Apply ISTIO_MUTUAL not only in the used subsets, but also in the general cases.
While only the subsets are used to communicate with the egress gateway
service, not applying ISTIO_MUTUAL in the general cases causes istiocl authn tls-check to produce conflict errors
fixes https://github.com/istio/istio.io/issues/4024
- Substantially simplify logic that deals with releases & release notes.
- Make it easier to add a new release to the site. THere are fewer things to
change as the site infra can figure more stuff out on its own.
- Make it so release notes can be added in one language without require them
to be added in the other language.
- Replace the ugly "a new version is available" callout on older release note
pages with a popup that only shows up when you click on the download button.
(cherry picked from commit d458423cf4)
* replace checking Envoy's statistics with printing Envoy's logs
to verify that the traffic flows through the egress gateway
* fix links to "verify that egress traffic is directed through the egress gateway"
* use a fake host with static endpoints for TCP routing
it will allow accessing MongoDB services without FQDN hostname
* add --set gateways.istio-egressgateway.enabled=true
to the command that redeploys the egress gateway
* which -> that
* in the same way as for the case -> as in the case
* my-mongo-fake-host.com -> my-mongo.tcp.svc
* an FQDN hostname -> a domain name
* fix indentation
* unite the sections of TCP without gateway and TCP with gateway
* virtual services -> a virtual service
* add --ignore-not-found=true to a cleanup section
* fix the output of logs
* remove a virtual service from TLS without gateway
- Added the text_hack shortcode to embed text blocks in a tabset in a list. This fixes the
indenting problem in that case. It's a hack, thus the name, but it works.
- Added a download button in the footer of each page.
- Tweaked the rendering of the horizontal lines in the panels on the home page to
improve appearance and avoid occasional funny rendering.
- Run the SVG optimizer on the site content to reduce the size of a few newly added/updated
files.
- Release notes for a release now sport a warning message if there's a newer patch
available. The warning includes a link to the patch's release notes.
- Release announcement blog posts get the same warning message.
- Release announcement blog posts now generally contain the text of the
release notes directly in place, rather than containing a link to the notes
- Add support for a ticker on the home page.
This will be used for important announcements.
- Added a test suite to test out the different compositions of
site features.
- Substantially improve the composability of site features
(callouts, tabs, text blocks, boilerplates, lists). You can
now more confidentally mix & match these in any combination
and have a pretty good chance it'll render correctly.
- We haven't been checking external links for months now due to a script error
when someone added an option that didn't work as expected. I'm fixing a bunch
of resulting broken links. I can't turn on the link checker yet since there are
some bad links in reference docs which I have to address first.
- Add a bunch of links to yaml files in our code examples using the @@ syntax.
* initial version, copied from release-0.8, updated format
* remove the sentence about release 0.8
* remove mentioning namespaces
* fix a localhost:1313 link
* fix the links to the new examples instead of tasks
* extend the introduction into "Configure monitoring and access policies"
* fix format of the Logging section
* fix command format of "Access control by routing" section
* replace source.service with source.name
* remove 'tail -4' since the log can come from multiple mixer telemetry instances
* add subset cnn to the virtual services
* update the log output after access control by routing
* fix format of the command to send requests to cnn.com
in access control by routing
* fix format for "Access control by Mixer policy checks"
* change the error code from 404 to 403 in "Access control by Mixer policy checks"
* add 'with mutual authentication enabled'
* fix cleanup format, delete politics source
* use kubectl apply instead of istioctl/kubectl create
* add reporterUID and sourcePrincipal attributes to the log
remove source, sourceNamespace since they erroneously report egress-gateway as a source
remove user since it is unknown
document the parameters
* fix format of Access policies by mixer, part 2
* our organization -> the organization
* fix format in the Dashboard section, 404 -> 403, SOURCE_POD_IN_POLITICS -> SOURCE_POD_POLITICS
* remove the dashboard section since it does not show source
* from a certain namespace -> with a certain service account
* change future tense to present one
* add assumption about the container name being sleep
* remove additional future tense usages
* fix a link
* $SOURCE_POD -> SOURCE_POD
* remove another case of future tense
* remove the cleanup of grafana
* change summary
* fix links
* put backticks around Listchecker
* on the localhost -> inside the pod
* add 'SDKs' to .spelling
* fix another link
* more link fixing
* Egress Gateway task -> Egress Gateway example
* add the last_update field
* add IBM to attribution
* remove the weight attribute
* Update content/blog/2018/egress-monitoring-access-control/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/blog/2018/egress-monitoring-access-control/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* after you accomplish this -> after completing that example
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Remove note, must -> should
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* combine two sentences: "peformed before you begin" and "enabled traffic to edition.cnn.com"
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Now -> at this point, configure for monitoring -> configure to monitor
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* According to the scenario of this blog post -> according to our scenario
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove leftover from 27f2917884
* rewrite "Related tasks and examples" as a bulleted list
* extract additional bullet
* WIP Add Kubernetes Installation landing page.
