* Updated to install istio remote using values file
* Few unrelated doc fixes
* Remove zipkin and statsd flags as they are unsupported
* Revert "Few unrelated doc fixes"
This reverts commit 038096d137.
* Few more minor updates
* Switch to port 15443
* Break on-line helm commands
* Trailing space
* Put back some default istio features after verifying mc still works
* Add remote mixer addresses
* Formatting
* Specify container for cleaner output
* Wrong place
* use port 80 with protocol HTTPS for mTLS on egress gateway
* rewrite the instructions about why to apply mutual TLS
* make the protocol of 443 HTTPS
* allow monitor -> allow to monitor
* add a step to confirm that Bookinfo is running without ingress
to verify that the app with Istio runs correctly without ingress,
to separate Istio installation errors from Ingress configuration
errors, to prevent questions like these
https://stackoverflow.com/questions/54307216/istio-proxy-unable-to-connect-to-istio-pilot
* fix the links to the renamed section (confirm the app is accessible...)
- Fix formatting for the Subscribe link on blog pages. That got broken in some refactoring I did a while back.
- Remove a few *NOTE* and _NOTE_ instances and replace with the canonical icons
- Add a link to our community repo in the Getting Involved page.
* add a tab section about mTLS
* remove leftover ";done"
* remove SNI monitoring and policy enforcement section
* add explanation why mTLS between sidecars and egress gateways is needed
* add mTLS enabled/disabled tabs to the egress MongoDB blog post
* remove placeholder SNI in logs
* add forward_downstream_sni and sni_verifier filters for wildcard TLS hosts
* add a required empty line
* make the sentence about enabling mTLS a note
* add inline comment in the yamls regarding the SNI filters
* a couple of filters -> Envoy filters
* rewrite the sentence why the SNI filters are used
* fix "so that policies will be enforced based on the original SNI value"
* prevents a possibility for deceiving Mixer -> prevents Mixer from being deceived
* will not match -> does not match
* make note ('>') one line to make lint happy
* initial version
* split a long line
* rephrase the sentence "Now, you configured..."
* add a requirement that mTLS is enabled
* remove leftover ';done'
* add monitoring and policy enforcement of SNI and source identity
* the logentry -> logentry
* that will allow -> that allows
* replace URL with Wikipedia in English
* clarify the examples in SNI monitoring, blocked vs. allowed
* Extend the introduction to monitoring/policies by source identity
* replace backticks with italics for sleep-us and sleep-canada
* the logentry -> logentry
* the sidecar proxy -> the sidecar proxies
* fix the names of the service accounts in cleanup
* it should be -> it must be
* services -> applications
* add: Access to other Wikipedia sites will be blocked
* inline the command to kill mixer pods
* add clarification about the access to Wikipedia sites from sleep-canada
* fix format of cleanup of monitoring/policies by source
* replace italics with backticks for sleep-us and sleep-canada due to spellchecker
* add a missing empty line
* Revert "inline the command to kill mixer pods"
This reverts commit 780913253d.
* of the source of traffic -> of the traffic source
* allows access -> allows to access
* delete "namely"
* Wikipedia -> the Wikipedia
* An example for configuring and verifying split horizon EDS
* Add period to end of description
* Minor change
* Minor typo
* Comments by Lin Sun addressed
* Addressed @frankbu review comments and cross referenced with the concept doc
* add before-you-begin-egress boilerplate and use it in one case
* move the boilerplate into content
* replace before-you-begin section for egress task/examples
* remove egress related details from the boilerplate
- The width value now defaults to 100%, so it doesn't need to be specified explicitly
in many cases.
- The ratio value can now be computed automatically for PNG and JPG files, so it doesn't need
to be specified explicitly.
Force merge because circleci errors are unrelated.
* which will be used -> which you will use
* note that any pod ... will do -> note that you can use any pod that ...
* add missing "example" word
* Create a shell variable to hold -> Create the `SOURCE_POD` environment variable to store
* remove "if you use the sleep sample"
* For this example -> For the sake of this example only
* by a Kubernetes service -> by the domain name of a Kubernetes service
* showed how you can -> shows how to
* Update content/docs/examples/advanced-gateways/http-proxy/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* cases when you must use -> cases require
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Simplify the sentence about using any pod with curl
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* simplify the sentence about creating SOURCE_POD
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Remove "for the sake of"
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* the pod of the proxy -> the proxy's pod
* TCP (!) -> TCP (not HTTP!)
