* Adds documentation related to experimental RBAC
This adds documentation related to the newly introduced experimental
key.
Signed-off-by: Venil Noronha <veniln@vmware.com>
* Update experimental constraint key
This updates the experimental constraint key and related documentation.
Signed-off-by: Venil Noronha <veniln@vmware.com>
* networking -> network connectivity
* single control plane topology -> single control plane topology with VPN connectivity
* a single control plane topology with VPN connectivity -> a single control plane with VPN connectivity topology
* Simplify instructions by using labels selector on the helloworld yaml
* Added missing local context
* Renamed secret and config names for the remote k8s api
* Wrap into a warning section
* local->cluster1 remote->cluster2
* Review comments addressed
* Review comments addressed
* Moved the gateway up to the cluster 1 setup section and make it a generic gateway
* Review comments addressed
* split single control plane topology into two cases,
with and without VPN connectivity, so all the three topologies will appear in
the table of contents, and could be referenced from other documents
* make titles of subsections shorter, make connectivity lower case
* The wording in step 3 (individual workloads view) is odd.
In step 3 (individual workloads view), workloads is plural, which it shouldn't be, and the sentences starting with "Also, gives", are worded oddly.
* Updated text as per review comments
* note HTTP-related attributes -> notice the HTTP-related attributes
* related to Istio sidecar -> related to the Istio sidecar
* rewrite the sentence about ports and the installation option
use port 8000 instead of 443, to generate less confusion
* no HTTP service or service entry -> no HTTP service and no service entry
* extend understanding what happened with the third approach
* change section titles
* split the cleanup section into cleanup subsections
* fix links
* must not -> do not need to
* rewrite the sentence about switching to the first approach
* per specific port, gaining -> for specific ports, enabling
* A caveat is that some ports, for example port 80, already have HTTP
services inside Istio by default
* In this approach, similarly to the previous one -> With this approach, like with the previous one
* approaches can be applied -> approaches can be used
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* split long lines
* split long lines
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Revert "Update content/docs/tasks/traffic-management/egress/index.md"
This reverts commit febb76edc9.
* rewrite the sentence about the installation option and add a link to installation options
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove duplicate text
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove a redundant empty line
* address the reader directly
* document file names used in external certificate configuration
* rephrased to clarify based on PR feedback
* note using different names requires reconfiguration
- Ensure that references to GitHub content use the proper annotations so
we get links to the correct branches.
- Added a check to make sure content is not using blockquotes (instead of
{{< warning >}}, {{< tip >}}, and {{< idea >}}). This check is currently
disabled, pending the Chinese content being updated.
- Fix a few violations of these new checks.
* Update the SDS doc.
* Small fix.
* Small fix.
* Small fix.
* Update content/docs/tasks/security/auth-sds/index.md
Co-Authored-By: myidpt <yonggangl@google.com>
* Apply suggestions from code review
Co-Authored-By: myidpt <yonggangl@google.com>
* Small fix according to the comments.
* Updated to install istio remote using values file
* Few unrelated doc fixes
* Remove zipkin and statsd flags as they are unsupported
* Revert "Few unrelated doc fixes"
This reverts commit 038096d137.
* Few more minor updates
* Switch to port 15443
* Break on-line helm commands
* Trailing space
* Put back some default istio features after verifying mc still works
* Add remote mixer addresses
* Formatting
* Specify container for cleaner output
* Wrong place
* use port 80 with protocol HTTPS for mTLS on egress gateway
* rewrite the instructions about why to apply mutual TLS
* make the protocol of 443 HTTPS
* allow monitor -> allow to monitor
* add Install Istio with access to all the external services by default
* fix a typo: copule -> couple
* add a call to cnn
* instal -> install
* replace ; with ,
* add a couple of requests to HTTPS services before changing the config map
to show that they are blocked
* do not delete pilot, it listens to the changes of the config map
* no need to reinstall/update -> no need to update
* add 'Change back to the blocking-by-default policy' section
* perfromed -> performed
* all the services -> all services
* instruct Istio proxy -> instruct the Istio proxy
* no HTTP service exist -> no HTTP service exists
* all the access ... will be blocked -> all accesses ... is blocked
* Unindent the block content
* blocked now -> now blocked
* Revert "add a couple of requests to HTTPS services before changing the config map"
This reverts commit 848171c041.
* Correct command to append output to istio.yaml, instead of replacing
* Also correct the command to enable mTLS globally. control plane and global mtls need to be set to true together, at least for now.
* Refactor the authorization task
- Move the permissive mode to a standalone task
- Rename the group/list claim support to align with other tasks
- Re-order to put the basic HTTP/TCP task first
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
* Fix links.
