* WIP Add Kubernetes Installation landing page.
This adds the landing page and organizes the content to make it easier to navigate.
Signed-off-by: rcaballeromx <grca@google.com>
* Apply initial feedback on landing page content.
Signed-off-by: rcaballeromx <grca@google.com>
* Rename and move files to enhance navigation.
Added aliases to redirect after filename changes.
Signed-off-by: rcaballeromx <grca@google.com>
* Harmonize all installation guide titles and intros.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix all links affected by the restructure.
Fixed all internal links and added aliases to ensure external redirects.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix paths of images on the ZH content.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix additional links and apply feedback.
Signed-off-by: rcaballeromx <grca@google.com>
* Fix link error introduced by rebase.
Signed-off-by: rcaballeromx <grca@google.com>
* Remove redundant instances of "Istio" in titles.
Signed-off-by: rcaballeromx <grca@google.com>
- Add linter support to detect internal links to aliases. Those are now flagged as
bad links so the source needs to be updated to point to the real destination,
avoiding the user a redirect.
- Fixed occurrences of links to aliases.
- Now only load popper.js on pages that use popups in order to improve
load times.
* Update mutual tls deepdive doc to reflect the new authn tls-check behavior
* Also update FAQ
* Correct grammar
* Update content/docs/tasks/security/mutual-tls/index.md
Co-Authored-By: diemtvu <25132401+diemtvu@users.noreply.github.com>
* Address comment
* Also include changes to fix #11825
* Change the example to show default DR to avoid confusion
* Correct change the example to show default DR to avoid confusion
* Update content/docs/tasks/security/mutual-tls/index.md
Co-Authored-By: diemtvu <25132401+diemtvu@users.noreply.github.com>
* Update content/docs/tasks/security/mutual-tls/index.md
Co-Authored-By: diemtvu <25132401+diemtvu@users.noreply.github.com>
* Update namespace for global destination rule
* Update content/docs/tasks/security/mutual-tls/index.md
Co-Authored-By: diemtvu <25132401+diemtvu@users.noreply.github.com>
* Reference helm install docs rather than duplicating
Multicluster gateway installation docs were out of sync from install docs. This changes them to just directly reference the main install docs to make things more clear.
* Fix syntax
* Kiali jaegerURL should use jaeger-query service.
Prior to change, while using the tracing service on port 90 for the jaegerURL, kiali would never get metrics to compose the service graphs.
Switching jaegerURL to jaeger-query service on port 16686 fixes the issue. After traffic is generated the service graphs are built and visible in kiali.
* Remove clusterIP Query for grafana and jaeger-query services
* Update the IBM Cloud Quick start
- Use a demo profile for lower resources
- Update to mention tested Kubernetes releases
- use helm-service-account-yaml
- updated helm commands for CRDS, etc.
* Review comments
* Rebase to pick up a new commit
* Change tip from previous to following
* Update CRD verification text
* Update CRD verification text
- Added a section for using the new Istio add-on for IKS clusters
- update IKS command to use --export. Not sure if we can totally move
new ks command syntax yet.
* Tidy up the installation instructions
We use our Istio.io charts distribution mechanism extensively in this
documentation rework. Helm is a great package manager, and does a pretty
decent job of distributing packages. These are not advanced features of
helm manifests - but instead tried and tested CLI operations that have been
around since the dawn of Helm. While we have made a call not to use advanced
features of helm manifests, using more advanced workflows (helm cli commands)
with Helm are expected by operators.
* Fix linting errors
The --name in helm template was istio-egressgateway. This generated a release name of istio-egressgateway. The one from the helm template was istio. This led to an error when attempting to apply.
* Adds documentation related to experimental RBAC
This adds documentation related to the newly introduced experimental
key.
Signed-off-by: Venil Noronha <veniln@vmware.com>
* Update experimental constraint key
This updates the experimental constraint key and related documentation.
