* Edit and clean the multicluster installation.
Performed a major edit to enhance the clarity and accuracy of the content.
The edits include:
* Consistency and quality-of-content improvements including expanding
abbreviations on first use, adding or modifying markup for emphasis, and
adding lists.
* Grammar and spelling fixes including fixing passive voice and missing
articles.
* Content structure improvements to improve the readability and flow of the
content.
* Introduced heading tags to make identifying cross-references easier to
identify and maintain.
Signed-off-by: rcaballeromx <grca@google.com>
* Address typos
Signed-off-by: rcaballeromx <grca@google.com>
* Fix broken links with IDs.
Signed-off-by: rcaballeromx <grca@google.com>
* Implemented tabs for procedural options.
Alongside the tabs implementation, a warning and a note were added based on
comments.
* add initial sceleton of the wildcard https egress gateway blog post
* fixed the links and bare URLs
* add missing 'the'
* complete the Background section
* add before you begin and cleanup sections
* add initial configuration items and their cleanup
* add SNI with placeholder
* assume Istio with mutual TLS
* use two virtual services for the egress traffic
required due to https://github.com/istio/istio/issues/7361
* add wikipedia subset to the VirtualService
* add a step to check Envoy's statistics
* move the blog post to tasks
* convert blog post to task
fix weight, remove attribution and publish date, replace "blog post" with "task" in text
* change the title of the section for configuring the HTTPS traffic
* route the traffic from the gateway to www.wikipedia.org
* add a motivation for an additional forward proxy
* add instructions for deploying a new egress gateway
* add a config map for Nginx configuration
* escape $ signs in nginx config
* add empty events section to the nginx config
* create nginx config map in istio-system, use nginx.conf key
* add instructions to add nginx container to an egress gateway
* add directing the traffic in egress gateway to localhost
* replace istioctl by kubectl
* add missing apiVersion fields
* unite two virtual services into one
* use ISTIO_MUTUAL instead of MUTUAL
* move wildcard egress task to the advanced egress examples
* fix links and rename task to example
* run the SNI proxy on port 8443
* use full url of the sni-proxy and port 8443
* use ServiceEntry with static IP endpoint 127.0.0.1 for sni-proxy.local
* drop nginx prefix from sni-proxy items
* add a destination rule to disable mTLS to sni-proxy
* fix the logs of the Istio proxy and the SNI proxy
* remove deleting the SNI proxy
* make the name of the SNI proxy's ServiceEntry name to be sni-proxy
* unite the editing steps of the egress gateway with SNI proxy into one step with substeps
* restructure creating/deleting configuration items for egress gateway with SNI proxy
* clarify the virtual rule for egress gateway with SNI proxy
* add wildcarded to .spelling
https://en.wiktionary.org/wiki/wildcarded
* add "hostnames" to .spelling
* put localhost in backticks
* add 127.0.0.1 and localhost in parentheses
* mTLS -> mutual TLS
* add wikipedia to .spelling
* put *.com and *.org and * in backticks
* remove redundant empty line
* add using helm template configVolumes and additionalContainers
* add an explanation about Nginx
* move creating nginx configuration before creating egressgateway with sni proxy deployment
* add a comment about manual editing of the deployment yaml before Istio 1.1
* add a step for verifying that the sni proxy runs
* Configure Egress Gateway -> Configure an Egress Gateway
* we -> you
* remove double "mutual"
* add semicolon, "and", "also" to a sentence about multiple configuration items
* remove redundant the
* This could not always be the case -> However, this may not...
* IP -> IP address
* split the explanation about the requirement for SNI proxy into two paragraphs
* add a link to Envoy proxy
* IP -> IP address, host -> hosts
* split the motivation for the SNI proxy into one more paragraph
* remove two redundant commas
* requests to -> requests sent to
* request -> requests
* Let's reconfigure -> In this section you will configure
* arbitrary -> arbitrary, not preconfigured
* for that functionality -> to achieve that functionality
* split long lines
* add explanation about the port to listen and port to forward for the SNI proxy
* add an explanation about the Nginx configuration
* fix the name of the config map volume, add a link to Config Map Volume kubernetes description
* sent to, destined to -> destined for
* gateway's proxy -> gateway's Envoy proxy
* the counter for the SNI proxy -> the counter for traffic to the SNI proxy
* replace the cleanup section with a reference to the Egress Gateway's cleanup section
* add setting istio.globalNamespace option
* fix a typo in the name parameter of helm template
* add cpu.targetAverageUtilization to the egressgateway deployment
* remove the part: for Istio before 1.1
* rename the egressgateway proxy to be "istio-proxy"
* add printing mixer log
* in cleanup rename nginx-sni-proxy-config to sni-proxy-config
* split a long line
* add configuration for traffic without mTLS
* set-sni-for-egress-gateway -> egressgateway-for-wikipedia
* use local directory instead of $HOME
* create virtual service together with gateway and destination rule
they are depenedant on mTLS between the sidecar and the egress gateway
* add monitoring and policy subsection
* change connection event from close to open
* Cleanup of the monitoring and policy -> Cleanup of monitoring and policy enforcement
* move wildcard egress gateway into advanced gateways examples
* add missing dot at the end of the example description
* replace cat <<EOF | kubectl apply/create -f - with kubectl apply/create -f - <<EOF
* use -l with kubectl logs for the mixer log
* add egress gateway with SNI proxy diagram
* remove mTLS for TLS
* remove mTLS from the first part (without SNI proxy)
* make the section titles shorter
* fix the links to advanced gateway examples
* remove a redundant empty line
* our requests -> your requests
* send requests -> send requests to
* remove mentioning a destination rule to set destination SNI
* add explanation about SNI monitoring and policies
* Update Task/Enabling rate limits, remove validDuration in dimension that is not in redisquota, Move redisserverurl and connectionpoolsize
* Update Task/Enabling rate limits, remove validDuration in dimension that is not in redisquota, Move redisserverurl and connectionpoolsize
* Update index.md
More pods and services have been added since this doc has been written.