* resolve comments.
* Address comments.
Currently, the command line snippet for setting up multi-cluster Istio
with Helm is confined to a single line. This makes it difficult to read
without having to scroll horizontally to read the entire command.
Update the command to be multi-line.
Signed-off-by: Nick Travers <n.e.travers@gmail.com>
Updated tablegen.py to process the configuration options from the values.yaml
files under /istio/install/kubernetes/heml/subcharts directory and the
remaining configuration options like global, istiocoredns, istio_cni from
values.yaml under /istio/install/kubernetes/helm/istio directory.
* add a step to confirm that Bookinfo is running without ingress
to verify that the app with Istio runs correctly without ingress,
to separate Istio installation errors from Ingress configuration
errors, to prevent questions like these
https://stackoverflow.com/questions/54307216/istio-proxy-unable-to-connect-to-istio-pilot
* fix the links to the renamed section (confirm the app is accessible...)
* put the instructions to kill the pod after checking that the key/certificate are loaded
* add "if you created the secret, but..." before killing the pod
* the secret <secret name> -> the <secret name> secret
* kill -> delete
* Add new setup instructions about istio-cni
* Fix review nits.
* Add Istio CNI to about/features as an alpha status feature
* Reword intro and installation steps
* Add sidecar injection compatibility info
* fix review comments
* Fix wording nits from sdake
* Fix nits and formatting comments from geeknoid.
* Added general CNI spec link and Istio k8s requirements link.
* Add a user guide for Istio Vault CA integration
* Fix lint errors
* Use helm template values to simplify the config
* Address review comments
* Fix the link in a command
* Small fixes
- Fix formatting for the Subscribe link on blog pages. That got broken in some refactoring I did a while back.
- Remove a few *NOTE* and _NOTE_ instances and replace with the canonical icons
- Add a link to our community repo in the Getting Involved page.
* add a tab section about mTLS
* remove leftover ";done"
* remove SNI monitoring and policy enforcement section
* add explanation why mTLS between sidecars and egress gateways is needed
* add mTLS enabled/disabled tabs to the egress MongoDB blog post
* remove placeholder SNI in logs
* add forward_downstream_sni and sni_verifier filters for wildcard TLS hosts
* add a required empty line
* make the sentence about enabling mTLS a note
* add inline comment in the yamls regarding the SNI filters
* a couple of filters -> Envoy filters
* rewrite the sentence why the SNI filters are used
* fix "so that policies will be enforced based on the original SNI value"
* prevents a possibility for deceiving Mixer -> prevents Mixer from being deceived
* will not match -> does not match
* make note ('>') one line to make lint happy
* initial version
* split a long line
* rephrase the sentence "Now, you configured..."
* add a requirement that mTLS is enabled
* remove leftover ';done'
* add monitoring and policy enforcement of SNI and source identity
* the logentry -> logentry
* that will allow -> that allows
* replace URL with Wikipedia in English
* clarify the examples in SNI monitoring, blocked vs. allowed
* Extend the introduction to monitoring/policies by source identity
* replace backticks with italics for sleep-us and sleep-canada
* the logentry -> logentry
* the sidecar proxy -> the sidecar proxies
* fix the names of the service accounts in cleanup
* it should be -> it must be
* services -> applications
* add: Access to other Wikipedia sites will be blocked
* inline the command to kill mixer pods
* add clarification about the access to Wikipedia sites from sleep-canada
* fix format of cleanup of monitoring/policies by source
* replace italics with backticks for sleep-us and sleep-canada due to spellchecker
* add a missing empty line
* Revert "inline the command to kill mixer pods"
This reverts commit 780913253d.
* of the source of traffic -> of the traffic source
* allows access -> allows to access
* delete "namely"
* Wikipedia -> the Wikipedia
* add a bullet about the privileged mode
* change privileged mode to NET_ADMIN capability
* Rewrite the sentence: it is required for...
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Simplify the sentence about the default service account
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove leftover from a previous commit
* remove another leftover from a previous commit
* add a missing whitespace after a dot
* remove capitalization of Service Account and Pod Security Policy
* add a remark about pod security policies being enforced in the cluster
* split the content between spec-requirements and required-pod-capabilities in the operations guide
* Fix the link to required-pod-capabilities
* An example for configuring and verifying split horizon EDS
* Add period to end of description
* Minor change
* Minor typo
* Comments by Lin Sun addressed
* Addressed @frankbu review comments and cross referenced with the concept doc
* Update index.md
In order to better distinguish between the two ways to call external services from an Istio mesh, we should remove the rules about `ServiceEntry`.