Signed-off-by: Venil Noronha <veniln@vmware.com>
* networking -> network connectivity
* single control plane topology -> single control plane topology with VPN connectivity
* a single control plane topology with VPN connectivity -> a single control plane with VPN connectivity topology
* Simplify instructions by using labels selector on the helloworld yaml
* Added missing local context
* Renamed secret and config names for the remote k8s api
* Wrap into a warning section
* local->cluster1 remote->cluster2
* Review comments addressed
* Review comments addressed
* Moved the gateway up to the cluster 1 setup section and make it a generic gateway
* Review comments addressed
* split single control plane topology into two cases,
with and without VPN connectivity, so all the three topologies will appear in
the table of contents, and could be referenced from other documents
* make titles of subsections shorter, make connectivity lower case
* The wording in step 3 (individual workloads view) is odd.
In step 3 (individual workloads view), workloads is plural, which it shouldn't be, and the sentences starting with "Also, gives", are worded oddly.
* Updated text as per review comments
* note HTTP-related attributes -> notice the HTTP-related attributes
* related to Istio sidecar -> related to the Istio sidecar
* rewrite the sentence about ports and the installation option
use port 8000 instead of 443, to generate less confusion
* no HTTP service or service entry -> no HTTP service and no service entry
* extend understanding what happened with the third approach
* change section titles
* split the cleanup section into cleanup subsections
* fix links
* must not -> do not need to
* rewrite the sentence about switching to the first approach
* per specific port, gaining -> for specific ports, enabling
* A caveat is that some ports, for example port 80, already have HTTP
services inside Istio by default
* In this approach, similarly to the previous one -> With this approach, like with the previous one
* approaches can be applied -> approaches can be used
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* split long lines
* split long lines
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Revert "Update content/docs/tasks/traffic-management/egress/index.md"
This reverts commit febb76edc9.
* rewrite the sentence about the installation option and add a link to installation options
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove duplicate text
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* Update content/docs/tasks/traffic-management/egress/index.md
Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>
* remove a redundant empty line
* address the reader directly
* document file names used in external certificate configuration
* rephrased to clarify based on PR feedback
* note using different names requires reconfiguration
- Ensure that references to GitHub content use the proper annotations so
we get links to the correct branches.
- Added a check to make sure content is not using blockquotes (instead of
{{< warning >}}, {{< tip >}}, and {{< idea >}}). This check is currently
disabled, pending the Chinese content being updated.
- Fix a few violations of these new checks.
* Update the SDS doc.
* Small fix.
* Small fix.
* Small fix.
* Update content/docs/tasks/security/auth-sds/index.md
Co-Authored-By: myidpt <yonggangl@google.com>
* Apply suggestions from code review
Co-Authored-By: myidpt <yonggangl@google.com>
* Small fix according to the comments.
* Updated to install istio remote using values file
* Few unrelated doc fixes
* Remove zipkin and statsd flags as they are unsupported
* Revert "Few unrelated doc fixes"
This reverts commit 038096d137.
* Few more minor updates
* Switch to port 15443
* Break on-line helm commands
* Trailing space
* Put back some default istio features after verifying mc still works
* Add remote mixer addresses
* Formatting
* Specify container for cleaner output
* Wrong place
* use port 80 with protocol HTTPS for mTLS on egress gateway
* rewrite the instructions about why to apply mutual TLS
* make the protocol of 443 HTTPS
* allow monitor -> allow to monitor
* add Install Istio with access to all the external services by default
* fix a typo: copule -> couple
* add a call to cnn
* instal -> install
* replace ; with ,
* add a couple of requests to HTTPS services before changing the config map
to show that they are blocked
* do not delete pilot, it listens to the changes of the config map
* no need to reinstall/update -> no need to update
* add 'Change back to the blocking-by-default policy' section
* perfromed -> performed
* all the services -> all services
* instruct Istio proxy -> instruct the Istio proxy
* no HTTP service exist -> no HTTP service exists
* all the access ... will be blocked -> all accesses ... is blocked
* Unindent the block content
* blocked now -> now blocked
* Revert "add a couple of requests to HTTPS services before changing the config map"
This reverts commit 848171c041.