* Added more verbose information
Added `Option 1` and `Option 3` outputs.
Signed-off-by: JJ Asghar <jja@ibm.com>
* Fixed formatting.
Opps.
Signed-off-by: JJ Asghar <jja@ibm.com>
* Removed the output
Put the command to verify the setup, but removed the output per
rcaballeromx's suggestion.
Signed-off-by: JJ Asghar <jja@ibm.com>
* Fixed per rcaballeromx suggestions.
- reformatted and fixed the wording.
Signed-off-by: JJ Asghar <jja@ibm.com>
* Istio, not ingress.
🤦
Signed-off-by: JJ Asghar <jja@ibm.com>
* Copy paste mess up.
Removed a dangling copy paste.
Signed-off-by: JJ Asghar <jja@ibm.com>
* Grammar, I think.
- fixed the optionally have line.
Signed-off-by: JJ Asghar <jja@ibm.com>
* More Grammar.
🤘
Signed-off-by: JJ Asghar <jja@ibm.com>
Minikube does the right thing (as of 0.28.1 at least) with creating the embedded CA. The extra-config parameters appear to have been necessary previously and were resolved to use the "right" credentials built by Minikube directly. In fact, passing those parameters appears to break current minikube deployments, making it impossible to create new service accounts and resources that rely on them. (like a tiller service account for a helm deployment of Istio...)
I found this bug that referenced this issue: https://github.com/kubernetes/minikube/issues/1647 which is now closed.
* add Kiali Task to istio.io
add deprecation notice to the SerivceGraph Task
* add some more instructions on getting the Kiali UI to help assist those on environments like minikube
* add cleanup instructions for kiali
* simplify the section to determine kiali url
* use present tense
* more present tense changes
split up the "Send traffic" item into two actions.
* more verb tense changes to get things more into present tense
* updates based on some feedback
* re-write the "determine kiali url" section
* split login step into two steps - visit with browser, then login
* reword some of the steps involving logging in and looking at the initial pages.
* reword the graph type step - use list items, not numbered, for the different types. Adds the new service graph type.
* reword the examine istio config step
* changes to the api section
* some final changes of the api section and the cleanup section
* trivial fix to capitalization
* some small trivial changes
- Auto-generate tables of template->adapters and adapter->templates
- Make the "Edit this page on GitHub" menu option track the branch correctly instead of always pointing to master.
- Update the reference docs.
The destination.service attribute is being deprecated in the favor of
destination.service.host. This commit updates the match expression in
the TCP metrics guide to reflect the same.
Signed-off-by: Venil Noronha <veniln@vmware.com>
Partner components (adapters not controlled by the Istio org) are now
called out as such on their page. Component authors have a chance to put
all sorts of info about their component to make it easy for customers
to find and use their component.
* Site improvements.
- For SVG images, authors no longer need to specify image ratios
(which is a constant source of errors)
- Move more icons into the new icons.svg file to further reduce
average page load times.
- Rationalize Istio logo file names.
- Improve underlining behavior for sidebar headers and the RSS feed
Subscribe link.
- Made the RSS feed subscribe link open in a new tab.
- Increase the constract ratio for some elements in dark mode
text blocks (namely, YAML field names)
- Reduce the "brightness" of the light bulb icon which helps it
not pop so much in dark mode.
- Optimize the fonts we load and the order we load them in so as to improve page load time and
reduce the initial render time.
* Sadly, embedding SVGs into the HTML results in duplicate element ids, which is invalid HTML :-(
- Use a new approach to managing icons. This has two primary benefits:
- It makes it possible to color the icons such that they look good in the
dark theme. Previously, the icons were rendered in black on dark grey when
using the dark theme.
- The average payload size for our web pages is reduced and we better use the
browser cache.
- The new icon approach makes it possible to remove our dependency on the fontawesome
package, which further slims down our payload requirement
- Refresh our iconography for a slightly lighter look.
- Remove the extra thick left-hand border of text blocks to lighten the
look.
- Added a "NN minutes to read" indication on top of each page. This is
only displayed if the count is > 1 minute.