* rewrite the sentence about Squid and HTTPS proxy
* clarify the automatic sidecar injection for the new namespace
* clarify the sentence about the IP address of the pod
* variable to hold -> variable to store
* clarified the summary after the deployment and testing of HTTPS proxy
* its traffic is controlled by Istio -> Istio controls its traffic
* by a Kubernetes service -> by the domain name of a Kubernetes service
* shows how you to -> shows how to
* remove a leftover from a previous editing
* split a long line
* though -> through
* outside the cluster -> outside of the cluster
* remove redundant whitespace
* rewrite the sentence about starting sleep sample
* HTTP CONNECT -> HTTP Connect
* rewrite the motivation for TCP service entry instead of HTTP
* rewrite another case of passive voice related to using HTTP CONNECT
* In this example -> in this case, hold -> store
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* proxy outside the cluster -> proxy being outside the cluster
* The next step is to -> Next, you must
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* has sidecar injected -> has a sidecar
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* rewrite understanding what happened section to make it as a list
* simplify Understanding what happened section
make it more high level
* remove a trailing whitespace
* rewrite the sentence about creating a namespace without labeling
* combine the sentences about not labeling for sidecar injection
When I tried testing the application with `curl`, I got `000` as response.
For my environment, escaping the braces results in the variable not being expanded.
But because of outputting to `/dev/null`, I didn't see the error message `curl: (6) Could not resolve host: ${GATEWAY_URL}`
I'm using zsh under macOS.
* initial version
* ServiceEntry -> service entry (in text)
* config map -> `ConfigMap`
* fix a link
* task -> example
* through such proxy -> through it
* elaborate what has been done after the proxy is deployed and tested
* split a long line
* explain why there is no need to define service entries for external services accessed through the proxy
* rewrite the sentence about simulating the proxy outside the cluster
* check the log and see your request -> check the log for your request
* HTTP CONNECT method -> the HTTP CONNECT method
* between the application and the proxies -> between the application and the proxy
* add explanation how this example is different from other egress examples
* add initial skeleton of the wildcard https egress gateway blog post
* fixed the links and bare URLs
* add missing 'the'
* complete the Background section
* add before you begin and cleanup sections
* add initial configuration items and their cleanup
* add SNI with placeholder
* assume Istio with mutual TLS
* use two virtual services for the egress traffic
required due to https://github.com/istio/istio/issues/7361
* add wikipedia subset to the VirtualService
* add a step to check Envoy's statistics
* move the blog post to tasks
* convert blog post to task
fix weight, remove attribution and publish date, replace "blog post" with "task" in text
* change the title of the section for configuring the HTTPS traffic
* route the traffic from the gateway to www.wikipedia.org
* add a motivation for an additional forward proxy
* add instructions for deploying a new egress gateway
* add a config map for Nginx configuration
* escape $ signs in nginx config
* add empty events section to the nginx config
* create nginx config map in istio-system, use nginx.conf key
* add instructions to add nginx container to an egress gateway
* add directing the traffic in egress gateway to localhost
* replace istioctl by kubectl
* add missing apiVersion fields
* unite two virtual services into one
* use ISTIO_MUTUAL instead of MUTUAL
* move wildcard egress task to the advanced egress examples
* fix links and rename task to example
* run the SNI proxy on port 8443
* use full url of the sni-proxy and port 8443
* use ServiceEntry with static IP endpoint 127.0.0.1 for sni-proxy.local
* drop nginx prefix from sni-proxy items
* add a destination rule to disable mTLS to sni-proxy
* fix the logs of the Istio proxy and the SNI proxy
* remove deleting the SNI proxy
* make the name of the SNI proxy's ServiceEntry name to be sni-proxy
* unite the editing steps of the egress gateway with SNI proxy into one step with substeps
* restructure creating/deleting configuration items for egress gateway with SNI proxy
* clarify the virtual rule for egress gateway with SNI proxy
* add wildcarded to .spelling
https://en.wiktionary.org/wiki/wildcarded
* add "hostnames" to .spelling
* put localhost in backticks
* add 127.0.0.1 and localhost in parentheses
* mTLS -> mutual TLS
* add wikipedia to .spelling
* put *.com and *.org and * in backticks
* remove redundant empty line
* add using helm template configVolumes and additionalContainers
* add an explanation about Nginx
* move creating nginx configuration before creating egressgateway with sni proxy deployment
* add a comment about manual editing of the deployment yaml before Istio 1.1
* add a step for verifying that the sni proxy runs
* Configure Egress Gateway -> Configure an Egress Gateway
* we -> you
* remove double "mutual"
* add semicolon, "and", "also" to a sentence about multiple configuration items
* remove redundant the
* This could not always be the case -> However, this may not...