* Correct command to append output to istio.yaml, instead of replacing
* Also correct the command to enable mTLS globally. control plane and global mtls need to be set to true together, at least for now.
* Refactor the authorization task
- Move the permissive mode to a standalone task
- Rename the group/list claim support to align with other tasks
- Re-order to put the basic HTTP/TCP task first
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
* Fix links.
* resolve comments.
* Address comments.
Currently, the command line snippet for setting up multi-cluster Istio
with Helm is confined to a single line. This makes it difficult to read
without having to scroll horizontally to read the entire command.
Update the command to be multi-line.
Signed-off-by: Nick Travers <n.e.travers@gmail.com>
Updated tablegen.py to process the configuration options from the values.yaml
files under /istio/install/kubernetes/heml/subcharts directory and the
remaining configuration options like global, istiocoredns, istio_cni from
values.yaml under /istio/install/kubernetes/helm/istio directory.
* add a step to confirm that Bookinfo is running without ingress
to verify that the app with Istio runs correctly without ingress,
to separate Istio installation errors from Ingress configuration
errors, to prevent questions like these
https://stackoverflow.com/questions/54307216/istio-proxy-unable-to-connect-to-istio-pilot
* fix the links to the renamed section (confirm the app is accessible...)
* put the instructions to kill the pod after checking that the key/certificate are loaded
* add "if you created the secret, but..." before killing the pod
* the secret <secret name> -> the <secret name> secret
* kill -> delete
* Add new setup instructions about istio-cni
* Fix review nits.
* Add Istio CNI to about/features as an alpha status feature
* Reword intro and installation steps
* Add sidecar injection compatibility info
* fix review comments
* Fix wording nits from sdake
* Fix nits and formatting comments from geeknoid.
* Added general CNI spec link and Istio k8s requirements link.
* Add a user guide for Istio Vault CA integration
* Fix lint errors
* Use helm template values to simplify the config
* Address review comments
* Fix the link in a command
* Small fixes
- Fix formatting for the Subscribe link on blog pages. That got broken in some refactoring I did a while back.
- Remove a few *NOTE* and _NOTE_ instances and replace with the canonical icons
- Add a link to our community repo in the Getting Involved page.
* add a tab section about mTLS
* remove leftover ";done"
* remove SNI monitoring and policy enforcement section
* add explanation why mTLS between sidecars and egress gateways is needed
* add mTLS enabled/disabled tabs to the egress MongoDB blog post
* remove placeholder SNI in logs
* add forward_downstream_sni and sni_verifier filters for wildcard TLS hosts
* add a required empty line
* make the sentence about enabling mTLS a note
* add inline comment in the yamls regarding the SNI filters
* a couple of filters -> Envoy filters
* rewrite the sentence why the SNI filters are used
* fix "so that policies will be enforced based on the original SNI value"
* prevents a possibility for deceiving Mixer -> prevents Mixer from being deceived
* will not match -> does not match
* make note ('>') one line to make lint happy
* initial version
* split a long line
* rephrase the sentence "Now, you configured..."
* add a requirement that mTLS is enabled
* remove leftover ';done'
* add monitoring and policy enforcement of SNI and source identity
* the logentry -> logentry
* that will allow -> that allows
* replace URL with Wikipedia in English
* clarify the examples in SNI monitoring, blocked vs. allowed
* Extend the introduction to monitoring/policies by source identity
* replace backticks with italics for sleep-us and sleep-canada
* the logentry -> logentry
* the sidecar proxy -> the sidecar proxies
* fix the names of the service accounts in cleanup
* it should be -> it must be
* services -> applications
* add: Access to other Wikipedia sites will be blocked
* inline the command to kill mixer pods
* add clarification about the access to Wikipedia sites from sleep-canada
* fix format of cleanup of monitoring/policies by source
* replace italics with backticks for sleep-us and sleep-canada due to spellchecker
* add a missing empty line
* Revert "inline the command to kill mixer pods"
This reverts commit 780913253d.
* of the source of traffic -> of the traffic source
* allows access -> allows to access
* delete "namely"
* Wikipedia -> the Wikipedia