- Added a calendar icon next to the blog post date.
- Exposed a bunch of strings that were buried in CSS/JS to translation.
- Add the 'keywords:' front-matter fields to the Hugo archetypes.
* Add docker-for-desktop installation note
A default istio helm install under kubernetes running in docker-for-desktop wasn't working because pilot was reserving too much memory. Added documentation to work around this
* Update index.md
* Create index.md
* Update index.md
* Update index.md
* Update index.md
* Rename content/docs/setup/kubernetes/platform-setup/index.md to content/docs/setup/kubernetes/platform-setup/docker-for-desktop/index.md
* Update index.md
* Update index.md
quoted memory allocation, capitalized Kubernetes
* check the logs of all the telemetry pods
* filter log entries
remove entries sent to pilot, telemetry, policy and unknown destinations
* use kubectl logs -l instead of applying kubectl logs on selected pods
* documentation for RBAC policy permissive mode
* update permissive mode sample for global RBAC config
* address comment
* move permissive section to the top
* add more words for expected user experience
* seperate two senarios to use permissive
1. turn on RBAC 0 -> 1
2. add new policy
* rename rbac->authorization, move to concept page
* address comment
* address comment
* initial version
* add the steps to Generate client and server certificates and keys section
* extend the description of the example
explain about the NGINX service
* add creating namespace, secrets and nginx configuration
* add creating of nginx-configmap
* add deployment of NGINX
* finalize the NGINX config
* move creating client certificates into the section of redeploying Egress gateway
* add instructions for generating and deploying istio-egressgateway.yaml
* update the description
* nginx.example.com -> my-nginx.mesh-external.svc.cluster.local
* change the title and description to mutual TLS to extrnal services
* add mTLS origination and cleanup
* change the port of nginx to 443
* update the output and the log with actual content
* add test NGINX deployment section
* add missing dot in page description
* Nginx -> NGINX
* change dots to semicolons before command blocks
* add volumes to the sleep deployment
* add sending requests to the NGINX server
* renamed the directory: mtls-egress-gateway -> egress-gateway-mtls-origination
* remove redundant whitespaces
* fix dead link (missing leading slash)
* change the name of the port 443 to be https and protocol HTTPS
* add endpoints section to the service entry
* replace internal kubernetes address with nginx.example.com
* change we to you
* expand the introduction to explain using NGINX and nginx.example.com
* remove before you begin section
* use sleep container in the default namespace to test both NGINX and egress gateway
* add port 80 to the ServiceEntry
* remove the second definition of the ServiceEntry
* use resolve option in testing mTLS
* change container name from egressgateway to istio-proxy
* simplify the introduction
* make Egress Gateway lower case
* make the introduction present tense
* replace pushd/popd with cd, since they are not POSIX
* add missing article
* remove cross referencing with regard to generating certificates/keys
* add "namely" to mesh-external namespace
* the NGINX -> the NGINX server
* sleep container -> sleep pod
* rephrase the text about --resolve option of curl
* rephrase the sentence about prompts
When prompted, select `y` for all the questions. ->
Select `y` for all prompts that appear.
* move egress-gateway-mtls-origination into advaanced gateway examples
* fixed links to the advanced gateways examples
* add "configuring NAT devices to drop packets that do not originate at the egress gateways"
* add Network Policy section
* make sentences present tense
* remove the labels
* rewrite the additional security considerations section
* Network Policy -> network policy
* add cleanup step for the configuring HTTPS egress gateway section
* a malicious application attacks -> attackers bypass
* egressgateway -> egress gateway
* kube-system DNS service -> the kube-system DNS service
* test-egress namespace -> the test-egress namespace
* no Istio sidecar was attached -> with no Istio sidecar attached
* must succeed -> will succeed
* by first enabling, then redeploy
* Add setup doc for ICP
* Modify the title "Upgrate and Rollback" to "Upgrate or Rollback"
* add diagrams to highlight action
* fix some spelling errors
* use consistent font for UI items and fix some grammatical mistake.
If mTLS is enabled we need an additional instruction in the
DestinationRule object, otherwise we break traffic to httpbin
service.
While on that, also change the Mirroring task note to be the same.
Chunlin Yang
Shriram Rajagopalan
John Mazzitelli
Jonh Wendell
Brian Avery
Frank Budinsky
Rigs Caballero
xavierbaude
mtail
Quanjie Lin
x15zhang
l10xbin
Vadim Eisenberg
Jinming Yue
Yangmin Zhu
Guilherme Baufaker Rêgo
Jason Young
Julien Senon
Pedro Spagiari
JJ Asghar
Robert Starmer
Kent Hua
Vincent
Martin Taillefer
Clement Labbe
Tao Li
Fernando Carletti
Venil Noronha
hackerman
Lin Sun
lei-tang
AdamDang
Oliver Liu
sshucker
Dmitri Dolguikh
Steven Dake
Medya Gh
Guihua Zhu
Rachael Graham
Matthieu Maquevice
skeeey
flydragon