* Update index.md
Add a warning icon
* Update index.md
* add before-you-begin-egress boilerplate and use it in one case
* move the boilerplate into content
* replace before-you-begin section for egress task/examples
* remove egress related details from the boilerplate
- The width value now defaults to 100%, so it doesn't need to be specified explicitly
in many cases.
- The ratio value can now be computed automatically for PNG and JPG files, so it doesn't need
to be specified explicitly.
Fixed in the documentation command
- Typo, the `jsonpath` contains an extra dot char: `.items[0]..metadata.name` instead of `.items[0].metadata.name`
- The jsonpath without a wrapping in quote chars won't work on all the systems and could lead to some errors of type: `no matches found: jsonpath={.items[0].metadata.name}`
* Correct telemetry for prometheus doc
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Add galley, pilot and policy
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* update zh doc
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Address review comments
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* mesh to metrics
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
Force merge because circleci errors are unrelated.
* which will be used -> which you will use
* note that any pod ... will do -> note that you can use any pod that ...
* add missing "example" word
* Create a shell variable to hold -> Create the `SOURCE_POD` environment variable to store
* remove "if you use the sleep sample"
* For this example -> For the sake of this example only
* by a Kubernetes service -> by the domain name of a Kubernetes service
* showed how you can -> shows how to
* Update content/docs/examples/advanced-gateways/http-proxy/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* cases when you must use -> cases require
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Simplify the sentence about using any pod with curl
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* simplify the sentence about creating SOURCE_POD
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Remove "for the sake of"
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* the pod of the proxy -> the proxy's pod
* TCP (!) -> TCP (not HTTP!)
* rewrite the sentence about Squid and HTTPS proxy
* clarify the automatic sidecar injection for the new namespace
* clarify the sentence about the IP address of the pod
* variable to hold -> variable to store
* clarified the summary after the deployment and testing of HTTPS proxy
* its traffic is controlled by Istio -> Istio controls its traffic
* by a Kubernetes service -> by the domain name of a Kubernetes service
* shows how you to -> shows how to
* remove a leftover from a previous editing
* split a long line
* though -> through
* outside the cluster -> outside of the cluster
* remove redundant whitespace
* rewrite the sentence about starting sleep sample
* HTTP CONNECT -> HTTP Connect
* rewrite the motivation for TCP service entry instead of HTTP
* rewrite another case of passive voice related to using HTTP CONNECT
* In this example -> in this case, hold -> store
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* proxy outside the cluster -> proxy being outside the cluster
* The next step is to -> Next, you must
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* has sidecar injected -> has a sidecar
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* rewrite understanding what happened section to make it as a list
* simplify Understanding what happened section
make it more high level
* remove a trailing whitespace
* rewrite the sentence about creating a namespace without labeling
* combine the sentences about not labeling for sidecar injection
When I tried testing the application with `curl`, I got `000` as response.
For my environment, escaping the braces results in the variable not being expanded.
But because of outputting to `/dev/null`, I didn't see the error message `curl: (6) Could not resolve host: ${GATEWAY_URL}`
I'm using zsh under macOS.
* Add initial doc changes related to tracing provider and support for zipkin backend
* Suggestion for way to incorporate more tracing backends - using text from lightstep PR #2844
* Update based on review comments. Moved lightstep content (from #2844) to subfolder
* Add more zipkin content and images
* Remove jaeger from dt page
* Updates following comments
* Updates to address comments
* initial version
* ServiceEntry -> service entry (in text)
* config map -> `ConfigMap`
* fix a link
* task -> example
* through such proxy -> through it
* elaborate what has been done after the proxy is deployed and tested
* split a long line
* explain why there is no need to define service entries for external services accessed through the proxy
* rewrite the sentence about simulating the proxy outside the cluster
* check the log and see your request -> check the log for your request
* HTTP CONNECT method -> the HTTP CONNECT method
* between the application and the proxies -> between the application and the proxy
* add explanation how this example is different from other egress examples
* update chart requirements
adding `helm dep up` which is required for the install to succeed
* note about relative refs
* remove redundant space
* grammar and passive voice
Co-Authored-By: itaysk <itay@itaysk.com>
* helm repo add
* documentation for end-user authentication on ingress-gateway (#2243)
* documentation for end-user authentication on ingress-gateway
* address comments
* address comments
* address comment
* Move end user authentication on Ingress section to security.
* Minor text change.
* Revert edit in traffic management doc.
* Remove Ingress example. Replace it with a single sentence.
* Addressed comment.