* IP -> IP address
* split the explanation about the requirement for SNI proxy into two paragraphs
* add a link to Envoy proxy
* IP -> IP address, host -> hosts
* split the motivation for the SNI proxy into one more paragraph
* remove two redundant commas
* requests to -> requests sent to
* request -> requests
* Let's reconfigure -> In this section you will configure
* arbitrary -> arbitrary, not preconfigured
* for that functionality -> to achieve that functionality
* split long lines
* add explanation about the port to listen and port to forward for the SNI proxy
* add an explanation about the Nginx configuration
* fix the name of the config map volume, add a link to Config Map Volume kubernetes description
* sent to, destined to -> destined for
* gateway's proxy -> gateway's Envoy proxy
* the counter for the SNI proxy -> the counter for traffic to the SNI proxy
* replace the cleanup section with a reference to the Egress Gateway's cleanup section
* add setting istio.globalNamespace option
* fix a typo in the name parameter of helm template
* add cpu.targetAverageUtilization to the egressgateway deployment
* remove the part: for Istio before 1.1
* rename the egressgateway proxy to be "istio-proxy"
* add printing mixer log
* in cleanup rename nginx-sni-proxy-config to sni-proxy-config
* split a long line
* add configuration for traffic without mTLS
* set-sni-for-egress-gateway -> egressgateway-for-wikipedia
* use local directory instead of $HOME
* create virtual service together with gateway and destination rule
they are dependent on mTLS between the sidecar and the egress gateway
* add monitoring and policy subsection
* change connection event from close to open
* Cleanup of the monitoring and policy -> Cleanup of monitoring and policy enforcement
* move wildcard egress gateway into advanced gateways examples
* add missing dot at the end of the example description
* replace cat <<EOF | kubectl apply/create -f - with kubectl apply/create -f - <<EOF
* use -l with kubectl logs for the mixer log
* add egress gateway with SNI proxy diagram
* remove mTLS for TLS
* remove mTLS from the first part (without SNI proxy)
* make the section titles shorter
* fix the links to advanced gateway examples
* remove a redundant empty line
* our requests -> your requests
* send requests -> send requests to
* remove mentioning a destination rule to set destination SNI
* add explanation about SNI monitoring and policies
- Use a new approach to managing icons. This has two primary benefits:
- It makes it possible to color the icons such that they look good in the
dark theme. Previously, the icons were rendered in black on dark grey when
using the dark theme.
- The average payload size for our web pages is reduced and we better use the
browser cache.
- The new icon approach makes it possible to remove our dependency on the fontawesome
package, which further slims down our payload requirement
- Refresh our iconography for a slightly lighter look.
- Remove the extra thick left-hand border of text blocks to lighten the
look.
- Added a "NN minutes to read" indication on top of each page. This is
only displayed if the count is > 1 minute.
- Added a calendar icon next to the blog post date.
- Exposed a bunch of strings that were buried in CSS/JS to translation.
- Add the 'keywords:' front-matter fields to the Hugo archetypes.
* initial version
* add the steps to Generate client and server certificates and keys section
* extend the description of the example
explain about the NGINX service
* add creating namespace, secrets and nginx configuration
* add creating of nginx-configmap
* add deployment of NGINX
* finalize the NGINX config
* move creating client certificates into the section of redeploying Egress gateway
* add instructions for generating and deploying istio-egressgateway.yaml
* update the description
* nginx.example.com -> my-nginx.mesh-external.svc.cluster.local
* change the title and description to mutual TLS to external services
* add mTLS origination and cleanup
* change the port of nginx to 443
* update the output and the log with actual content
* add test NGINX deployment section
* add missing dot in page description
* Nginx -> NGINX
* change dots to semicolons before command blocks
* add volumes to the sleep deployment
* add sending requests to the NGINX server
* renamed the directory: mtls-egress-gateway -> egress-gateway-mtls-origination
* remove redundant whitespaces
* fix dead link (missing leading slash)
* change the name of the port 443 to be https and protocol HTTPS
* add endpoints section to the service entry
* replace internal kubernetes address with nginx.example.com
* change we to you
* expand the introduction to explain using NGINX and nginx.example.com
* remove before you begin section
* use sleep container in the default namespace to test both NGINX and egress gateway
* add port 80 to the ServiceEntry
* remove the second definition of the ServiceEntry
* use resolve option in testing mTLS
* change container name from egressgateway to istio-proxy
* simplify the introduction
* make Egress Gateway lower case
* make the introduction present tense
* replace pushd/popd with cd, since they are not POSIX
* add missing article
* remove cross referencing with regard to generating certificates/keys
* add "namely" to mesh-external namespace
* the NGINX -> the NGINX server
* sleep container -> sleep pod
* rephrase the text about --resolve option of curl
* rephrase the sentence about prompts
When prompted, select `y` for all the questions. ->
Select `y` for all prompts that appear.
* move egress-gateway-mtls-origination into advanced gateway examples
* fixed links to the advanced gateways examples
* add "configuring NAT devices to drop packets that do not originate at the egress gateways"
* add Network Policy section
* make sentences present tense
* remove the labels
* rewrite the additional security considerations section
* Network Policy -> network policy
* add cleanup step for the configuring HTTPS egress gateway section
* a malicious application attacks -> attackers bypass
* egressgateway -> egress gateway
* kube-system DNS service -> the kube-system DNS service
* test-egress namespace -> the test-egress namespace
* no Istio sidecar was attached -> with no Istio sidecar attached
* must succeed -> will succeed
* by first enabling, then redeploy