From 3ccf8672520cb3efe301bcbb701484b5e18c4152 Mon Sep 17 00:00:00 2001 From: Daniel Hawton Date: Wed, 4 May 2022 09:36:33 -0600 Subject: [PATCH 01/21] add tests to gateway setup
---
 .../setup/additional-setup/gateway/index.md | 2 +- .../setup/additional-setup/gateway/snips.sh | 167 ++++++++++++++++++ .../setup/additional-setup/gateway/test.sh | 65 +++++++ 3 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 content/en/docs/setup/additional-setup/gateway/snips.sh create mode 100644 content/en/docs/setup/additional-setup/gateway/test.sh
diff --git a/content/en/docs/setup/additional-setup/gateway/index.md b/content/en/docs/setup/additional-setup/gateway/index.md
index d62d8bcf84bc..91c9065e824e 100644
--- a/content/en/docs/setup/additional-setup/gateway/index.md
+++ b/content/en/docs/setup/additional-setup/gateway/index.md
@@ -4,7 +4,7 @@ description: Install and customize Istio Gateways.
 weight: 40
 keywords: [install,gateway,kubernetes]
 owner: istio/wg-environments-maintainers
-test: no
+test: yes
 ---
 
 Along with creating a service mesh, Istio allows you to manage [gateways](/docs/concepts/traffic-management/#gateways),
diff --git a/content/en/docs/setup/additional-setup/gateway/snips.sh b/content/en/docs/setup/additional-setup/gateway/snips.sh
new file mode 100644
index 000000000000..e8cfaceba01b
--- /dev/null
+++ b/content/en/docs/setup/additional-setup/gateway/snips.sh
@@ -0,0 +1,167 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/setup/additional-setup/gateway/index.md +#################################################################################################### + +! read -r -d '' snip_deploying_a_gateway_1 <<\ENDSNIP +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: ingressgateway + namespace: istio-ingress + enabled: true + label: + # Set a unique label for the gateway. This is required to ensure Gateways + # can select this workload + istio: ingressgateway + values: + gateways: + istio-ingressgateway: + # Enable gateway injection + injectionTemplate: gateway +ENDSNIP + +snip_deploying_a_gateway_2() { +kubectl create namespace istio-ingress +istioctl install -f ingress.yaml +} + +snip_deploying_a_gateway_3() { +kubectl create namespace istio-ingress +helm install istio-ingress istio/gateway -n istio-ingress +} + +! 
read -r -d '' snip_deploying_a_gateway_4 <<\ENDSNIP +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-ingress +spec: + type: LoadBalancer + selector: + istio: ingressgateway + ports: + - port: 80 + name: http + - port: 443 + name: https +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway + namespace: istio-ingress +spec: + selector: + matchLabels: + istio: ingressgateway + template: + metadata: + annotations: + # Select the gateway injection template (rather than the default sidecar template) + inject.istio.io/templates: gateway + labels: + # Set a unique label for the gateway. This is required to ensure Gateways can select this workload + istio: ingressgateway + # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name" + sidecar.istio.io/inject: "true" + spec: + containers: + - name: istio-proxy + image: auto # The image will automatically update each time the pod starts. +--- +# Set up roles to allow reading credentials for TLS +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds + namespace: istio-ingress +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds + namespace: istio-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: default +ENDSNIP + +snip_deploying_a_gateway_5() { +kubectl create namespace istio-ingress +kubectl apply -f ingress.yaml +} + +! read -r -d '' snip_gateway_selectors_1 <<\ENDSNIP +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: gateway +spec: + selector: + istio: ingressgateway +... +ENDSNIP + +! 
read -r -d '' snip_canary_upgrade_advanced_1 <<\ENDSNIP +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway-canary + namespace: istio-ingress +spec: + selector: + matchLabels: + istio: ingressgateway + template: + metadata: + annotations: + inject.istio.io/templates: gateway + labels: + istio: ingressgateway + istio.io/rev: canary # Set to the control plane revision you want to deploy + spec: + containers: + - name: istio-proxy + image: auto +ENDSNIP + +snip_canary_upgrade_advanced_2() { +kubectl get endpoints -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" +} + +! read -r -d '' snip_canary_upgrade_advanced_2_out <<\ENDSNIP +NAME PODS +istio-ingressgateway istio-ingressgateway-788854c955-8gv96,istio-ingressgateway-canary-b78944cbd-mq2qf +ENDSNIP diff --git a/content/en/docs/setup/additional-setup/gateway/test.sh b/content/en/docs/setup/additional-setup/gateway/test.sh new file mode 100644 index 000000000000..4d8546eddf23 --- /dev/null +++ b/content/en/docs/setup/additional-setup/gateway/test.sh 
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+
+set -o pipefail
+
+# @setup profile=none
+function rebuild() {
+ istioctl x uninstall --purge --skip-confirmation
+ kubectl delete namespace istio-ingress
+ istioctl install --skip-confirmation --set profile=minimal
+}
+
+# rewrite-repo invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses
+# local files
+# shellcheck disable=SC2001
+function rewrite-repo() {
+ # get function definition: https://stackoverflow.com/a/6916952/374797
+ cmd="$(type "${1:?snip}" | sed '1,3d;$d')"
+ cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')"
+ cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')"
+ cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')"
+ eval "${cmd} --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest} --wait"
+}
+
+istioctl install --skip-confirmation --set profile=minimal
+_wait_for_deployment istio-system istiod
+
+# shellcheck disable=SC2154
+cat <ingress.yaml
+$snip_deploying_a_gateway_1
+EOF
+
+echo y | snip_deploying_a_gateway_2
+_wait_for_deployment istio-ingress ingressgateway
+
+rebuild
+rewrite-repo snip_deploying_a_gateway_3
+_wait_for_deployment istio-ingress istio-ingress
+
+rebuild
+# shellcheck disable=SC2154
+cat <ingress.yaml
+$snip_deploying_a_gateway_4
+EOF
+snip_deploying_a_gateway_5 +_wait_for_deployment istio-ingress istio-ingressgateway + +# @cleanup + +kubectl delete namespace istio-ingress \ No newline at end of file From cb00e024a4ee973a635711c977205ea06788bb6e Mon Sep 17 00:00:00 2001 From: Daniel Hawton Date: Wed, 4 May 2022 10:24:55 -0600 Subject: [PATCH 02/21] manually cleanup the minimal istio install --- content/en/docs/setup/additional-setup/gateway/test.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/docs/setup/additional-setup/gateway/test.sh b/content/en/docs/setup/additional-setup/gateway/test.sh index 4d8546eddf23..b8dd0192a6ae 100644 --- a/content/en/docs/setup/additional-setup/gateway/test.sh +++ b/content/en/docs/setup/additional-setup/gateway/test.sh @@ -62,4 +62,6 @@ _wait_for_deployment istio-ingress istio-ingressgateway # @cleanup +istioctl x uninstall --purge --skip-confirmation +kubectl delete namespace istio-system kubectl delete namespace istio-ingress \ No newline at end of file From dc95da6b4347e91faba5c443e92e1c13f847f8f3 Mon Sep 17 00:00:00 2001 From: Daniel Hawton Date: Thu, 5 May 2022 12:31:16 -0600 Subject: [PATCH 03/21] Add canary upgrade test --- .../en/docs/setup/additional-setup/gateway/index.md | 4 ++-- .../en/docs/setup/additional-setup/gateway/snips.sh | 4 ++-- .../en/docs/setup/additional-setup/gateway/test.sh | 12 ++++++++++++ 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/content/en/docs/setup/additional-setup/gateway/index.md b/content/en/docs/setup/additional-setup/gateway/index.md index 91c9065e824e..d421a50c5669 100644 --- a/content/en/docs/setup/additional-setup/gateway/index.md +++ b/content/en/docs/setup/additional-setup/gateway/index.md 
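Review bot: In rewrite-repo, `${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}` assigns the sentinel and continues when the variable is unset, so even under `set -u` the helm install runs with an image tag of `SHOULD_BE_SET.latest` and only fails later inside `--wait` with a timeout rather than a clear message; if the sentinel is meant to mark a required variable, `${ISTIO_IMAGE_VERSION:?SHOULD_BE_SET}` makes the script stop immediately. The assembled command is executed through `eval`, so the snippet body and both environment variables become shell text; declaring `local cmd` at the top of the function would at least keep the reconstructed body out of the script's global scope. The manifest this script applies via `$snip_deploying_a_gateway_4` (visible in the snips.sh hunk above) grants `get`/`watch`/`list` on secrets to the namespace's `default` ServiceAccount, so the test cluster's istio-ingress namespace ends up with that broad binding; that choice comes from the doc example and would be changed in the markdown source, but a one-line comment here noting it would help whoever reuses this test setup.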
@@ -291,9 +291,9 @@ spec: When this deployment is created, you will then have two versions of the gateway, both selected by the same Service: {{< text bash >}} -$ kubectl get endpoints -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" +$ kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" NAME PODS -istio-ingressgateway istio-ingressgateway-788854c955-8gv96,istio-ingressgateway-canary-b78944cbd-mq2qf +istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-... {{< /text >}} {{< image width="50%" link="canary-upgrade.svg" caption="Canary upgrade in progress" >}} diff --git a/content/en/docs/setup/additional-setup/gateway/snips.sh b/content/en/docs/setup/additional-setup/gateway/snips.sh index e8cfaceba01b..26e4b13d4697 100644 --- a/content/en/docs/setup/additional-setup/gateway/snips.sh +++ b/content/en/docs/setup/additional-setup/gateway/snips.sh @@ -158,10 +158,10 @@ spec: ENDSNIP snip_canary_upgrade_advanced_2() { -kubectl get endpoints -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" +kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" } ! read -r -d '' snip_canary_upgrade_advanced_2_out <<\ENDSNIP NAME PODS -istio-ingressgateway istio-ingressgateway-788854c955-8gv96,istio-ingressgateway-canary-b78944cbd-mq2qf +istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-... ENDSNIP diff --git a/content/en/docs/setup/additional-setup/gateway/test.sh b/content/en/docs/setup/additional-setup/gateway/test.sh index b8dd0192a6ae..2edeacf967d0 100644 --- a/content/en/docs/setup/additional-setup/gateway/test.sh +++ b/content/en/docs/setup/additional-setup/gateway/test.sh 
@@ -60,6 +60,18 @@ EOF snip_deploying_a_gateway_5 _wait_for_deployment istio-ingress istio-ingressgateway +istioctl install --skip-confirmation --set profile=minimal --set revision=canary +_wait_for_deployment istio-system istiod-canary + +# shellcheck disable=SC2154 +cat < Date: Wed, 27 Apr 2022 19:50:34 -0700 Subject: [PATCH 04/21] Automator: update istio.io@ reference docs (#11237) --- content/en/docs/reference/commands/install-cni/index.html | 6 ++++++ content/en/docs/reference/commands/istioctl/index.html | 6 ++++++ content/en/docs/reference/commands/operator/index.html | 6 ++++++ content/en/docs/reference/commands/pilot-agent/index.html | 6 ++++++ .../en/docs/reference/commands/pilot-discovery/index.html | 6 ++++++ 5 files changed, 30 insertions(+) diff --git a/content/en/docs/reference/commands/install-cni/index.html b/content/en/docs/reference/commands/install-cni/index.html index d879820e2054..75b7386708b9 100644 --- a/content/en/docs/reference/commands/install-cni/index.html +++ b/content/en/docs/reference/commands/install-cni/index.html @@ -682,6 +682,12 @@

Environment variables

Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. +ENABLE_AUTO_SNI +Boolean +false +If enabled, automatically set SNI when `DestinationRules` do not specify the same + + ENABLE_CA_SERVER Boolean true diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html index d2be5be5db09..4e6aed19ae6d 100644 --- a/content/en/docs/reference/commands/istioctl/index.html +++ b/content/en/docs/reference/commands/istioctl/index.html @@ -6997,6 +6997,12 @@

Environment variables

Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. +ENABLE_AUTO_SNI +Boolean +false +If enabled, automatically set SNI when `DestinationRules` do not specify the same + + ENABLE_CA_SERVER Boolean true diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html index 65eb0f663c41..2fb1c99ae9c0 100644 --- a/content/en/docs/reference/commands/operator/index.html +++ b/content/en/docs/reference/commands/operator/index.html @@ -333,6 +333,12 @@

Environment variables

Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. +ENABLE_AUTO_SNI +Boolean +false +If enabled, automatically set SNI when `DestinationRules` do not specify the same + + ENABLE_CA_SERVER Boolean true diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html index 740d9efe31c9..438730e18346 100644 --- a/content/en/docs/reference/commands/pilot-agent/index.html +++ b/content/en/docs/reference/commands/pilot-agent/index.html @@ -1066,6 +1066,12 @@

Environment variables

Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. +ENABLE_AUTO_SNI +Boolean +false +If enabled, automatically set SNI when `DestinationRules` do not specify the same + + ENABLE_CA_SERVER Boolean true diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html index 5ed60436405f..bb027d882a30 100644 --- a/content/en/docs/reference/commands/pilot-discovery/index.html +++ b/content/en/docs/reference/commands/pilot-discovery/index.html @@ -506,6 +506,12 @@

Environment variables

Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. +ENABLE_AUTO_SNI +Boolean +false +If enabled, automatically set SNI when `DestinationRules` do not specify the same + + ENABLE_CA_SERVER Boolean true From 5f88ecb38def6174565a7108d9c1089ec2d20f49 Mon Sep 17 00:00:00 2001 From: my-git9 Date: Thu, 28 Apr 2022 20:58:33 +0800 Subject: [PATCH 05/21] zh-translation: traffic-management/index.md (#11217) --- content/zh/docs/concepts/traffic-management/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/zh/docs/concepts/traffic-management/index.md b/content/zh/docs/concepts/traffic-management/index.md index 1652fa150e12..12594b252987 100644 --- a/content/zh/docs/concepts/traffic-management/index.md +++ b/content/zh/docs/concepts/traffic-management/index.md @@ -471,6 +471,10 @@ spec: 在配置了网络,包括故障恢复策略之后,可以使用 Istio 的故障注入机制来为整个应用程序测试故障恢复能力。故障注入是一种将错误引入系统以确保系统能够承受并从错误条件中恢复的测试方法。使用故障注入特别有用,能确保故障恢复策略不至于不兼容或者太严格,这会导致关键服务不可用。 +{{< warning >}} +目前,故障注入配置不能与同一个虚拟服务上的重试或超时配置相结合,请参见[流量管理问题](/zh/docs/ops/common-problems/network-issues/#virtual-service-with-fault-injection-and-retry-timeout-policies-not-working-as-expected)。 +{{< /warning >}} + 与其他错误注入机制(如延迟数据包或在网络层杀掉 Pod)不同,Istio 允许在应用层注入错误。这使您可以注入更多相关的故障,例如 HTTP 错误码,以获得更多相关的结果。 您可以注入两种故障,它们都使用[虚拟服务](#virtual-services)配置: From 7f2c293c43126ac515815c80c39cc203f5467822 Mon Sep 17 00:00:00 2001 From: John Howard Date: Thu, 28 Apr 2022 13:00:33 -0700 Subject: [PATCH 06/21] security-vulnerabilities: add more info about base images (#11236) --- .../releases/security-vulnerabilities/index.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/en/docs/releases/security-vulnerabilities/index.md b/content/en/docs/releases/security-vulnerabilities/index.md index aadf1073878a..36291a90f022 100644 --- a/content/en/docs/releases/security-vulnerabilities/index.md 
+++ b/content/en/docs/releases/security-vulnerabilities/index.md @@ -42,6 +42,7 @@ Don't send a vulnerability report if: - You need help tuning Istio components for security. - You need help applying security related updates. - Your issue is not security related. +- Your issue is related to base image dependencies (see [Base Images](#base-images)) ## Evaluation @@ -87,3 +88,18 @@ branches. As much as possible this announcement will be actionable, and include any mitigating steps customers can take prior to upgrading to a fixed version. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday. This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia. + +## Base Images + +Istio offers two sets of docker images, based on `ubuntu` (default) and based on `distroless` (see [Harden Docker Container Images](/docs/ops/configuration/security/harden-docker-images/)). +These base images occasionally have CVEs. +The Istio security team has automated scanning to ensure base images are kept free of CVEs. + +When CVEs are detected in our images, new images are automatically built and used for all future builds. +Additionally, the security team analyzes the vulnerabilities to see if they are exploitable in Istio directly. +In most cases, these vulnerabilities may be present in packages within the base image, but are not exploitable in the way Istio uses them. +For these cases, new releases will not typically be released just to resolve these CVEs, and the fixes will be included in the next regularly scheduled release. + +As a result, base image CVEs should not be [reported](#reporting-a-vulnerability) unless there is evidence it may be exploitable within Istio. + +The [`distroless`](/docs/ops/configuration/security/harden-docker-images/) base images are strongly encouraged if reducing base image CVEs is important to you. From c0d9d9f411fa58c061b1646581dee0f625bb831d Mon Sep 17 00:00:00 2001 
From: Ihor Sychevskyi Date: Sun, 1 May 2022 23:57:36 +0300 Subject: [PATCH 07/21] rollback of unnecessary changes (#11246) --- src/sass/base/_constants.scss | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sass/base/_constants.scss b/src/sass/base/_constants.scss index f0ccb19cba4d..a7590edc69c9 100644 --- a/src/sass/base/_constants.scss +++ b/src/sass/base/_constants.scss @@ -32,7 +32,7 @@ $floating-button-z: 15; $glossary-letter-z: 10; $toolbar-button-z: 1; $promotion-z: 1; -$footer-z: 2; +$footer-z: 0; // various manifest constants $border-radius: 4px; From e546cf9177e67bc50b8744031db89e603fee6664 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Sun, 1 May 2022 16:24:37 -0700 Subject: [PATCH 08/21] Automator: update istio@ test reference (#11249) --- go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index a84e4f4e229c..a2587383dadf 100644 --- a/go.mod +++ b/go.mod @@ -11,8 +11,8 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5 require ( github.com/golang/sync v0.0.0-20180314180146-1d60e4601c6f github.com/pmezard/go-difflib v1.0.0 - istio.io/istio v0.0.0-20220422184250-d315965155f4 - istio.io/pkg v0.0.0-20220422005710-7533399e2655 + istio.io/istio v0.0.0-20220429194846-53aa699f7ad9 + istio.io/pkg v0.0.0-20220426123005-aba87f29dab6 k8s.io/apimachinery v0.23.5 k8s.io/client-go v0.23.5 ) 
@@ -55,7 +55,7 @@ require ( github.com/docker/distribution v2.8.1+incompatible // indirect github.com/docker/docker v20.10.12+incompatible // indirect github.com/docker/docker-credential-helpers v0.6.4 // indirect - github.com/envoyproxy/go-control-plane v0.10.2-0.20220420171917-689c2bccf0ec // indirect + github.com/envoyproxy/go-control-plane v0.10.2-0.20220428052930-ec95b9f870a8 // indirect github.com/envoyproxy/protoc-gen-validate v0.6.7 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect @@ -204,8 +204,8 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect helm.sh/helm/v3 v3.8.2 // indirect - istio.io/api v0.0.0-20220422171451-c26918059821 // indirect - istio.io/client-go v1.12.0-alpha.5.0.20220422172151-983ac5efbd0b // indirect + istio.io/api v0.0.0-20220426122505-56c53d9fe8c5 // indirect + istio.io/client-go v1.12.0-alpha.5.0.20220426123505-18c671f36061 // indirect k8s.io/api v0.23.5 // indirect k8s.io/apiextensions-apiserver v0.23.5 // indirect k8s.io/cli-runtime v0.23.5 // indirect @@ -215,7 +215,7 @@ require ( k8s.io/kubectl v0.23.5 // indirect k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect sigs.k8s.io/controller-runtime v0.11.2 // indirect - sigs.k8s.io/gateway-api v0.4.1-0.20220411164207-d6bbc338d351 // indirect + sigs.k8s.io/gateway-api v0.4.1-0.20220419214231-03f50b47814e // indirect sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect sigs.k8s.io/kustomize/api v0.10.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect diff --git a/go.sum b/go.sum index 548fdec8ca1b..de7713691369 100644 --- a/go.sum +++ b/go.sum 
@@ -623,8 +623,8 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= -github.com/envoyproxy/go-control-plane v0.10.2-0.20220420171917-689c2bccf0ec h1:np2MDgE07uAw/Z/0N5bPLVRzlPd8aAHng6cNKQUhxu0= -github.com/envoyproxy/go-control-plane v0.10.2-0.20220420171917-689c2bccf0ec/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220428052930-ec95b9f870a8 h1:ZqKqxZ7mtvDKhP9H9eqQpbX2VwSiN7HKCU4SHqOPjM0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220428052930-ec95b9f870a8/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= 
@@ -2904,14 +2904,14 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY= -istio.io/api v0.0.0-20220422171451-c26918059821 h1:JG8lpe9IYL44UunbqdrYnTnZ/+xsBrP//JaM21wyG7E= -istio.io/api v0.0.0-20220422171451-c26918059821/go.mod h1:qGm6l1okCpLqVKyXSfYjB+UXXgpE/LCggALuK25cSFY= -istio.io/client-go v1.12.0-alpha.5.0.20220422172151-983ac5efbd0b h1:cwBAFo9e2jhHYwX4dFpexc6E2AveVSNWRPJPIsMuVRY= -istio.io/client-go v1.12.0-alpha.5.0.20220422172151-983ac5efbd0b/go.mod h1:5pTd0Szh95h6FJCfPEWF9Fi/czyS4Y1J8ry3lHU95RU= -istio.io/istio v0.0.0-20220422184250-d315965155f4 h1:0q233dVMzhzIqQ3kkJP/QDNKiLqYbz6QByJolqiMSjQ= -istio.io/istio v0.0.0-20220422184250-d315965155f4/go.mod h1:H+AFs55ZCXIEZF9HRjZBVNN+JQk1odfM8N2jjrqjHjw= -istio.io/pkg v0.0.0-20220422005710-7533399e2655 h1:Phikti+a0oa03NA2ZYJkCV9dHUpLeuKMv5loxdFhfZw= -istio.io/pkg v0.0.0-20220422005710-7533399e2655/go.mod h1:kcBYN5TiyGFM2bs4b7K81j+YeDZ4JrINP+brV9ehZe0= +istio.io/api v0.0.0-20220426122505-56c53d9fe8c5 h1:jnCjFoosOPcVVgtUKHiCwjMenUgHAgTE/m4qNzEn8t0= +istio.io/api v0.0.0-20220426122505-56c53d9fe8c5/go.mod h1:qGm6l1okCpLqVKyXSfYjB+UXXgpE/LCggALuK25cSFY= +istio.io/client-go v1.12.0-alpha.5.0.20220426123505-18c671f36061 h1:giM89Xq3+zpENum4vHpXAhrt7wMc3n49K59gNUna8lA= +istio.io/client-go v1.12.0-alpha.5.0.20220426123505-18c671f36061/go.mod h1:uebNBYUGN8Y51vJ7yAH0YM9Z83LIIhpMg0FOVbuEvBw= +istio.io/istio v0.0.0-20220429194846-53aa699f7ad9 h1:ET24y3c3vOVxWKYbSHRjBoLpMKHVs3C51MXngAiNv10= +istio.io/istio v0.0.0-20220429194846-53aa699f7ad9/go.mod h1:5rCW+rOsxWnD0VfsgyCwFwd4mSq6KXTU5am+P1rRL6k= +istio.io/pkg v0.0.0-20220426123005-aba87f29dab6 h1:4QSeo79CuEe4cjCpXsfFenHKzAKaQXtnUY5Gd5jWdCs= +istio.io/pkg 
v0.0.0-20220426123005-aba87f29dab6/go.mod h1:kcBYN5TiyGFM2bs4b7K81j+YeDZ4JrINP+brV9ehZe0= k8s.io/api v0.0.0-20180904230853-4e7be11eab3f/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA= k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= @@ -3082,8 +3082,8 @@ sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCw sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/controller-tools v0.7.0/go.mod h1:bpBAo0VcSDDLuWt47evLhMLPxRPxMDInTEH/YbdeMK0= -sigs.k8s.io/gateway-api v0.4.1-0.20220411164207-d6bbc338d351 h1:4F7lwe6YevlYObT2HRPr1G4y63hb+NLyI2pxICJ3BoA= -sigs.k8s.io/gateway-api v0.4.1-0.20220411164207-d6bbc338d351/go.mod h1:Gj2je/oOS/22fEU/U4xJ/nRH0wuQ3/kcfJUmLqtqXV4= +sigs.k8s.io/gateway-api v0.4.1-0.20220419214231-03f50b47814e h1:PQOYjMWqURIPBmIEHw9OQAbtNb1DnwAVwAj/TC9l+24= +sigs.k8s.io/gateway-api v0.4.1-0.20220419214231-03f50b47814e/go.mod h1:Gj2je/oOS/22fEU/U4xJ/nRH0wuQ3/kcfJUmLqtqXV4= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= From 63cd3d6a29234af5e735040b8cafd71f49e9e1f8 Mon Sep 17 00:00:00 2001 From: my-git9 Date: Mon, 2 May 2022 15:59:37 +0800 Subject: [PATCH 09/21] [zh] Sync en docs in docs/concepts/_index.md (#11245) [zh] Sync en docs in docs/concepts/_index.md --- content/zh/docs/concepts/_index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/zh/docs/concepts/_index.md b/content/zh/docs/concepts/_index.md index 9217b3c4ff0b..24594b491227 100644 --- a/content/zh/docs/concepts/_index.md 
+++ b/content/zh/docs/concepts/_index.md @@ -2,6 +2,5 @@ title: 概念 description: 一些概念,理解它们有助于您更好地了解 Istio 系统的不同部分及其使用的抽象。 weight: 10 -icon: concepts -test: n/a +test: table-of-contents --- From 56f143759c6dc3441a0b961781d9732fa90dc3ca Mon Sep 17 00:00:00 2001 From: kinzhi Date: Mon, 2 May 2022 19:08:38 +0800 Subject: [PATCH 10/21] zh-translation:Update content/en/about/faq/security/verify-mtls-encryption.md (#11248) --- content/en/about/faq/security/verify-mtls-encryption.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/faq/security/verify-mtls-encryption.md b/content/en/about/faq/security/verify-mtls-encryption.md index 1ae4d107dfe2..abc027ca232b 100644 --- a/content/en/about/faq/security/verify-mtls-encryption.md +++ b/content/en/about/faq/security/verify-mtls-encryption.md @@ -3,4 +3,4 @@ title: How can I verify that traffic is using mutual TLS encryption? weight: 25 --- -If you installed Istio with `values.global.proxy.privileged=true`, you can use `tcpdump` to determine encryption status. Also in Kubernetes 1.23 and later, as an alternative to installing Istio as privileged, you can use `kubectl debug` to run `tcpdump` in an [ephemeral container](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-running-pod/#ephemeral-container). See [Istio mutual TLS migration](/docs/tasks/security/authentication/mtls-migration) for instructions. +If you installed Istio with `values.global.proxy.privileged=true`, you can use `tcpdump` to determine encryption status. Also in Kubernetes 1.23 and later, as an alternative to installing Istio as privileged, you can use `kubectl debug` to run `tcpdump` in an [ephemeral container](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container). See [Istio mutual TLS migration](/docs/tasks/security/authentication/mtls-migration) for instructions. \ No newline at end of file From aa7c3f7763da4e9823722a7271b94e60f02a994e Mon Sep 17 00:00:00 2001 
From: Jason Wang <7304774+jasonwzm@users.noreply.github.com> Date: Mon, 2 May 2022 13:14:05 -0700 Subject: [PATCH 11/21] Add Statsig as a user (#11238) --- data/companies.yml | 3 +++ static/logos/statsig.svg | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 static/logos/statsig.svg diff --git a/data/companies.yml b/data/companies.yml index 0512b9b54d24..b9b410ce4332 100644 --- a/data/companies.yml +++ b/data/companies.yml @@ -457,6 +457,9 @@ users: - name: "Spotify" logo: "/logos/spotify.svg" url: "https://www.spotify.com/" + - name: "Statsig" + logo: "/logos/statsig.svg" + url: "https://www.statsig.com/" - name: "Stilingue" logo: "/logos/stilingue.svg" url: "https://stilingue.com.br" diff --git a/static/logos/statsig.svg b/static/logos/statsig.svg new file mode 100644 index 000000000000..dab30224ede6 --- /dev/null +++ b/static/logos/statsig.svg @@ -0,0 +1,4 @@ + + + + From 1a1837feeafe7588c11caf6052e4d3589d94c5e4 Mon Sep 17 00:00:00 2001 From: lei-tang <32078630+lei-tang@users.noreply.github.com> Date: Mon, 2 May 2022 14:46:04 -0700 Subject: [PATCH 12/21] User guide for Istio TLS configuration (#11166) * User guide for Istio TLS configuration * Address review comments * Fix indention * Fix lint * Address reviewer comments * Address review comment --- .../security/tls-configuration/_index.md | 6 ++ .../workload-min-tls-version/index.md | 93 +++++++++++++++++++ .../workload-min-tls-version/snips.sh | 67 +++++++++++++ .../workload-min-tls-version/test.sh | 43 +++++++++ 4 files changed, 209 insertions(+) create mode 100644 content/en/docs/tasks/security/tls-configuration/_index.md create mode 100644 content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/index.md create mode 100644 content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh create mode 100644 content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh 
diff --git a/content/en/docs/tasks/security/tls-configuration/_index.md b/content/en/docs/tasks/security/tls-configuration/_index.md new file mode 100644 index 000000000000..724c0b8fc347 --- /dev/null +++ b/content/en/docs/tasks/security/tls-configuration/_index.md @@ -0,0 +1,6 @@ +--- +title: TLS Configuration +description: TLS configuration in Istio. +weight: 40 +test: n/a +--- \ No newline at end of file diff --git a/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/index.md b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/index.md new file mode 100644 index 000000000000..0488fa6972ca --- /dev/null +++ b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/index.md 
@@ -0,0 +1,93 @@ +--- +title: Istio Workload Mininum TLS Version Configuration +description: Shows how to configure the minimum TLS version for Istio workloads. +weight: 90 +keywords: [security,TLS] +aliases: +- /docs/tasks/security/workload-min-tls-version/ +owner: istio/wg-security-maintainers +test: yes +--- + +This task shows how to configure the minimum TLS version for Istio workloads. +The maximum TLS version for Istio workloads is 1.3. + +## Configuration of minimum TLS version for Istio workloads + +* Install Istio through `istioctl` with the minimum TLS version configured. + The `IstioOperator` custom resource used to configure Istio in the `istioctl install` command + contains a field for the minimum TLS version for Istio workloads. + The `minProtocolVersion` field specifies the minimum TLS version for the TLS connections + among Istio workloads. In the following example, + the minimum TLS version for Istio workloads is configured to be 1.3. + + {{< text bash >}} + $ cat < ./istio.yaml + apiVersion: install.istio.io/v1alpha1 + kind: IstioOperator + spec: + meshConfig: + meshMTLS: + minProtocolVersion: TLSV1_3 + EOF + $ istioctl install -f ./istio.yaml + {{< /text >}} + +## Check the TLS configuration of Istio workloads + +After configuring the minimum TLS version of Istio workloads, +you can verify that the minimum TLS version was configured and works as expected. + +* Deploy two workloads: `httpbin` and `sleep`. Deploy these into a single namespace, + for example `foo`. Both workloads run with an Envoy proxy in front of each. 
+ + {{< text bash >}} + $ kubectl create ns foo + $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo + $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo + {{< /text >}} + +* Verify that `sleep` successfully communicates with `httpbin` using this command: + + {{< text bash >}} + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n" + 200 + {{< /text >}} + +{{< warning >}} +If you don’t see the expected output, retry after a few seconds. +Caching and propagation can cause a delay. +{{< /warning >}} + +In the example, the minimum TLS version was configured to be 1.3. +To check that TLS 1.3 is allowed, you can run the following command: + + {{< text bash >}} + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3" + {{< /text >}} + +The text output should include: + + {{< text plain >}} + TLSv1.3 + {{< /text >}} + +To check that TLS 1.2 is not allowed, you can run the following command: + + {{< text bash >}} + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)" + {{< /text >}} + +The text output should include: + + {{< text plain >}} + Cipher is (NONE) + {{< /text >}} + +## Cleanup + +* To remove the `foo` and `istio-system` namespaces: + + {{< text bash >}} + $ kubectl delete ns foo istio-system + {{< /text >}} \ No newline at end of file diff --git a/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh new file mode 100644 index 000000000000..5f495ed7b96b --- /dev/null 
+++ b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh 
@@ -0,0 +1,67 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/tasks/security/tls-configuration/workload-min-tls-version/index.md +#################################################################################################### + +snip_configuration_of_minimum_tls_version_for_istio_workloads_1() { +cat < ./istio.yaml +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + meshMTLS: + minProtocolVersion: TLSV1_3 +EOF +istioctl install -f ./istio.yaml +} + +snip_check_the_tls_configuration_of_istio_workloads_1() { +kubectl create ns foo +kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo +kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo +} + +snip_check_the_tls_configuration_of_istio_workloads_2() { +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n" +} + +! 
read -r -d '' snip_check_the_tls_configuration_of_istio_workloads_2_out <<\ENDSNIP +200 +ENDSNIP + +snip_check_the_tls_configuration_of_istio_workloads_3() { +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3" +} + +! read -r -d '' snip_check_the_tls_configuration_of_istio_workloads_4 <<\ENDSNIP +TLSv1.3 +ENDSNIP + +snip_check_the_tls_configuration_of_istio_workloads_5() { +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)" +} + +! read -r -d '' snip_check_the_tls_configuration_of_istio_workloads_6 <<\ENDSNIP +Cipher is (NONE) +ENDSNIP + +snip_cleanup_1() { +kubectl delete ns foo istio-system +} diff --git a/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh new file mode 100644 index 000000000000..3ec49b6c04a2 --- /dev/null +++ b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh 
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# shellcheck disable=SC2001
+
+set -e
+set -u
+set -o pipefail
+
+# @setup profile=none
+
+export VERIFY_TIMEOUT=300
+
+echo y | snip_configuration_of_minimum_tls_version_for_istio_workloads_1
+_wait_for_deployment istio-system istiod
+
+snip_check_the_tls_configuration_of_istio_workloads_1
+_wait_for_deployment foo httpbin
+_wait_for_deployment foo sleep
+
+# Send request from sleep to httpbin
+_verify_contains snip_check_the_tls_configuration_of_istio_workloads_2 "$snip_check_the_tls_configuration_of_istio_workloads_2_out"
+
+_verify_contains snip_check_the_tls_configuration_of_istio_workloads_3 "$snip_check_the_tls_configuration_of_istio_workloads_4"
+
+_verify_contains snip_check_the_tls_configuration_of_istio_workloads_5 "$snip_check_the_tls_configuration_of_istio_workloads_6"
+
+# @cleanup
+snip_cleanup_1
\ No newline at end of file From 1a46e5e7a0b7c379a09aa16fe92be5377b7064db Mon Sep 17 00:00:00 2001 From: yanrongshi Date: Tue, 3 May 2022 15:23:53 +0800 Subject: [PATCH 13/21] Create istio-has-applied-to-join-the-cncf.md (#11260) Co-authored-by: yanrong.shi --- .../events/banners/istio-has-applied-to-join-the-cncf.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 content/zh/events/banners/istio-has-applied-to-join-the-cncf.md
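Review bot: The negative check `_verify_contains snip_check_the_tls_configuration_of_istio_workloads_5 "$snip_check_the_tls_configuration_of_istio_workloads_6"` only establishes that a TLS 1.2 handshake to httpbin did not complete, because `Cipher is (NONE)` is what `openssl s_client` prints for any failed handshake (peer not reachable, connection reset, missing client certificate), not specifically for a rejected protocol version, so the test can pass for reasons unrelated to `minProtocolVersion`. The snippet lives in the generated snips.sh rather than this hunk, but the assertion would be more convincing if it matched the protocol-version alert in openssl's error output instead of the generic summary line, and a comment above the three `_verify_contains` calls should say that the TLS 1.3 check is deliberately run first so reachability is proven before the negative case is trusted. Separately, the script sets `set -o pipefail` while the checked snippet is an `openssl ... | grep ...` pipeline in which openssl exits non-zero on a failed handshake; whether `_verify_contains` tolerates a non-zero exit with matching output is not visible here and is worth confirming before relying on this test in CI.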
diff --git a/content/zh/events/banners/istio-has-applied-to-join-the-cncf.md b/content/zh/events/banners/istio-has-applied-to-join-the-cncf.md new file mode 100644 index 000000000000..2c1c37d9ad30 --- /dev/null +++ b/content/zh/events/banners/istio-has-applied-to-join-the-cncf.md @@ -0,0 +1,8 @@ +--- +title: Istio has applied to join the CNCF +period_start: 2022-04-24 +period_end: 2022-04-29 +max_impressions: 12 +--- + +Istio 已申请加入 CNCF![阅读更多信息](/zh/blog/2022/istio-has-applied-to-join-the-cncf/),或者[立即参加 IstioCon](https://events.istio.io/istiocon-2022/)。 \ No newline at end of file From 54306b72aa9a34e7eac963638ff3c3c2471d3cee Mon Sep 17 00:00:00 2001 From: yanrongshi Date: Tue, 3 May 2022 17:32:08 +0800 Subject: [PATCH 14/21] zh:/news/releases/1.12.x/announcing-1.12/_index.md (#10730) * Create _index.md * Update _index.md --- .../releases/1.12.x/announcing-1.12/_index.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 content/zh/news/releases/1.12.x/announcing-1.12/_index.md diff --git a/content/zh/news/releases/1.12.x/announcing-1.12/_index.md b/content/zh/news/releases/1.12.x/announcing-1.12/_index.md new file mode 100644 index 000000000000..8065a272fc5c --- /dev/null +++ b/content/zh/news/releases/1.12.x/announcing-1.12/_index.md 
@@ -0,0 +1,79 @@ +--- +title: Istio 1.12 公告 +linktitle: 1.12 +subtitle: 重大更新 +description: Istio 1.12 发布公告。 +publishdate: 2021-11-18 +release: 1.12.0 +skip_list: true +aliases: + - /zh/news/announcing-1.12 + - /zh/news/announcing-1.12.0 +--- + +我们很高兴地宣布 Istio 1.12 的发布! + +{{< relnote >}} + +这是 2021 年的最后一个版本。我们要感谢整个 Istio 社区,特别是来自 Red Hat 的发行经理 [Daniel Grimm](https://github.com/dgn) 和来自 Aspen Mesh 的 [Kenan O'Neal](https://github.com/Kmoneal),感谢他们帮助我们发布了 1.12.0。 + +{{< tip >}} +Istio 1.12.0 在 Kubernetes `1.19` 到 `1.22` 版本上得到了官方支持。 +{{< /tip >}} + +以下是该版本的一些亮点: + +## WebAssembly API{#WebAssembly-API} + +[WebAssembly](/zh/docs/concepts/wasm/) 一直是一个重要的项目,已经开发了 [3 年多](/zh/blog/2020/wasm-announce/),通过允许用户在运行时动态加载自定义扩展,为 Istio 带来高级的可扩展性。 +然而,到目前为止,配置 WebAssembly 插件还处于实验阶段,并且很难使用。 + +在 Istio 1.12 中,我们增加了一流的 API 来配置 WebAssembly 插件,从而改善了这种体验:[WasmPlugin](/zh/docs/reference/config/proxy_extensions/wasm-plugin/)。 + +使用 `WasmPlugin`,您可以很容易地将自定义插件部署到单个代理,甚至整个网格。 + +该 API 目前处于 alpha 阶段并在不断发展。感谢[您的反馈](/zh/get-involved/)! + +## Telemetry API{#Telemetry-API} + +在 Istio 1.11 中,我们引入了一个全新的 [`Telemetry` API](/zh/docs/reference/config/telemetry/),带来了一个标准化的 API,用于在 Istio 中配置跟踪、日志记录和指标。 + +在 1.12 中,我们继续朝这个方向努力,扩展了对 API 配置指标和访问日志记录的支持。 + +要开始,请查看以下文档: + +* [Telemetry API 概述](/zh/docs/tasks/observability/telemetry/) +* [追踪](/zh/docs/tasks/observability/distributed-tracing/) +* [指标](/zh/docs/tasks/observability/metrics/) +* [访问日志](/zh/docs/tasks/observability/logs/access-log/) + +该 API 目前处于 alpha 阶段并在不断发展。感谢[您的反馈](/zh/get-involved/)! 
+ +## Helm 支持{#helm-support} + +Istio 1.12 对我们的 [Helm 安装支持](/zh/docs/setup/install/helm/)进行了许多改进,并为该功能在未来升级到测试版铺平了道路。 + +一个官方的 Helm 库已经发布,以进一步简化加载流程,适应了[最流行的 GitHub 特性请求](https://github.com/istio/istio/issues/7505)之一。 +查看新的[入门](/zh/docs/setup/install/helm/#prerequisites)说明以获取更多信息。 + +这些图表也可以在 [ArtifactHub](https://artifacthub.io/packages/search?org=istio) 上找到。 + +此外,还发布了新的精制的 [`gateway` chart](https://artifacthub.io/packages/helm/istio-official/gateway) 图表。 +这个 chart 取代了旧的 `istio-ingressgateway` 和 `istio-egressgateway` charts,极大地简化了网关的管理,并遵循 Helm 的最佳实践。请访问网关注入页面,了解迁移到 helm chart 的说明。 + +## Kubernetes Gateway API{#Kubernetes-Gateway-API} + +Istio 已经完全支持 `v1alpha2` 版本的 [Kubernetes Gateway API](http://gateway-api.org/)。 +该 API 的目的是统一 Istio、Kubernetes `Ingress` 和其他代理使用的各种 API 集,以定义一个强大的、可扩展的 API 来配置流量路由。 + +虽然 API 还没有针对生产工作负载,但 API 和 Istio 的实现正在迅速发展。 +要试用它,请查看 [Kubernetes Gateway API](/zh/docs/tasks/traffic-management/ingress/gateway-api/) 文档。 + +## 还有很多很多{#and-much-much-more} + +* Default Retry Policies 已经被添加到 [Mesh Config](/zh/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig),允许用户在单个位置配置默认的重试策略,而不是在每个 VirtualService 中重复配置。 +* 一个新的 `failoverPriority` 配置已经添加到[Locality Load Balancing 配置](/zh/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting)中,允许自定义 Pod 的优先级。例如,同一网络中的 Pod 可以被赋予额外的优先级。 +* 添加了新的配置使[安全 TLS 发起更简单](/zh/docs/ops/best-practices/security/#configure-tls-verification-in-destination-rule-when-using-tls-origination)。 +* 如果您错过了:已经为 [gRPC 原生 "Proxyless" Service Mesh](/zh/blog/2021/proxyless-grpc/) 添加了初始支持。 +* [添加了](https://github.com/istio/istio/wiki/Experimental-QUIC-and-HTTP-3-support-in-Istio-gateways)对 HTTP/3 Gateway 的额实验性支持。 +* 有关更改的完整列表,请参阅 [Change Notes](/zh/news/releases/1.12.x/announcing-1.12/change-notes/)。 From fe958e7db6c279b959fc060761c86e5d8faa1cca Mon Sep 17 00:00:00 2001 
From: yanrongshi Date: Tue, 3 May 2022 17:32:17 +0800 Subject: [PATCH 15/21] zh:/blog/2021/direct-upgrade/index.md (#10741) * Create index.md * Update index.md * Update index.md --- content/zh/blog/2021/direct-upgrade/index.md | 63 ++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 content/zh/blog/2021/direct-upgrade/index.md diff --git a/content/zh/blog/2021/direct-upgrade/index.md b/content/zh/blog/2021/direct-upgrade/index.md new file mode 100644 index 000000000000..505d51aa69f0 --- /dev/null +++ b/content/zh/blog/2021/direct-upgrade/index.md 
@@ -0,0 +1,63 @@ +--- +title: "宣布支持 1.8 到 1.10 的直接升级" +description: "迈向更顺畅的升级过程。" +publishdate: 2021-05-24 +attribution: "Mitch Connors (Google), Sam Naser (Google)" +keywords: [更新,Istio,补丁] +--- + +随着 Service Mesh 技术从尖端转向稳定的基础架构,许多用户表示有兴趣减少升级他们的 Service Mesh 的频率,因为验证新的小版本可能需要很多时间。对于跟不上新版本的用户来说,升级尤其困难,因为 Istio 不支持跨多个小版本的升级。要升级 `1.6.x` 到 `1.8.x`,用户首先必须升级到 `1.7.x` 然后再到 `1.8.x`。 + +随着 Istio 1.10 的发布,我们宣布支持 Istio Alpha 级别的升级将直接从 `1.8.x` 升级到 `1.10.x`,而不升级到 `1.9.x`。我们希望这将减轻运行 Istio 的运营负担,与我们 2021 年改善 Day 2 Operations 的主题保持一致。 + +## 从 1.8 升级到 1.10 + +对于直接升级,我们建议使用金丝雀升级方法,以便在将工作负载切换到新版本之前验证控制平面功能。我们还将在本指南中使用[修订标签](/zh/blog/2021/revision-tags/),这是对 1.10 中引入的金丝雀升级的改进,因此用户在升级时不必更改命名空间上的标签。 + +首先,使用版本 `1.10` 或更高版本的 `istioctl`,创建一个版本标签 `stable` ,指向现有的 `1.8` 版本。从现在开始,让我们假设这个修订版本叫做 `1-8-5`: + +{{< text bash >}} +$ istioctl x revision tag set stable --revision 1-8-5 +{{< /text >}} + +如果您的 1.8 安装没有相关的修订,我们可以使用以下命令创建此修订标记: + +{{< text bash >}} +$ istioctl x revision tag set stable --revision default +{{< /text >}} + +现在,重新用 `istio.io/rev=stable` 标签标记以前标记为 `istio-injection=enabled` 或者 `istio.io/rev=` 的名称空间。下载 Istio 1.10.0 版本并安装带有修订版的新控制平面: + +{{< text bash >}} +$ istioctl install --revision 1-10-0 -y +{{< /text >}} + +现在评估 `1.10` 版本是否正确出现并且是健康的。一旦对新版本的稳定性感到满意,您可以将版本标签设置为新版本: + +{{< text bash >}} +$ istioctl x revision tag set stable --revision 1-10-0 --overwrite +{{< /text >}} + +验证修订标签 `stable` 是否指向新的修订: + +{{< text bash >}} +$ istioctl x revision tag list +TAG REVISION NAMESPACES +stable 1-10-0 ... +{{< /text >}} + +一旦准备好将现有工作负载转移到新的 1.10 版本,就必须重新启动工作负载,以便 sidecar 代理使用新的控制平面。我们可逐个遍历名空间,并将工作负载滚动到新版本: + +{{< text bash >}} +$ kubectl rollout restart deployments -n … +{{< /text >}} + +在将工作负载转移到新的 Istio 版本后,注意到了一个问题吗?没问题!因为您用的是金丝雀升级,旧的控制平面仍在运行,我们可以切换回去。 + +{{< text bash >}} +$ istioctl x revision tag set prod --revision 1-8-5 +{{< /text >}} + +然后在触发另一次部署后,您的工作负载将返回到旧版本。 + +我们期待听到您关于直接升级的体验,并期待在未来改进和扩展此功能。 From cbb04639a520bec6ca5fafb009a7d28f0c65ff89 Mon Sep 17 00:00:00 2001 
From: yanrongshi Date: Tue, 3 May 2022 18:17:08 +0800 Subject: [PATCH 16/21] Update:zh-update-/releases/security-vulnerabilities/index.md (#11258) * Update index.md * Update index.md Co-authored-by: yanrong.shi --- content/zh/docs/releases/security-vulnerabilities/index.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/zh/docs/releases/security-vulnerabilities/index.md b/content/zh/docs/releases/security-vulnerabilities/index.md index c795c7958844..caf973c402ea 100644 --- a/content/zh/docs/releases/security-vulnerabilities/index.md +++ b/content/zh/docs/releases/security-vulnerabilities/index.md @@ -37,6 +37,7 @@ test: n/a - 您需要帮助调整 Istio 组件的安全性。 - 您需要使用安全更新相关的帮助。 - 您的问题与安全性无关。 +- 您的问题与基本映像依赖关系有关(查看 [基础镜像](#base-images)) ## 评估{#evaluation} @@ -72,3 +73,9 @@ Istio 项目维护了一个邮件列表,用于在私下及早的公开安全 - Slack 上的 [#announcements](https://istio.slack.com/messages/CFXS256EQ/) 频道 该公告将尽可能包含客户在升级到固定版本之前能够采取的任何缓解措施,这些公告的建议发布时间是 UTC 时间星期一至四的 16:00。这意味着该公告将在太平洋时间的早上、欧洲傍晚和亚洲傍晚发布。 + +## 基础镜像{#base-images} + +Istio 提供了两组基于 `ubuntu` 和基于 `distroless` 的默认 docker 镜像,更多详情请查阅([Harden Docker Container Images](/zh/docs/ops/configuration/security/harden-docker-images/))。 +这些镜像中偶尔会存在一些新发现的 CVE 安全漏洞。 +Istio 安全团队会对这些镜像进行自动扫描,以确保基础镜像中没有已知的 CVE 安全漏洞。 \ No newline at end of file From a1b251052abb9bf0d8012eeb46cf5959b50b9fd3 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 3 May 2022 09:21:35 -0700 Subject: [PATCH 17/21] Automator: update common-files@master in istio/istio.io@master (#11263) --- .gitattributes | 1 + common/.commonfiles.sha | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitattributes b/.gitattributes index 297d227c811a..eea5a1ec8659 100644 --- a/.gitattributes +++ b/.gitattributes @@ -8,3 +8,4 @@ *.gen.yaml linguist-generated=true *.gen.json linguist-generated=true *_pb2.py linguist-generated=true +go.sum merge=union diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index e41057a75651..8280a8797987 100644 
--- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -78d4a03042d695220b4ade5c17f071898d466b58 +d40d1b75c481bb08a4e5de631c26a4352d7039fd From 915c6ef9a8ab5c8c0c9e573c0ffe3940643606f9 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 May 2022 04:25:36 +0800 Subject: [PATCH 18/21] fix multicluster prometheus (#11221) --- .../telemetry/monitoring-multicluster-prometheus/index.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md b/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md index bae6279ddee8..d9b74665f0c2 100644 --- a/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md +++ b/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md @@ -81,8 +81,7 @@ scrape_configs: params: 'match[]': - - '{job="pilot"}' - - '{job="envoy-stats"}' + - '{job="kubernetes-pods"}' static_configs: - targets: @@ -136,8 +135,7 @@ scrape_configs: params: 'match[]': - - '{job="pilot"}' - - '{job="envoy-stats"}' + - '{job="kubernetes-pods"}' static_configs: - targets: From f4953a46eaabe0fc3d89345343ded533f69a8b0d Mon Sep 17 00:00:00 2001 From: yanrongshi Date: Wed, 4 May 2022 17:18:39 +0800 Subject: [PATCH 19/21] Update index.md (#11265) Co-authored-by: yanrong.shi --- .../telemetry/monitoring-multicluster-prometheus/index.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md b/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md index 0c29d0975030..47f4c0130aa8 100644 --- a/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md +++ b/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md 
@@ -71,8 +71,7 @@ scrape_configs: params: 'match[]': - - '{job="pilot"}' - - '{job="envoy-stats"}' + - '{job="kubernetes-pods"}' static_configs: - targets: @@ -121,8 +120,7 @@ scrape_configs: params: 'match[]': - - '{job="pilot"}' - - '{job="envoy-stats"}' + - '{job="kubernetes-pods}' static_configs: - targets: From b15b8af507fe02cb0e89ff006ccf41fe92b9d31a Mon Sep 17 00:00:00 2001 From: Daniel Hawton Date: Thu, 5 May 2022 15:59:04 -0600 Subject: [PATCH 20/21] refactor rewrite-helm command into helpers util --- .../install/external-controlplane/test.sh | 14 +------------- content/en/docs/setup/install/helm/test.sh | 18 +++--------------- tests/util/helpers.sh | 13 +++++++++++++ 3 files changed, 17 insertions(+), 28 deletions(-) diff --git a/content/en/docs/setup/install/external-controlplane/test.sh b/content/en/docs/setup/install/external-controlplane/test.sh index 554404899e1f..72e54434814a 100644 --- a/content/en/docs/setup/install/external-controlplane/test.sh +++ b/content/en/docs/setup/install/external-controlplane/test.sh @@ -21,18 +21,6 @@ set -e set -u set -o pipefail -# rewrite-repo invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses -# local files -# shellcheck disable=SC2001 -function rewrite-repo() { - # get function definition: https://stackoverflow.com/a/6916952/374797 - cmd="$(type "${1:?snip}" | sed '1,3d;$d')" - cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')" - cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')" - cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')" - eval "${cmd}" -} - kubectl_get_egress_gateway_for_remote_cluster() { response=$(kubectl get pod -l app=istio-egressgateway -n external-istiod --context="${CTX_REMOTE_CLUSTER}" -o jsonpath="{.items[*].status.phase}") echo "$response" 
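Review bot: The second hunk's new selector `- '{job="kubernetes-pods}'` is missing the closing double quote inside the braces, so the federation `match[]` parameter is an unterminated PromQL string and Prometheus will reject the scrape config; it should read `- '{job="kubernetes-pods"}'`, exactly as the first hunk and the English source in the preceding commit have it. Anyone copying the zh page into a live multicluster Prometheus would get a silently failing federation, so this should be fixed before merge.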
@@ -122,7 +110,7 @@ _verify_contains snip_deploy_a_sample_application_4 "Hello version: v1" echo y | snip_enable_gateways_1 # And egress with helm -rewrite-repo snip_enable_gateways_4 +_rewrite_helm_repo snip_enable_gateways_4 _verify_same kubectl_get_egress_gateway_for_remote_cluster "Running" diff --git a/content/en/docs/setup/install/helm/test.sh b/content/en/docs/setup/install/helm/test.sh index 81e90049b0ab..79245b61f75c 100644 --- a/content/en/docs/setup/install/helm/test.sh +++ b/content/en/docs/setup/install/helm/test.sh @@ -18,30 +18,18 @@ set -u set -o pipefail -# rewrite-repo invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses -# local files -# shellcheck disable=SC2001 -function rewrite-repo() { - # get function definition: https://stackoverflow.com/a/6916952/374797 - cmd="$(type "${1:?snip}" | sed '1,3d;$d')" - cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')" - cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')" - cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')" - eval "${cmd} --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}" -} - # @setup profile=none # Delete a vailidatingwebhookconfiguration that seems to have been left around from a prior test. kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io istiod-default-validator --ignore-not-found snip_create_istio_system_namespace -rewrite-repo snip_install_base +_rewrite_helm_repo snip_install_base -rewrite-repo snip_install_discovery +_rewrite_helm_repo snip_install_discovery _wait_for_deployment istio-system istiod -rewrite-repo snip_install_ingressgateway +_rewrite_helm_repo snip_install_ingressgateway _wait_for_deployment istio-ingress istio-ingress # shellcheck disable=SC2154 diff --git a/tests/util/helpers.sh b/tests/util/helpers.sh index c86f81ebec31..0252a512e009 100644 --- a/tests/util/helpers.sh 
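Review bot: The removed local `rewrite-repo` in this file ran `eval "${cmd}"` with no extra flags, whereas the shared `_rewrite_helm_repo` it is replaced with (added to tests/util/helpers.sh in this same patch) appends `--set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}`, so `snip_enable_gateways_4` now pins the egress gateway image to the CI-built tag where it previously used the chart default. That is probably the intended consistency with the helm install test, but the commit message calls this a refactor and the change is invisible at the call site; add a comment such as `# _rewrite_helm_repo also pins global.tag to the CI image (previously not set for this snippet)` above the `_rewrite_helm_repo snip_enable_gateways_4` line, or mention it in the commit description. The enclosing test script continues outside this hunk.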
+++ b/tests/util/helpers.sh
@@ -112,3 +112,16 @@ _wait_for_istio() {
 _urlencode() {
 python3 -c "import urllib.parse; print(urllib.parse.quote('''$1'''))"
 }
+
+# Invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses
+# local files
+# usage: _rewrite_helm_repo
+# shellcheck disable=SC2001
+_rewrite_helm_repo() {
+ # get function definition: https://stackoverflow.com/a/6916952/374797
+ cmd="$(type "${1:?snip}" | sed '1,3d;$d')"
+ cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')"
+ cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')"
+ cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')"
+ eval "${cmd} --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}"
+}
\ No newline at end of file From 412f52473e1a1322e3bc76d7bca6f62dd818468a Mon Sep 17 00:00:00 2001 From: Daniel Hawton Date: Fri, 6 May 2022 11:56:09 -0600 Subject: [PATCH 21/21] change gateway setup to new helm rewrite helper --- .../en/docs/setup/additional-setup/gateway/test.sh | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/content/en/docs/setup/additional-setup/gateway/test.sh b/content/en/docs/setup/additional-setup/gateway/test.sh
index 2edeacf967d0..f2b4d675230a 100644
--- a/content/en/docs/setup/additional-setup/gateway/test.sh
+++ b/content/en/docs/setup/additional-setup/gateway/test.sh
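Review bot: `${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}` in the `eval` line silently assigns the placeholder when the variable is unset, so a misconfigured CI job would run `helm install ... --set global.tag=SHOULD_BE_SET.latest` and fail much later on an image pull instead of failing fast; use `${ISTIO_IMAGE_VERSION:?ISTIO_IMAGE_VERSION must be set}` in the same spirit as the existing `${1:?snip}` guard. `cmd` is not declared `local`, so the rewritten snippet text leaks into the caller's shell as a global after every call; `local cmd` as the first line of the function fixes that. The `--set global.tag=...` flags are appended only to the final line of the extracted function body, which is correct for snippets whose last command is the `helm install`, but would be silently attached to whatever command happens to come last otherwise — state that precondition in the header comment. The `# usage: _rewrite_helm_repo` line also appears to have lost its argument placeholder (presumably a bracketed snippet-function name stripped during rendering), so restore it.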
@@ -25,18 +25,6 @@ function rebuild() { istioctl install --skip-confirmation --set profile=minimal } -# rewrite-repo invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses -# local files -# shellcheck disable=SC2001 -function rewrite-repo() { - # get function definition: https://stackoverflow.com/a/6916952/374797 - cmd="$(type "${1:?snip}" | sed '1,3d;$d')" - cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')" - cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')" - cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')" - eval "${cmd} --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest} --wait" -} - istioctl install --skip-confirmation --set profile=minimal _wait_for_deployment istio-system istiod @@ -49,7 +37,7 @@ echo y | snip_deploying_a_gateway_2 _wait_for_deployment istio-ingress ingressgateway rebuild -rewrite-repo snip_deploying_a_gateway_3 +_rewrite_helm_repo snip_deploying_a_gateway_3 _wait_for_deployment istio-ingress istio-ingress rebuild
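Review bot: The removed local `rewrite-repo` passed `--wait` to the eval'd `helm install`, and the shared `_rewrite_helm_repo` that replaces it (added to tests/util/helpers.sh in the previous patch) does not, so after this change the test depends entirely on the following `_wait_for_deployment istio-ingress istio-ingress` to block until the gateway is ready before `rebuild` tears things down. That is likely sufficient, but the dropped flag is a behavioural difference the commit message does not mention; either note it in the description or add a one-line comment such as `# helm --wait is no longer passed; _wait_for_deployment below provides the readiness gate` above the `_wait_for_deployment istio-ingress istio-ingress` line. The second hunk's final line lies outside this chunk.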