This adds the landing page and organizes the content to make it easier to navigate.
Signed-off-by: rcaballeromx <grca@google.com>
* Apply initial feedback on landing page content.
Signed-off-by: rcaballeromx <grca@google.com>
* Rename and move files to enhance navigation.
Added aliases to redirect after filename changes.
Signed-off-by: rcaballeromx <grca@google.com>
* Harmonize all installation guide titles and intros.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix all links affected by the restructure.
Fixed all internal links and added aliases to ensure external redirects.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix paths of images on the ZH content.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix additional links and apply feedback.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix link error introduced by rebase.
Signed-off-by: rcaballeromx <grca@google.com>
* Remove redundant instances of "Istio" in titles.
Signed-off-by: rcaballeromx <grca@google.com>
- Add linter support to detect internal links to aliases. Those are now flagged as
bad links so the source needs to be updated to point to the real destination,
avoiding the user a redirect.
- Fixed occurences of links to aliases.
- Now only load popper.js on pages that use popups in order to improve
load times.
* note HTTP-related attributes -> notice the HTTP-related attributes
* related to Istio sidecar -> related to the Istio sidecar
* rewrite the sentence about ports and the installation option
use port 8000 instead of 443, to generate less confusion
* no HTTP service or service entry -> no HTTP service and no service entry
* extend understanding what happened with the third approach
* change section titles
* split the cleanup section into cleanup subsections
* fix links
* must not -> do not need to
* rewrite the sentence about switching to the first approach
* per specific port, gaining -> for specific ports, enabling
* A caveat is that some ports, for example port 80, already have HTTP
services inside Istio by default
* In this approach, similarly to the previous one -> With this approach, like with the previous one
* approaches can be applied -> approaches can be used
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* split long lines
* split long lines
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Revert "Update content/docs/tasks/traffic-management/egress/index.md"
This reverts commit febb76edc9.
* rewrite the sentence about the installation option and add a link to installation options
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove duplicate text
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove a redundant empty line
* address the reader directly
- Ensure that references to GitHub content use the proper annotations so
we get links to the correct branches.
- Added a check to make sure content is not using blockquotes (instead of
{{< warning >}}, {{< tip >}}, and {{< idea >}}. This check is currently
disabled, pending the Chinese content being updated.
- Fix a few violations of these new checks.
* add a step to confirm that Bookinfo is running without ingress
to verify that the app with Istio runs correctly without ingress,
to separate Istio installation errors from Ingress configuration
errors, to prevent questions like these
https://stackoverflow.com/questions/54307216/istio-proxy-unable-to-connect-to-istio-pilot
* fix the links to the renamed section (confirm the app is accessible...)
* add a tab section about mTLS
* remove leftover ";done"
* remove SNI monitoring and policy enforcement section
* add explanation why mTLS between sidecars and egress gateways is needed
* add mTLS enabled/disabled tabs to the egress MongoDB blog post
* remove placeholder SNI in logs
* add forward_downstream_sni and sni_verifier filters for wildcard TLS hosts
* add a required empty line
* make the sentence about enabling mTLS a note
* add inline comment in the yamls regarding the SNI filters
* a couple of filters -> Envoy filters
* rewrite the sentence why the SNI filters are used
* fix "so that policies will be enforced based on the original SNI value"
* prevents a possibility for deceiving Mixer -> prevents Mixer from being deceived
* will not match -> does not match
* make note ('>') one line to make lint happy
- The width value now defaults to 100%, so it doesn't need to be specified explicitly
in many cases.
- The ratio value can now be computed automatically for PNG and JPG files, so it doesn't need
to be specified explicitly.
