about boundary protection and isolation
* rewrite the section about isolation and boundary protection
* Kubernetes community -> the Kubernetes community
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* three patterns -> three documented patterns
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* three patterns differ -> the differences between the patterns
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "where none of the multi cluster patterns apply" to "there are cases when you want to"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* didn't establish -> have not established
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* rewrite the sentence about the best solution and the goal
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Payment Card Industry Data Security Standard -> the ..
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* move "in my opinion" to the beginning of the sentence
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* move "in my opinion" to the beginning of the sentence, part 2
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Add "the" to PCI DSS
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "approach" after "the proposed mesh federation"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "the" before NIST
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* uniform identical naming -> uniform naming
* common indentity and common trust -> common identity and trust
* mesh-federation -> isolated-clusters
* rewrite the blog post, removing mesh federation and multicluster mesh mentioning
* add the "Testing the certificates in the chain of calls" section
* Revert "add the "Testing the certificates in the chain of calls" section"
This reverts commit 6ada5903e5.
* remove redundant parenthesis around the first link to PCI DSS
* fix a typo (though -> through)
* remove the last '/' which seems to confuse lint
* remove namespace qualifier for gateways in virtual services
since the virtual services are in the same namespace
* extend the explanation about RBAC
* try another link for gdpr
* add ` ` to try to make lint happy
* Revert "add ` ` to try to make lint happy"
This reverts commit 552806883f.
* rewrite the list of standards as a table, add links to the paragraph below
* put full service name in backticks
* fix a typo (localtion -> location)
* fix the level of the first section
* rename the ca-example-com-certs secrets into c1/c2-trusted-certs secrets
to enable running commands in a single cluster
* use kubectl apply to create a namespace in case it already exists
for the single cluster scenario
* add deleting of the ratings service in the first cluster
during the initial setting
* change the error in case ratings is not found
* remove istio-private-gateways from the list of RBAC-included namespaces
* add '--ignore-not-found=true' to the kubectl delete commands
to support the case of a single cluster
* credit card -> payment card
* add running the blog post in a single cluster
* add unsetting environment variables to the cleanup section
* fix internal links
* The approach I propose - The approach I use
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* features of the proposed approach -> features of the approach
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* I propose -> I use
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* I propose to base connecting clusters on -> I connect clusters based on
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add "some of the process could clearly benefit from automation..."
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* similar the pattern -> similar to the pattern
* the proposed implementation -> the implementation pattern
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* added a comment that my approach is different from multicluster meshes
* fix a link
* add a multi-mesh section to examples
* move the blog post about cluster isolation to examples
* rewrite the blog post as example
* add a missing period in the description
* Revert "add a missing period in the description"
This reverts commit 14f656280f.
* Revert "rewrite the blog post as example"
This reverts commit 875a4f55f0.
* Revert "move the blog post about cluster isolation to examples"
This reverts commit 17b20a1cb5.
* Revert "add a multi-mesh section to examples"
This reverts commit 9d9365eee7.
* rewrite the blog post to not contain the same service (reviews) in two meshes
per comments of Sven Mawson
using ratings and httpbin to show exposure of two services
* fix the link to Envoy's RBAC filter
* fix an internal link
* fix spelling
* remove redundant empty line
* remove "no common trust" from the single cluster
* initial version after moving the example to istio-ecosystem
* fix list formatting
* additional touches
replace cluster with mesh everywhere
add monitoring at the boundary
* describe -> outline, report
* put all mesh-federation and multi-mesh instances into the glossary markup
* update the publish date
* call "service location transparency" an optional feature
* rewrote "Service location transparency is important" to "Service location transparency is useful in the cases when you want"
* the istio-ecosystem repository -> Istio ecosystem
* rewrite subtitle
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Rewrite the title
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* rewrite the sentence about isolation
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* rewrite the sentence about separate service meshes on separate networks
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Remove "Istio to connect applications in the meshes with different compliance requirements"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove the glossary item from mesh federation and add "support and automation work under way"
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 2
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* add comparison with multi-cluster (single mesh)
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 3
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 4
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 5
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 5
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 6
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* remove glossary reference, 7
* report -> touch on
* update the date of the blog
* Added blog for monitoring external service traffic
In release 1.3 we added support for monitoring traffic to external services
which are allowed or get blocked. This blog explains how to use these metrics to
get the host names/IP addresses for these external services.
* Address review comments
* Removed extra heading
* Re-align headers
* Update index.md
* Added App Identity and Access blog
* Updates after review
Reviewed by @adammil2000 and gtaylor
* Fixed linting
* Updated date, description
* Fixed spelling, added new words to .spelling
* Update doc for sds
* Update SDS doc for trustworthy jwt feature
* Drop legacy jwt support
* Add SDS announcement
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/docs/setup/platform-setup/_index.md
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update index.md
* Update .spelling
* Update content/en/docs/setup/install/helm/index.md
Co-Authored-By: Romain Lenglet <romain.lenglet@berabera.info>
* Update index.md
* Update _index.md
* Update index.md
* Address comments
* Refine doc again
* Bump the support version of k8s to 1.13
* Update vendors
* Update docs
* Apply suggestions from code review
Co-Authored-By: Rigs Caballero <grca@google.com>
Co-Authored-By: Oliver Liu <yonggangl@google.com>
* Update content/en/blog/2019/trustworthy-jwt-sds/index.md
Co-Authored-By: Rigs Caballero <grca@google.com>
* Add Istio Deployment Models concept.
This concept replaces the old multi-cluster concept.
Includes new diagrams that comply with the diagram creation guidelines.
Updates the Chinese content to use a local copy of the previous diagrams.
Fixes all internal links to the previous version of the doc.
Signed-off-by: rcaballeromx <grca@google.com>
* Add glossary entries for needed terms.
The terms involved are:
- Cluster
- Identity
- Trust domain
Signed-off-by: rcaballeromx <grca@google.com>
* Define cluster in a platform agnostic way.
Also adds links between `identity` and `trust domain`.
Signed-off-by: rcaballeromx <grca@google.com>
* Add missing `(` in links.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix links to sections and reduce image sizes.
Signed-off-by: rcaballeromx <grca@google.com>
* Simplify the definition of `trust domain`
Signed-off-by: rcaballeromx <grca@google.com>
* Move old images to the ZH content.
Signed-off-by: rcaballeromx <grca@google.com>
* Add reworked control plane content.
Also addresses the comments left on the PR including those regarding the
diagrams.
Signed-off-by: rcaballeromx <grca@google.com>
* Add failover example and glossary entries.
This update also reworks the control plane models section to fit the example.
Additional adjustments were made to the diagrams too.
Signed-off-by: rcaballeromx <grca@google.com>
* Move mesh models section.
Also minor fixes and edits.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix glossary entries and links.
Signed-off-by: rcaballeromx <grca@google.com>