* adding new blog post on traffic mgmt
* updates to address PR feedback
* fixed spelling issues and adjusted weight
* added DestinationRule to linter spelling config
* removed DestinationRule, using backticks per instructions
* using backticks instead of custom spelling config
* sceleton of the post
* add creating and dropping bookinfo user
* use present tense
* add created/drop ratings collection
* add unsetting of MONGODB_HOST and MONGODB_PORT environment variables
* add a step to check that bookinfo user can get ratings
* fix command line bookinfo v2 deployment
* renamed externalMySQLRatings.png -> externalDBRatings.png
* set the ratings to 1 to provide a visual clue
* rewrite the "access the webpage" section
* add "Egress control for TLS" section
* add "Directing TLS Egress traffic through the egress gateway" section
* add the "Enable Egress MongoDB traffic to arbitrary wildcarded domains" section
* replace cat <<EOF | kubectl apply/create -f - with kubectl apply/create -f - <<EOF
* replace mysql with mongodb in the diagram
* add a section about TCP egress control
* add cleanup of egress entry for TCP
* add location: MESH_EXTERNAL to service entries
* if you have mTLS enabled -> if you want to enable mTLS
* add a section regarding TCP traffic through the egress gateway
* restructure the post to be devided into TCP and TLS sections
* removed mentioning Istio installed with Istio 1.0
* fix indentation
* extend the description of TCP egress control
* fix a link
* expand the explanation on the egress gateway, move the setting IP env variable to the common TCP section
* add unsetting MONGODB_IP to the cleanup section
* do not use a list for one entry
* bookinfo-ratings-v2-mysql-external.svg -> bookinfo-ratings-v2-mongodb-external.svg
* MySQL -> MongoDB
* fix the explanation about the DNS resolution of the TCP service entry
* add an explanation about directing TCP egress traffic thru the egress gateway
* remove future tense
* add a sentence about encrypting TCP traffic with mutual TLS
* application pods -> MongoDB clients
* add explanation about TCP egress without mutual TLS
* protocol is on top of -> protocol runs on top of
* add an explanation about the egress control for mongo protocol on TLS
* add a missing dot
* sidecar proxy directs the traffic to the host -> to the gateway
* remove redundant empty line
* add explanation about TLS through the egress gateway
* add explanation about sidecar proxy -> gateway -> mongo db routing
* subsection -> section
* HTTPS -> MongoDB
* add conclusion
* add a sentence about wildcarded domains to the conclusion
* add wildcarded to .spelling
* add 'wildcards' to .spelling
* fix a title (TCP -> TLS)
* remove a redundant empty line
* linting: do not use italics inside links
* fix the date of the blog post
* fix the weight of the blog post
* improve the titles
* controlling external services -> controlling traffic to external services
* to prevent the password being -> to prevent the password from being
* remove redundant comma
* MongoDB -> MongoDB service
* you deploy a version of ratings -> you will deploy a version... in the next subsection
* simplified description of deploying ratings v2
* simplifie TCP egress traffic alternatives description
* rewrite the motivation for egress gateway
* fix an internal link (direct egress traffic thru an egress gateway)
* to provide you -> to provide yourself
* remove redundant web page refresh instruction
* remove redundant 'to'
* remove redundant explanation about mTLS
* port for direct -> port for directing
* Revert "remove redundant web page refresh instruction"
This reverts commit 2c73a26497.
* MongoDB instance -> MongoDB service
* fix additional dead link
* add an expanation about the SNI proxy
* remove instructions for Istio before 1.0.1
* shorten a title
* our -> your
* organization security requirements -> organization's security requirements
* special -> custom, add a sentence about other TCP/TLS protocols
* move the blog post to advanced examples
* rewrite the blog post as example
* fix an internal link
* Revert "rewrite the blog post as example"
This reverts commit 5369927fd4.
* Revert "move the blog post to advanced examples"
This reverts commit 461c9f679a.
* move the "with mTLS section" after "without mTLS", for TCP egress gateway
* remove 'the' from TCP traffic
* update the date of the blog post
* add an explanation about *.com used in the example
* one per each -> one for each
* fix wording of egress traffic configuration for wildcarded domains
* for the cases -> for cases
* fix the wording of leaving multiple MongoDB hosts as an exercise for the reader
* add an explanation about TCP vs. Mongo protocols
* add "sometimes" in "sometimes the IP of the MongoDB host is not stable..."
* through an egress gateway -> from sidecars to the egress gateway
* capable to route -> capable of routing
Vadim Eisenberg
Martin Taillefer
Steven Dake
Douglas Reid
imgbot[bot]
mtail
Frank Budinsky
Rigs Caballero
Shriram Rajagopalan
Jianfei Hu
mandarjog
Sandeep Parikh
Chunlin Yang