Authn policy concept and tutorial. #1128
Conversation
## Overview | ||
Istio authentication policy enables admin to specify authentication requirements for a service (or services). Istio authentication policy is composed of two-part authentication: | ||
|
||
* Peer: verifies the party that make the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible to manage both client and server sides to enforce the policy. |
the party that make -> the party, the direct peer, that makes
|
||
* Peer: verifies the party that make the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible to manage both client and server sides to enforce the policy. | ||
|
||
* Origin: verifies the party that make the request (e.g end-users, devices etc). JWT is the only supported mechanism for origin authentication at the moment. Istio will config server side to perform authentication, but will not enforce the client side to send the required certificate. |
the party that make -> the party, the original client, that makes
targets: | ||
- name: product-page | ||
- name: reviews | ||
ports: |
nit, would it be simpler to simply list ports after "ports:"?
This is because we chose a similar way to describe ports as the destination rule (basically, it can be a number, like 80, or a name, like "http")
--- | ||
{% include home.html %} | ||
|
||
Through this task, you will learn how to: |
should we add a section to describe how to enable both?
I added a few sentences to the last section to mention that peer authentication can be changed independently (from origin authn).
/cc @lei-tang
{% include home.html %} | ||
|
||
## Overview | ||
Istio authentication policy enables admin to specify authentication requirements for a service (or services). Istio authentication policy is composed of two-part authentication: |
two-part authentication -> two parts
Done
## Overview | ||
Istio authentication policy enables admin to specify authentication requirements for a service (or services). Istio authentication policy is composed of two-part authentication: | ||
|
||
* Peer: verifies the party, the direct client, that makes the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible to manage both client and server sides to enforce the policy. |
responsible to manage -> responsible for managing
Done
|
||
* Peer: verifies the party, the direct client, that makes the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible to manage both client and server sides to enforce the policy. | ||
|
||
* Origin: verifies the party, the original client, that makes the request (e.g end-users, devices etc). JWT is the only supported mechanism for origin authentication at the moment. Istio will config server side to perform authentication, but will not enforce the client side to send the required certificate. |
config server -> configure the server
required certificate -> required token
Done
* Origin: verifies the party, the original client, that makes the request (e.g end-users, devices etc). JWT is the only supported mechanism for origin authentication at the moment. Istio will config server side to perform authentication, but will not enforce the client side to send the required certificate. | ||
|
||
|
||
Identities from both authentication parts, if applicable, will be output to the next layer (e.g authorization, mixer). To simplify the authorization rules, the policy can also specifies which identity (peer or origin) should be used as 'the principal'. By default, it is set to peer's identity. |
specifies -> specify
peer's identity -> the peer's identity
Done
|
||
## Architecture | ||
|
||
Authentication policies are saved in Istio config store (in 0.7, the storage implementation using Kubernetes CRD), and distributed by Pilot. Pilot continously monitors the config store. Upon any change, it fetches the new policy and translates it into appropriate (sidecar) configs that are needed to enforce the policy. These configs are sent down to sidecar via regular discovery service APIs. Depends on the size of the mesh, this process may take few seconds to few minutes. During the transition, it might expect traffic lost or inconsistent authentication results. |
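Review bot: the propagation caveat at the end of this paragraph is the part an operator most needs and the least precise part of it; "it might expect traffic lost or inconsistent authentication results" should state plainly that while Pilot pushes a change, sidecars that have not yet received the new config still enforce the old policy, so after tightening a policy (for example enabling mTLS for a namespace) the new requirement is not guaranteed on every instance until the push finishes. Suggested wording: "During the transition, traffic loss or inconsistent authentication results should be expected; verify that the policy is in effect (the curl checks in the task are sufficient) before relying on it."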
using -> uses
Depends -> Depending
few seconds -> a few seconds
few minutes -> a few minutes
Done
Policy is scoped at namespace level, with (optional) target selector rules to narrow down the set of services (within the same namespace as the policy) on which the policy should be applied. This aligns with the ACL model based on Kubernetes RBAC. More specifically, only admin of the namespace can set policies for services in that namespace. | ||
|
||
|
||
Authentication engine is implemented on sidecar. For example, with Envoy sidecar, it is a combination of SSL settings and HTTP filters. If authentication fails, request will be rejected (either with SLL handshake error code, or http 401, depends on the type of authencation mechanism). If success, following authenticated attributes will be generated: |
on sidecar -> on sidecars
request -> a request
SLL -> SSL
depends on -> depending on
If success -> If authentication succeeds
following authenticated -> the following authenticated
Done
|
||
### Target selectors | ||
|
||
Defines rule to find service(s) on which policy should be applied. If no rule provided, the policy will be matched to all services in the namespace, so call namespace-level policy (as opposed to service-level policy are those that have non-empty selector rules). Istio (pilot) will pick the service-level policy if available, otherwise fallback to namespace-level policy. If none define, it uses the default policy based on service mesh config. |
service-level policy are those that -> service-level policies which
If none define -> if none is defined
Done
Defines rule to find service(s) on which policy should be applied. If no rule provided, the policy will be matched to all services in the namespace, so call namespace-level policy (as opposed to service-level policy are those that have non-empty selector rules). Istio (pilot) will pick the service-level policy if available, otherwise fallback to namespace-level policy. If none define, it uses the default policy based on service mesh config. | ||
|
||
|
||
Operators are responsible to avoid conflict, e.g create more than one service-level policy that match to the same service(s) (or more than one namespace-level policy on the same namespace). |
conflict -> conflicts
Done
### Peer authentication | ||
|
||
|
||
Defines authentication methods (and associated parameters) that are supported for for peer authentication. It can list more than one methods; only one of them need to be satisfied for the authentication pass. However, in the early releases, only mutual TLS is supported. Omitting this if peer authentication is not needed. |
for for -> for
one of them need -> one of them needs
the authentication pass -> the authentication to pass
Done
|
||
### Origin authentication | ||
|
||
Defines authentication methods (and associated parameters) that are supported for for origin authentication. Only JWT is supported for this, however, the policy can list multiple JWTs by diffrent issuers. Same as peers authentication, only one of the listed methods need to be satisfied for the authenticaiton pass. |
for for -> for
diffrent -> different
one of the listed methods need -> one of the listed methods needs
the authenticaiton pass -> the authentication to pass
Done
_docs/tasks/security/authn-policy.md
Outdated
|
||
## Having both namespace-level and service-level policy. | ||
|
||
Assuming we already add the namespace-level policy that enable mTLS for all services in namespace foo and observe that request from sleep.legacy to httpbin.foo are failing (see above). Now add another policy for httpbin service directly. This poicy doesn't define any method for peer authentication, which equivalent to disable mTLS. |
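Review bot: this paragraph should say explicitly that the service-level policy is a relaxation, not merely an override: with no peer method defined, httpbin.foo accepts plaintext connections from any caller, including the sidecar-less sleep.legacy used as the check, so the reader understands that this pattern is for a service that must stay reachable from legacy clients and that the target selector is what keeps the relaxation from applying to the other services in namespace foo. Also "poicy" -> "policy".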
that enable -> that enables
which equivalent -> which is equivalent
Done
_docs/tasks/security/authn-policy.md
Outdated
EOF | ||
``` | ||
|
||
Re-run request from sleep.legacy, we should see success return code again (200), confirming service-level policy is overrule the namespace-level policy. |
success return code -> a success return code
is overrule -> overrules
Done
_docs/tasks/security/authn-policy.md
Outdated
export TOKEN=<YOUR-TOKEN> | ||
``` | ||
|
||
Also, for convenience, let expose httpbin.foo via ingress (for more details, see [ingress task]({{home}}/docs/tasks/traffic-management/ingress.html)). |
let -> let's
Done
_docs/tasks/security/authn-policy.md
Outdated
} | ||
``` | ||
|
||
Now, let's add a policy that require end-user JWT for httpbin.foo. If you follow previous section, the 'httpbin' authentication policy might areadly exist (run `kubectl get policies.authentication.istio.io -n foo` to confirm). To avoid create conflicting policies for the same service, we run istio replace for the same policy name (httpbin). Note in the example policy below, peer authentication (mTLS) is kept, but it can be removed independently from origin authencation settings. |
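Review bot: "we run istio replace" reads like a typo for the CLI command name; write the exact command (presumably `istioctl replace`, matching the `kubectl get policies.authentication.istio.io -n foo` check just before it) and say what the reader should do when that `get` shows no existing "httpbin" policy, since replacing a policy that does not exist is not the same situation as the one described here. The sentence about keeping mTLS while changing origin authentication is useful; consider also stating the converse, that dropping the peers section from this policy would silently remove the mTLS requirement set up in the earlier section.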
that require -> that requires
previous section -> the previous section
avoid create -> avoid creating
authencation -> authentication
Done
_docs/tasks/security/authn-policy.md
Outdated
401 | ||
``` | ||
|
||
But will success (200) if token is attached to query. |
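Review bot: "if token is attached to query" is the first mention of carrying the JWT in the URL query string, and the doc never says where the sidecar looks for the token. State the supported locations explicitly, and if a request header is among them show that as the primary form, because a bearer token in a query string is recorded wherever request URLs are logged (proxy access logs, ingress logs, browser history); the query form is fine for a curl demo, but the text should not leave the impression that it is the normal way to present the token.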
will success -> will return success
Done
## Overview | ||
Istio authentication policy enables admin to specify authentication requirements for a service (or services). Istio authentication policy is composed of two-part authentication: | ||
|
||
* Peer: verifies the party, the direct client, that makes the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible to manage both client and server sides to enforce the policy. |
"Istio will be responsible to manage both client and server sides to enforce the policy." => Note that the authentication policy specifies the "requirements", not the "enforcement". In order to enforce mTLS, you need to ...
Ack. Per discussion, we do support both-sides enforcement for peer authn.
Policy is scoped at namespace level, with (optional) target selector rules to narrow down the set of services (within the same namespace as the policy) on which the policy should be applied. This aligns with the ACL model based on Kubernetes RBAC. More specifically, only admin of the namespace can set policies for services in that namespace. | ||
|
||
|
||
Authentication engine is implemented on sidecars. For example, with Envoy sidecar, it is a combination of SSL settings and HTTP filters. If authentication fails, requests will be rejected (either with SLL handshake error code, or http 401, depending on the type of authencation mechanism). If authentication succeeds, the following authenticated attributes will be generated: |
SLL -> SSL?
|
||
- **source.principal**: peer principal. If peer authentiation is not used, the attribute is not set. | ||
- **request.auth.principal**: depends on the policy principal binding, this could be peer principal (if USE_PEER) or origin principal (if USE_ORIGIN). | ||
- **request.auth.aud**: reflect the audience (*aud*) claim within the origin-JWT (JWT that is used for origin authentication) |
request.auth.aud -> request.auth.audience
Done
- **source.principal**: peer principal. If peer authentiation is not used, the attribute is not set. | ||
- **request.auth.principal**: depends on the policy principal binding, this could be peer principal (if USE_PEER) or origin principal (if USE_ORIGIN). | ||
- **request.auth.aud**: reflect the audience (*aud*) claim within the origin-JWT (JWT that is used for origin authentication) | ||
- **request.auth.presenter**: similarly, reflect the authorize presenter (*azp*) claim. |
reflect the authorized presenter (azp) claim of the origin-JWT.
Done
- **request.auth.presenter**: similarly, reflect the authorize presenter (*azp*) claim. | ||
- **request.auth.claims**: all raw string claims from origin-JWT. | ||
|
||
Origin principal is not explicitely output. In general, it can always be reconstructed from issuer (*iss*) and subject (*sub*) claims. If principal binding is USE_ORIGIN, it is also the same as **request.auth.principal**. |
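Review bot: since the origin principal is reconstructed from the issuer (iss) and subject (sub) claims, say that both are needed together: sub is only unique within one issuer, and the Origin authentication section above allows a policy to list JWTs from several issuers, so an authorization rule keyed on the subject alone could be satisfied by a token from a different issuer that happens to carry the same subject. The example requested in the other comment should show the combined issuer-plus-subject form for that reason.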
Give an example of origin principal?
Done
### Target selectors | ||
|
||
Defines rule to find service(s) on which policy should be applied. If no rule provided, the policy will be matched to all services in the namespace, so call namespace-level policy (as opposed to service-level policies which have non-empty selector rules). Istio (pilot) will pick the service-level policy if available, otherwise fallback to namespace-level policy. If neither is define, it uses the default policy based on service mesh config. | ||
|
Give a pointer to definition of mesh config?
Done
apiVersion: "authentication.istio.io/v1alpha1" | ||
kind: "Policy" | ||
metadata: | ||
name: "enable-mtls" |
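Review bot: since `namespace` is intentionally left out of `metadata` and supplied with `-n` on the command line, put that in a comment inside the YAML (or in the sentence introducing it) rather than relying on a highlighted word: a reader who applies this file without `-n` creates "enable-mtls" in their current default namespace, where it matches none of the services in foo, and the tutorial's check then shows no change without any error pointing at the cause.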
Missing namespace in metadata.
It's intentional :). I highlighted the word in the sentence above to mention that the namespace is set on the command line
I see. Does it change the config (adding namespace) after you run "-n" command?
apiVersion: "authentication.istio.io/v1alpha1" | ||
kind: "Policy" | ||
metadata: | ||
name: "enable-mtls" |
missing namespace in metadata.
ditto
apiVersion: "authentication.istio.io/v1alpha1" | ||
kind: "Policy" | ||
metadata: | ||
name: "httpbin" |
missing namespace in metadata.
ditto
_docs/tasks/security/authn-policy.md
Outdated
- mtls: | ||
origins: | ||
- jwt: | ||
issuer: "https://www.googleapis.com" |
issuer should be the service account email.
Is this just a regular practice or something we want to enforce? (i.e. validate the issuer as part of policy validation).
It's a general practice for service account signed JWT.
@@ -53,6 +53,11 @@ kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name} | |||
command terminated with exit code 56 | |||
``` | |||
|
|||
## Disable mutual TLS authentication for "httpbin" service using authentication policy. |
Do you plan to replace this doc with the authentication policy task doc?
Yes, indeed. I removed this section and added a note at the beginning of this task referring to the authn policy task. I think we will need to rewrite all of these once we get authN policy working smoothly.
_docs/tasks/security/mutual-tls.md
Outdated
@@ -62,6 +65,13 @@ For example, after starting the [Bookinfo]({{home}}/docs/guides/bookinfo.html) | |||
sample application you can ssh into the Envoy container of `productpage` service, | |||
and send request to other services by curl. | |||
|
|||
Note: by default istio proxy image does not have curl installed. To try this |
This is already mentioned in line 103.
Removed the other.
/approve
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: lei-tang
Assign the PR to them by writing
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/assign geeknoid
_docs/tasks/security/authn-policy.md
Outdated
- mtls: | ||
origins: | ||
- jwt: | ||
issuer: "frod@gserviceaccount.com" |
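Review bot: beyond replacing the literal address with a placeholder, say that `issuer` must equal the `iss` claim of the token exported as TOKEN earlier in the task, and that a mismatch is rejected in the same way as a missing token (the 401 the task shows); otherwise a reader using their own service account has no way to know what to put here or why their request fails.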
"ford@gserviceaccount.com" -> YOUR_SERVICE_ACCOUNT_EMAIL
apiVersion: "authentication.istio.io/v1alpha1" | ||
kind: "Policy" | ||
metadata: | ||
name: "enable-mtls" |
I see. Does it change the config (adding namespace) after you run "-n" command?
|
||
Defines rule to find service(s) on which policy should be applied. If no rule provided, the policy will be matched to all services in the namespace, so call namespace-level policy (as opposed to service-level policies which have non-empty selector rules). Istio (pilot) will pick the service-level policy if available, otherwise fallback to namespace-level policy. If neither is defined, it uses the default policy based on service mesh config and/or service annotation, which can only set mutual TLS setting (these are pre-0.7 mechanisms to config mutual TLS for Istio service mesh). See [testing Istio nutual TLS]({{home}}/docs/tasks/security/mutual-tls.html) and [per-service mutual TLS enablement]({{home}}/docs/tasks/security/per-service-mtls.html) for more details. | ||
|
||
Operators are responsible for avoiding conflicts, e.g create more than one service-level policy that match to the same service(s) (or more than one namespace-level policy on the same namespace). |
How do we resolve it if we see such conflicts? Randomly pick one? Or return any validation failure?
More or less random at the moment (or whatever the order of all the CRDs is when we request them). In any case, there is no guarantee what will be picked, at least at this point, so I think it's simpler to make customers aware of that.
About validation, ideally, we should check for conflicts when a policy is submitted (via istioctl). However, the current framework allows us to look at the new one only. It could be something we can improve in the near future.
Understood. I was just wondering if we need to document the consequence of policy conflict (e.g., if there is a conflict, there is no guarantee which policy is picked). But that's a minor point. I will leave it to you to decide.
@@ -0,0 +1,101 @@ | |||
--- | |||
title: Istio authentication policy |
Capitalize please
{% include home.html %} | ||
|
||
## Overview | ||
Istio authentication policy enables admin to specify authentication requirements for a service (or services). Istio authentication policy is composed of two-parts authentication: |
admin -> operators
two-parts authentication -> two parts
* Origin: verifies the party, the original client, that makes the request (e.g end-users, devices etc). JWT is the only supported mechanism for origin authentication at the moment. Istio will configure the server side to perform authentication, but will not enforce the client side to send the required token. | ||
|
||
|
||
Identities from both authentication parts, if applicable, will be output to the next layer (e.g authorization, mixer). To simplify the authorization rules, the policy can also specify which identity (peer or origin) should be used as 'the principal'. By default, it is set to the peer's identity. |
mixer -> Mixer
## Overview | ||
Istio authentication policy enables admin to specify authentication requirements for a service (or services). Istio authentication policy is composed of two-parts authentication: | ||
|
||
* Peer: verifies the party, the direct client, that makes the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible for managing both client and server sides to enforce the policy. |
Istio will be -> Istio is
|
||
* Peer: verifies the party, the direct client, that makes the connection. The common authentication mechanism for this is [mutual TLS]({{home}}/docs/concepts/security/mutual-tls.html). Istio will be responsible for managing both client and server sides to enforce the policy. | ||
|
||
* Origin: verifies the party, the original client, that makes the request (e.g end-users, devices etc). JWT is the only supported mechanism for origin authentication at the moment. Istio will configure the server side to perform authentication, but will not enforce the client side to send the required token. |
will configure -> configures
will not enforce the client side to send -> doesn't enforce that the client side sends
_docs/tasks/security/authn-policy.md
Outdated
sleep.legacy to httpbin.bar: 200 | ||
``` | ||
|
||
## Enable mTLS for single service httpbin.bar. |
Remove trailing period
_docs/tasks/security/authn-policy.md
Outdated
No resources found. | ||
``` | ||
|
||
## Enable mTLS for all services in namespace `foo`. |
Remove trailing period.
_docs/tasks/security/authn-policy.md
Outdated
@@ -0,0 +1,300 @@ | |||
--- | |||
title: Basic Istio authentication policy |
Capitalize Authentication Policy
_docs/tasks/security/authn-policy.md
Outdated
@@ -0,0 +1,300 @@ | |||
--- | |||
title: Basic Istio authentication policy | |||
overview: This task shows you how to use Istio authentication policy to setup mutual TLS and simple end-user authentication. |
Remove "This task"
_docs/tasks/security/authn-policy.md
Outdated
|
||
Through this task, you will learn how to: | ||
|
||
* Using authentication policy to setup mutual TLS. |
Using -> Use, here and below
@@ -0,0 +1,101 @@ | |||
--- | |||
title: Istio Authentication Policy | |||
overview: Describes Istio Authentication policy |
Authentication -> authentication
Done
* Origin: verifies the party, the original client, that makes the request (e.g end-users, devices etc). JWT is the only supported mechanism for origin authentication at the moment. Istio configures the server side to perform authentication, but doesn't enforce that the client side sends the required token. | ||
|
||
|
||
Identities from both authentication parts, if applicable, will be output to the next layer (e.g authorization, Mixer). To simplify the authorization rules, the policy can also specify which identity (peer or origin) should be used as 'the principal'. By default, it is set to the peer's identity. |
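Review bot: "By default, it is set to the peer's identity" leaves open what happens when no peer method is configured; the Principal binding section later in this file says the principal is then left unset. Suggest stating that here as well, since the next layer (authorization, Mixer) then receives no principal at all, which a policy writer needs to know before relying on the default.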
will be -> are
Done
|
||
## Architecture | ||
|
||
Authentication policies are saved in Istio config store (in 0.7, the storage implementation uses Kubernetes CRD), and distributed by Pilot. Pilot continously monitors the config store. Upon any change, it fetches the new policy and translates it into appropriate (sidecar) configs that are needed to enforce the policy. These configs are sent down to sidecar via regular discovery service APIs. Depending on the size of the mesh, this process may take a few seconds to a few minutes. During the transition, it might expect traffic lost or inconsistent authentication results. |
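Review bot: the last sentence ("it might expect traffic lost or inconsistent authentication results") is ungrammatical and does not tell the operator what to plan for. Suggest: "While the new configuration propagates, some requests may fail or be checked against the previous policy, because not all sidecars receive the update at the same time." A hint that a policy change should be applied when a short window of failed requests is acceptable would help readers of the task.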
From the point of view of someone using the mesh, it is sufficient to just say that there's a propagation delay between the time the policy is applied vs. when it is enforced. The implementation details are not important IMO.
|
||
|
||
|
||
Policy is scoped to namespaces, with (optional) target selector rules to narrow down the set of services (within the same namespace as the policy) on which the policy should be applied. This aligns with the ACL model based on Kubernetes RBAC. More specifically, only admin of the namespace can set policies for services in that namespace. |
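Review bot: "only admin of the namespace can set policies" describes an access-control property that comes from Kubernetes RBAC on the policy resource, not from the policy model itself. Since the store is a Kubernetes CRD (Architecture paragraph above), suggest saying that whoever can write the policy resource in a namespace controls authentication for the services in that namespace, so that readers check their RBAC bindings on that resource rather than assume the restriction is built in.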
only admin -> only the admin
Done
Policy is scoped to namespaces, with (optional) target selector rules to narrow down the set of services (within the same namespace as the policy) on which the policy should be applied. This aligns with the ACL model based on Kubernetes RBAC. More specifically, only admin of the namespace can set policies for services in that namespace. | ||
|
||
|
||
Authentication is implemented by the Istio sidecars. For example, with Envoy sidecar, it is a combination of SSL settings and HTTP filters. If authentication fails, requests will be rejected (either with SSL handshake error code, or http 401, depending on the type of authencation mechanism). If authentication succeeds, the following authenticated attributes will be generated: |
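Review bot: typo in the last sentence, "authencation" -> "authentication". The same sentence mixes "SSL settings" / "SSL handshake error code" with the "mutual TLS" wording used everywhere else in this file; suggest "TLS" throughout. It would also help to state that the rejection happens in the sidecar, so a request that fails authentication never reaches the application container.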
with Envoy -> with an Envoy
Done
_docs/tasks/security/authn-policy.md
Outdated
EOF | ||
``` | ||
|
||
The same curl command before will return with 401 error code, as a result of sever is expecting JWT but none provide: |
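Review bot: "as a result of sever is expecting JWT but none provide" needs rewording, e.g. "because the server now expects a JWT and none was sent". It is also worth saying where the 401 comes from: with the origin policy in place the sidecar rejects the request before it reaches httpbin, which is the behaviour a reader should verify at this step.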
before -> from before
done
_docs/tasks/security/authn-policy.md
Outdated
401 | ||
``` | ||
|
||
Attaching the valid token generate above will return success: |
the valid token generate -> the token generated
will return -> returns
done
_docs/tasks/security/authn-policy.md
Outdated
``` | ||
|
||
|
||
You may want to try to modify token and/or policy (e.g change issuer, audiences, expiry date etc) to observe other aspect of JWT validation. |
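Review bot: the suggestion to modify the token or the policy would be more useful with the expected outcome spelled out: each mismatch named here (a different issuer, an audience not listed in the policy, an expired token) should be rejected with the same 401 as the missing-token case, and checking that is how a reader confirms each validation step is actually enforced rather than silently skipped.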
the token or the policy
aspect -> aspects
done
_docs/tasks/security/mutual-tls.md
Outdated
@@ -62,6 +65,13 @@ For example, after starting the [Bookinfo]({{home}}/docs/guides/bookinfo.html) | |||
sample application you can ssh into the Envoy container of `productpage` service, | |||
and send request to other services by curl. | |||
|
|||
> By default istio proxy image does not have curl installed. To try this |
default istio proxy image -> default, the Istio proxy image
Put curl inside backticks
done
_docs/tasks/security/mutual-tls.md
Outdated
@@ -62,6 +65,13 @@ For example, after starting the [Bookinfo]({{home}}/docs/guides/bookinfo.html) | |||
sample application you can ssh into the Envoy container of `productpage` service, | |||
and send request to other services by curl. | |||
|
|||
> By default istio proxy image does not have curl installed. To try this | |||
feature, please add --debug flag when running kube-inject, i.e., |
the --debug
done
_docs/tasks/security/authn-policy.md
Outdated
EOF | ||
``` | ||
|
||
The same curl command from before will return with 401 error code, as a result of sever is expecting JWT but none provide: |
sever -> server
none provide -> none was provided
Done
_docs/tasks/security/mutual-tls.md
Outdated
@@ -62,6 +65,13 @@ For example, after starting the [Bookinfo]({{home}}/docs/guides/bookinfo.html) | |||
sample application you can ssh into the Envoy container of `productpage` service, | |||
and send request to other services by curl. | |||
|
|||
> By default, istio proxy image does not have `curl` installed. To try this |
It could be misleading; currently the --debug flag is turned on in the bookinfo demo: https://screenshot.googleplex.com/cRRdeeJWRjt, so chances are many customers don't have this issue at all and putting the curl warning here is unnecessary. And please refer to lines 103-114 in this file for more info. I feel that's more accurate (customers don't have to redeploy if they already have curl installed)
I lost track why I made this change in the first place. Reverted to origin.
--- | ||
{% include home.html %} | ||
|
||
## Overview |
You can remove the Overview header, there's already a title overlayed above by the web site.
Done
{% include home.html %} | ||
|
||
## Overview | ||
Istio authentication policy enables operators to specify authentication requirements for a service (or services). Istio authentication policy is composed of two parts authentication: |
two parts authentication: -> two parts:
done
|
||
## Architecture | ||
|
||
Authentication policies are saved in Istio config store (in 0.7, the storage implementation uses Kubernetes CRD), and distributed by control plane. Depending on the size of the mesh, configs propagation may take a few seconds to a few minutes. During the transition, it might expect traffic lost or inconsistent authentication results. |
it might -> you can expect
This sentence worries me. Is this implying that if I'm going from valid state A to valid state B, some requests may be allowed through that shouldn't be because the system is in some sort of transient state?
Right. Authn policy rollout is something we need to address next. This requires some features from v2 (http/https multiplex, port routing rule etc).
Also, the inconsistency is mainly because not all replicas get updates at the same time. Per instance, it is consistent.
### Peer authentication | ||
|
||
|
||
Defines authentication methods (and associated parameters) that are supported for peer authentication. It can list more than one method; only one of them needs to be satisfied for the authentication to pass. However, starting with the 0.7 release, only mutual TLS is supported. Omitting this if peer authentication is not needed. |
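Review bot: "only one of them needs to be satisfied" should be called out explicitly as OR semantics, because it is a security property of the list: adding a second, weaker method next to mutual TLS lowers the requirement to the weakest listed method. With only mtls supported in 0.7 this is moot today, but the sentence will outlive that restriction, so a one-line caution here is cheap.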
Ommiting this -> Omit this
Done
- mtls: | ||
``` | ||
|
||
> Starting with the 0.7 release, mtls settings doesn't require any parameter (hence `- mtls:` or `- mtls: null` declaration is sufficient). In future, it may carry arguments to provide different mTLS implementations. |
the 0.7 release -> Istio 0.7
mtls settings -> the mtls setting
parameter -> parameters
Done
|
||
### Principal binding | ||
|
||
Defines what is the principal from the authentiation. By default, this will be the peer's principal (and if peer authentication is not applied, it would be left unset). Policy writer can choose to overwrite it with USE_ORIGIN. In future, we will also support *conditional-binding* (e.g USE_PEER when peer is X, otherwise USE_ORIGIN) |
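Review bot: typo "authentiation" -> "authentication". "It would be left unset" deserves one more clause on the consequence, since the Overview says identities are output to the next layer (authorization, Mixer): a policy that keeps the default binding but configures no peer method yields no principal at all. Also, USE_ORIGIN is introduced before its counterpart; naming the default value explicitly (USE_PEER, which the conditional-binding example at the end of the paragraph already uses) would make the two options clear.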
it would be -> it will be
writer -> writers
Done
_docs/tasks/security/authn-policy.md
Outdated
|
||
kubectl create ns legacy | ||
kubectl apply -f samples/sleep/sleep.yaml -n legacy | ||
|
Remove blank line
done
_docs/tasks/security/authn-policy.md
Outdated
|
||
* For demo, create two namespaces `foo` and `bar`, and deploy [httpbin](https://github.com/istio/istio/tree/master/samples/httpbin) and [sleep](https://github.com/istio/istio/tree/master/samples/sleep) with sidecar on both of them. Also, run another sleep app without sidecar (to keep it separate, run it in `legacy` namespace) | ||
|
||
```bash |
Indent this code block by 3 spaces so that it renders as part of the previous bullet item.
Done
_docs/tasks/security/authn-policy.md
Outdated
|
||
* Verifying setup by sending an http request (using curl command) from any sleep pod (among those in namespace `foo`, `bar` or `legacy`) to either `httpbin.foo` or `httpbin.bar`. All requests should success with http code 200. | ||
|
||
For example, here is a command to check `sleep.bar` to `httpbin.foo` reachability: |
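Review bot: "All requests should success with http code 200" -> "should succeed with HTTP code 200". The verification step would also be stronger if it said why every sleep-to-httpbin combination works at this point: no authentication policy is installed yet, so plain-text HTTP is accepted everywhere, including from the sidecar-less `sleep.legacy`. That gives the reader the baseline against which the later failures are measured.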
If the text below is supposed to be under the above bullet item, it all needs to be indented by 3.
Done
_docs/tasks/security/authn-policy.md
Outdated
enable-mtls 1m | ||
``` | ||
|
||
Run the same testing command above. We should see request from `sleep.legacy` to `httpbin.foo` start to fail, as the result of enabling mTLS for `httpbin.foo` but `sleep.legacy` doesn't have sidecar to support it. On the other hand, for clients with sidecar (`sleep.foo` and `sleep.bar`), Istio automatically configures them to using mTLS where talking `http.foo`, so they continue to work. Also, requests to `httpbin.bar` are not affected as policy is effective on `foo` namespace only. |
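Review bot: `http.foo` in "talking `http.foo`" looks like a typo for `httpbin.foo`, the service name used in the rest of the sentence, and "configures them to using mTLS" -> "to use mTLS". It would also help to name the observable failure for `sleep.legacy` here: the concept page in this PR says a failed peer check is rejected at the TLS handshake rather than with an HTTP status, so readers know that a non-200 result at this step is expected to look different from the 401 seen later with JWT.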
talking http.foo -> talking to http.foo
|
||
``` | ||
peers: | ||
- mtls: | ||
``` | ||
|
||
> Starting with the 0.7 release, mtls settings doesn't require any parameter (hence `- mtls:` or `- mtls: null` declaration is sufficient). In future, it may carry arguments to provide different mTLS implementations. | ||
> Starting with Istio 0.7, the `mtls` settings doesn't require any parameters (hence `-mtls: {}`, `- mtls:` or `- mtls: null` declaration is sufficient). In future, it may carry arguments to provide different mTLS implementations. |
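Review bot: `-mtls: {}` in the new line is missing the space after the dash, so as YAML it is a plain string scalar rather than a list item with an `mtls` key; it should be `- mtls: {}` to match the other two forms. Note also that `- mtls:` and `- mtls: null` both yield a null value while `- mtls: {}` yields an empty mapping; the sentence presents the three as interchangeable, so it is worth confirming the policy parser accepts both shapes before documenting all three.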
settings -> setting
done
_docs/tasks/security/authn-policy.md
Outdated
@@ -106,7 +101,7 @@ NAME AGE | |||
enable-mtls 1m | |||
``` | |||
|
|||
Run the same testing command above. We should see request from `sleep.legacy` to `httpbin.foo` start to fail, as the result of enabling mTLS for `httpbin.foo` but `sleep.legacy` doesn't have sidecar to support it. On the other hand, for clients with sidecar (`sleep.foo` and `sleep.bar`), Istio automatically configures them to using mTLS where talking `http.foo`, so they continue to work. Also, requests to `httpbin.bar` are not affected as policy is effective on `foo` namespace only. | |||
Run the same testing command above. We should see request from `sleep.legacy` to `httpbin.foo` start to fail, as the result of enabling mTLS for `httpbin.foo` but `sleep.legacy` doesn't have sidecar to support it. On the other hand, for clients with sidecar (`sleep.foo` and `sleep.bar`), Istio automatically configures them to using mTLS where talking to `http.foo`, so they continue to work. Also, requests to `httpbin.bar` are not affected as the policy is effective on `foo` namespace only. |
is effective on the foo namespace
done
_docs/tasks/security/authn-policy.md
Outdated
@@ -124,7 +119,7 @@ sleep.legacy to httpbin.bar: 200 | |||
|
|||
## Enable mTLS for single service `httpbin.bar` | |||
|
|||
Run this command to set another policy for only for `httpbin.bar` service. Note in this example, we do **not** specify namespace in metadata but put it in commandline (`-n bar`). They should work the same. | |||
Run this command to set another policy only for `httpbin.bar` service. Note in this example, we do **not** specify namespace in metadata but put it in commandline (`-n bar`). They should work the same. |
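Review bot: "They should work the same" holds only when the two agree: if `metadata.namespace` is set and differs from the `-n` value, kubectl rejects the object instead of applying it. Suggest "Either way works, as long as the two do not conflict", so a reader who copies the policy into another namespace does not get a confusing error.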
put it in the command-line
done
_docs/tasks/security/authn-policy.md
Outdated
@@ -166,7 +161,7 @@ spec: | |||
EOF | |||
``` | |||
|
|||
This new policy will apply only to `httpbin` service on port `1234`. As a result, mTLS is disabled (again) on port `8000` and request from `sleep.legacy` will resume working. | |||
This new policy will apply only to the `httpbin` service on port `1234`. As a result, mTLS is disabled (again) on port `8000` and request from `sleep.legacy` will resume working. |
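Review bot: "mTLS is disabled (again) on port 8000" assumes the reader knows that the earlier service-level policy for `httpbin.bar` no longer applies. State whether this policy replaces the previous one (same resource name) or how two policies that select the same service are resolved; otherwise a reader may conclude that a port-scoped policy silently overrides a broader one, which would be a surprising security property to leave implicit.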
request -> requests
done
_docs/tasks/security/authn-policy.md
Outdated
@@ -176,9 +171,9 @@ kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metad | |||
200 | |||
``` | |||
|
|||
## Having both namespace-level and service-level policy. | |||
## Having both namespace-level and service-level policy |
policy -> policies
done
_docs/tasks/security/authn-policy.md
Outdated
@@ -240,7 +235,7 @@ Get ingress IP | |||
export INGRESS_HOST=$(kubectl get ing -n foo -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}') | |||
``` | |||
|
|||
And run test query | |||
And a run test query |
a run -> run a
done
* add example for disabling injection (istio#1021)
* Updated reference docs. (istio#1045)
* Add task for Istio CA health check. (istio#1038)
* Add task for Istio CA health check.
* Small fix.
* Small fix.
* Updates troubleshooting guide to add pilot (istio#1037)
* Fix misnamed link (istio#1050)
* update document generation for istioctl (istio#1047)
* Hack to get ownership of Google analytics account for the site.
* Don't need the analytics hack no more...
* Make the rake test ensure that we use {{home}} consistently. (istio#1053) We now generate the test site into a subdirectory such that we can ensure all links are correctly using {{home}}, which makes the site work correctly once archived. Fixed a bunch of broken cases.
* Reduce the visual weight of code blocks so they don't break up the page so much. (istio#1054)
* Introduce support for building the site in "preliminary" mode. (istio#1052)
* Notes for 0.6 (istio#1048)
* Refresh version selection menu given 0.6.
* update instructions for mesh expansion (istio#1056)
* update instructions for mesh expansion
* remove ISTIO_STAGING references
* Specify --debug option to use docker.io/istio/proxy_debug image for (istio#1057) deployment.
* Update reference docs.
* Update Quick start Doc (istio#1059) Fix Typo
* Update Istio RBAC document to reflect sample changes. (istio#1062)
* Fix typo in Cleanup section (istio#1061)
* clarify verification of injected proxy with automatic injection (istio#1024)
* Fix wrong port number (istio#1041)
* Sidecar proxy help (istio#1044)
* Use same instance name in Mixer config example (istio#1051)
* Add a bunch of redirects for old pages (istio#1066) The Google Crawl Engine reported a bunch of broken links pointing into istio.io. This adds redirects so that these links work. Add a hack such that the gear menu logic that lets you time travel through versions of the site will insist that if a page existed in a given version, it must also exist in subsequent versions. This will ensure we always create redirects when we move site content, and thus avoid breaking links into the site. If a page is moved or removed, this will lead to rake test errors when checking the content of archive.istio.io.
* Update reference docs.
* Fix bad formatting.
* Fix typos.
* Update reference docs.
* Eliminate flickering on page load. (istio#1068)
  - Fix another issue with my arch-nemesis, the Copy button. My last fix for Copy button issues resulted in screen flickering upon page loading. This is now fixed.
  - Pin the size of the gear and magnifying glass icons in the header to avoid flicker as the fonts for those renders a few ms too late and lead to flickering on page load.
  - Cleaned up the site's JavaScript for clarity, and include minimized versions in the site for improved perf.
* Improve formatting. (istio#1070)
  - Remove the silly right indent used for list items. This was throwing away a lot of useful screen real estate on mobile.
* Add support for dynamically inserting file content into the site. (istio#1069) This is useful for pulling in content straight from GitHub on the fly, rather than cut & pasting it into the site.
* Update sidecar AWS verification (istio#1060)
* Update sidecar AWS verification: Add verification without ssh access on master node. Perform check directly with kubectl client.
* Update sidecar injection Docs: Update with @ayj remarks
* Update link: Update link for managing tls in a cluster, add a '/'
* Fix links. (istio#1073)
  - Add a / to links pointing to directories
  - Switch a bunch of links from http: to https:
* master branch is now served from preliminary.istio.io (istio#1075)
* Setup 0.7.
* Forgot to update releases.yml.
* Update README
* Consolidate cluster prerequisites for webhooks into k8s quick start (istio#1077) The automatic sidecar injection has its own set of k8s install instructions for webhooks. This overlaps with the general k8s install instructions. We'll also introduce server-side configuration webhooks which need the same prerequisites.
* Add missing .html suffix on some links. (istio#1080)
* A few more link fixes (istio#1081)
* Fix handling of legacy community links.
* Add missing .html extension on search page reference.
* Add Certificate lifetime configuration in FAQ. (istio#1079)
* Update reference docs.
* Fix some newly broken links. (istio#1082)
* Update reference docs.
* Remove empty document. (istio#1085)
* Update Ansible documentation to reflect change in Jaeger addon (istio#1049)
* Update Ansible documentation to reflect change in Jaeger addon. Relates to: istio/istio#3603
* Small polish to Ansible documentation
* Remove extra tilde in the docs (istio#1087) Fixes istio#1004
* [WIP] Update traffic routing tasks to use v1alpha3 config (istio#1067)
* use v1alpha3 route rules
* circuit breaking task updated to v1alpha3
* convert mirroring task to v1alpha3
* convert egress task to v1alpha3
* Egress task corrections and clarifications
* use simpler rule names
* move new tasks to separate folder (keep old versions around for now)
* update example outputs
* egress tcp task
* fix broken refs
* more broken refs
* improve wording
* add missing include home.html
* remove ingress task - will create a replacement in followup PR
* Improve sorting algorithm to use document title and not just document URL. (istio#1089) This makes it so documents in the same directory get sorted by document title instead of by the URL name (unless they have an order: directive, which takes precedence over alpha order)
* Istio RBAC doc fix. (istio#1093)
* Improve readability
* Add one more faq for secret encryption (istio#1096)
* Add note to have debug version of proxy for curl command (istio#1097)
* Delete some old stuff we don't need anymore.
* Delete some old stuff we don't need anymore.
* Fix problem preventing proper section indices in the "About" section of the site.
* Revise note to install curl (istio#1098)
* Revise note to install curl
* Revise note to install curl
* Address comment
* Fix bug with the Copy button and proto documentation.
  - HTML generated from protos encode preformatted blocks with <pre><code></code></pre>, while HTML generated through Jekyll's markdown converter wraps an extra <div> around the block. The logic to insert the Copy button on preformatted was assuming the presence of this DIV. If the DIV is not present on input, we now explicitly add one which makes things work.
* Update reference docs.
* Fix bug that was messing up all the index pages in the site. (istio#1100) Fix newly broken k8s link along the way...
* Revise curl instruction in master branch (istio#1107)
* Update intro.md (istio#1110)
* Update intro.md: Updating info per Wencheng's suggestion
* Update intro.md
* WIP - Combined ingress/gateway task for v1alpha3 (istio#1094)
* First pass combined ingress/gateway task
* Add verifying gateway section
* clarifications
* fix broken link
* fix build broken
* address review comments
* fix small grammar issue (istio#1112)
* Fix a few bugs and add a feature. (istio#1111)
  - Link injection for document headers has been broken for a while due to my misunderstanding of the "for in" syntax in JavaScript. This now works as expected.
  - Same problem also prevented the feature that causes every link to outside of istio.io to be opened in a separate window. This now works as intended.
  - Made the gear dropdown menu be right-aligned such that it doesn't go off-screen on portrait mode tablets.
  - Stop importing Popper.js since it's only needed for dropdown menus that aren't in the nav bar. Ours is in a nav bar...
  - Added link injection for <dt> terms, which makes it easy to create links to individual glossary entries.
* 0.7 notes (istio#1101)
* Add an entry about creating quality hyperlinks. (istio#1114)
* 0.2.12 typo fix + doc link should be to docs/ directly + ... (istio#1115)
* 0.2.12 doc link should be to docs/ directly + note about shell security
* fix typo (for for)
* Revise wording and linking. Drop the double TOC (this page has very little traffic anyway)
* Fix inconsistent header use in this doc.
* Fix invalid index page.
* Update servicegraph docs with new viz. (istio#1074)
* Fix mobile navigation issues. (istio#1118) When on mobile, the left sidebar is hidden by default. To make navigation easier, we allow the user to browse the site entirely through the various index sections which provide links to all articles. This wasn't working for the About and Blog links at the top of the page since they send you to a direct page instead of to the relevant navigation page. So...
  - Made the About link point to the about section's index page.
  - Each blog page now contains a link to the next and previous blog post.
* [ImgBot] optimizes images (istio#1120) /_docs/tasks/telemetry/img/servicegraph-example.png -- 41.49kb -> 28.62kb (31.03%)
* Add documentation for upgrade (istio#1108)
* Add upgrade doc and fixing a broken link.
* revert one file.
* Refine the doc.
* Move the doc.
* Fix syntax.
* Fix syntax
* Fix syntax
* Make non-manifest based installers have similar titles and overviews (istio#1086)
* Make the setup page a little more consistent.
* Make non-manifest based installers have similar titles and overviews
* Shorten the overview, tidy up the title, and add a helm.html redirect
* Installation typo in both files
* Fix inconsistent header use in this doc. (istio#1117)
* Improve layout on phone.
  - We shrink the height of the header and footer when on mobile.
  - We shrink the header font based on screen width, to avoid the nav bar being split on two lines which leads to all sorts of bad things happening
* Since we shrink the brand more aggressively, allow the navbar to be displayed until the next bp.
* Oops, left a debugging change in accidentally, reverting.
* Add Istio mTLS support for https service demo (istio#1121)
* Add Istio mTLS support for https service demo
* Address comment
* Address comment
* Address comment
* Fix more headers. (istio#1126)
* Update procedures to access the team drive.
* Fix broken links, causing HTML proofer in circleci gates to fail (istio#1132)
* Fix broken links, causing HTML proofer in circleci gates to fail
* Add the same missing links to sidecar-injection.md
* Refine Helm installation warning. (istio#1133) Helm charts are unstable prior to 0.7. Remove the red warning and instead add a simple notice that Helm charts =<0.7 are not functional.
* Fix typo. In AWS (w/Kops) section: "openned" should be "opened"?
* prepare_proxy was refactored into istio-proxy (istio#1134)
* In Note 1: Consul modified to Eureka (istio#1122)
* Revamped nav header for better mobile experience. (istio#1129)
  - We now only use the skinny version of the navbar instead of dynamically switching based on viewport size. This looks cleaner, giving more screen space to the content rather than our chrome.
  - The search textbox is replaced with a search button. Clicking the button brings up the search textbox. This looks less cluttered and works considerably better on smaller screens.
  - When on a phone and the nav links are collapsed into a hamburger menu, cleanly show the search box in the menu that comes up when you click the hamburger.
  - Remove the down arrow next to the cog, it's superfluous and things look cleaner without it.
* Add one faq item for istio on https service (istio#1127)
* Add one faq item for istio on https service
* Address comment
* Address comment
* Simplify the demo of plugin ca cert. (istio#1138)
* Update IBM Cloud Container Service (IKS) k8s setup instructions (istio#1136) Copy IKS specific instructions from istio#1072 to general k8s setup page.
* Revamp the footer. (istio#1137)
  - Remove all the redundant stuff and emphasize community resource via icons.
  - Move the "Report a doc bug" and "Edit this page on GitHub" options to the gear menu.
  - Use Jekyll "include" support to store the landing page's artwork in external SVG files instead of directly embedded in the HTML. Much nicer.
* Switching to 0.8.
* Update README
* Add placeholder 0.8 file to fix rake tests
* Create Owners
* Fix markdown (istio#1140)
* Cleans up the readability of the Ansible Installation (istio#1130)
* Cleans up the readability of the Ansible Installation. Run through a yaml linter. Run through spell | sort | uniq. Reorganized to semi-match the Helm installation page as they have similar functionality. There are things I like about how this document is structured now and will carry those over to the Helm documentation in the future as time permits.
* Remove customization example as suggested during the review
* Change Openshift->OpenShift
* Add labels over community icons in the footer. (istio#1142)
* Remove $ sign in command since it breaks the copy button (istio#1143)
* Update 0.7.md (istio#1144) helm is working in master branch but not in 0.7.1
* Fix bug caused by istio#1138 (istio#1145)
* Switch back to normal html-proofer (istio#1146) As my pr was merged. Fixes istio#849
* Setup for linting markdown files. (istio#1147)
  - linters.sh will run spell-checking and a style checker on markdown files.
  - Fix a whole bunch of typos and bad markdown content throughout. There are many more fixes to come before we can enable the linters as a checkin gate, but this takes care of a majority of items. More to come later.
* Finish fixing remaining lint errors
* Make spell checking and style checking part of our doc checkin gate. (istio#1154)
* Update
* Inline the TOC on mobile.
  - For small screens that don't have room for the righthand TOC, we now display the TOC inline in the main document. This substantially improves navigation on mobile.
  - Fix the scroll offset which was off by a bit since the switch to the skinny header.
* Update reference docs.
* Improve mobile experience. (istio#1158) - The two call to action buttons on the landing page are now displayed one of top of the other on small screens instead of next to one another. - On mobile, when you scroll down a page, an arrow shows up in the top right of the screen to let you scroll back to the top of the page. This is mighty handy since on mobile there isn't a TOC available to click on. - Add some convenient links on the docs' section landing page. * Accessibility improvements. (istio#1159) * www.yaml.org went missing - yaml.org seems to work. (istio#1166) sdake@falkor-08:~/go/src/istio.io/istio.github.io/_docs$ dig www.yaml.org ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.yaml.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34828 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.yaml.org. IN A ;; Query time: 917 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Apr 08 09:10:51 MST 2018 * Authn policy concept and tutorial. (istio#1128) * fix service account names in the instructions for OpenShift (istio#1083) This commit replaces the service account names for grafana and prometheus in the instructions to set the security context constraints for OpenShift. * Improve plugin cert task for better UX. (istio#1150) * Update Security section in Istio overview (istio#1170) * Update Security section in Istio overview * Fix comment * Update documentation for automatic sidecar injection webhook. (istio#1169) * Add multicluster deployment documentation to Istio (istio#1139) * Add multicluster deployment documentation to Istio * Change *Ip to *Endpoint a per request * Fix a typo * Address all reviewer comments Note, SVG diagram will be handled as a follow-on PR. * Fix legitimate spelling errors found by gate * Some backticks to fix spelling errors and other misc cleanups * some spelling and backticks. 
* Expand spelling exemptions dictionary slightly * Correctly spell routable. * Address reviewer comments. Needed a rebase in the process. * A minor consistency change * Address reviewer comments. * Add a caveats and known issue tracker to the documentation Early on during review of this PR, I believe there was a review asking for caveats, but it has disappeared from the github comments. * Make istio.io support quality print output. (istio#1163) - Get rid of all the chrome when printing a page. So no headers, sidebars, etc. - Ensure that PRE blocks are fully expanded when printing instead of showing a scroll bar. - Generate endnotes for each page printed which lists the URLs of the various links on the page. Each link site is annotated with a superscript number referencing this table. * Update doc for TCP periodical report. (istio#1095) * Update doc for TCP periodical report. * Add report response arrow into svg. * Reference: https://istio.io/docs/reference/config/istio.routing.v1alpha1.html#StringMatch (istio#1180) * Fix broken links caused by changes in istio/istio. * Update reference docs. * Improve sidenav behavior on mobile. (istio#1173) The sidenav now hovers over the main text instead of pushing the main text sideways. The rendering of the sidenav toggler button now matches the "back to top" button I added last week. * Bunch of improvements (istio#1181) - New visuals for the sailboat in the header. It now overflows the header. - The TOC now highlights the currently displayed portion of the current page. As you scroll through the doc, the selected entry updates accordingly. - Add previous/next page links in every doc page. These used to be present only in blog posts, but they're useful everywhere. - Fix a few off-by-one formatting errors that stemed from using a mixed of min-width and max-width throughout the stylesheet. This caused some strange formatting to happen at specific window widths. 
Now, we're consistently using min-width and everything lines up properly. - Improved footer formatting so it looks better on mobile. - Only display the TOC on XL screens, otherwise it wraps too much. Screens smaller than XL now all get the inlined TOC instead. - Add support for pages to request that the TOC be generated inline instead of in a sidebar. This is useful for pages that have headings which cause too much wrapping in the TOC, such as the Troubleshooting Guide. - Add some blank space between an inlined TOC and the main text so that things don't look so crowded, especially when printing. - Inline the sailboat SVG into each page. This avoids a network roundtrip and allows the SVG to be controlled with the same CSS as everything else. - Eliminate a huge amount of redundancy in the four main layout file for the site. They now share a single primary.html include file which carries most of the weight. This will avoid having to constantly make the same change in four different files. - Improve the generated HTML for <figure> elements which makes things better for screen readers. - Simplify the HTML & CSS for the footer. * Fix indent issue (istio#1182) * Rename Isito CA to Citadel. (istio#1179) * Update feature-stages.md (istio#1183) Updates to features as of 0.7 release * Update Helm Documentation (istio#1168) * Modify minimum pin of Istio version with Helm and improve prereqs * Add section describing briefly how to use helm without tiller * Change heading description for Helm method and add upgrade warning * Make common customization options table match current master * Subsection the two methods for installing with Helm * Remove Helm keys from .spelling. Add FQDNs as an acronym. 
* Backtick the keys and defaults, values.yaml, and fix 1 spelling error * Add uninstall instructions for both kubectl and helm with tiller * Place backticks around architecture platforms and correctly list them * Show both uninstall methods (kubectl & Helm) * Remove two extra CRs * Fix yaml linting errors * Link to requirements for automatic sidecar injection. * Change istio-auth to istio for rendering * Address reviewer comments. * Fix linting error. * Notify operator they need capability to install service accounts. * Fix lint error * Switch to PrismJS for syntax highlighting. (istio#1184) Instead of doing syntax highlighting statically in Jekyll, we now go back to the PrimsJS library we used in the 0.2-0.4 timeframe. It used to be problematic, but the cause for the problems have been addressed a while ago. This gives us highlighting for non-markdown content, such as dynamically loaded PRE blocks and PRE blocks that come from HTML generated from protos. * Adding info about new expression language methods. (istio#1186) Adding info about dnsName, email, and uri functions. * Fix typo liveliness -> liveness (istio#1188) * Fix typo liveliness -> liveness Add mdspell dependency to gem installations * Add backticks around firebase deploy command * Fix a few bugs. (istio#1187) - The slide-in sidenav used on mobile went all crazy when text got too long in the expanded panel. We now set a max width to trigger controlled wrapping and avoid the nasties. - The hamburger menu that replaces the link in the top header on small screens didn't render right on medium-sized screens (a.k.a. portrait-mode tablets). I had one of my breakpoints set inconsistently. - Dynamically loaded PRE blocks were not being syntax colored, now they are. - The Links endnote section created for printing pages was not dedupping identical links. - The Links endnote section contained entries for the next/previous links which are normally at the bottom of each page. 
These links aren't visible when printing and so shouldn't appear in the Links endnote section. * Add rocket chat to our footer & community page. (istio#1189) Also, update the mailing list icon on the community page to match what we use in the footer. * Add instructions to integrate Istio with existing Endpoints services. (istio#1164) * Add multitenancy blog (istio#1119) * Add multitenancy blog * Update soft-multitenancy.md * Update soft-multitenancy.md * Add multitenancy blog * Add blog entry for configuring aws nlb for istio ingress (istio#1165) * Don't add links from figures into endnotes. (istio#1192) - The prior design for avoiding links for figures was brittle and was in fact broken. Now it's more robust. * [ImgBot] optimizes images (istio#1193) *Total -- 683.39kb -> 440.68kb (35.52%) /_blog/2018/img/roles_summary.png -- 101.32kb -> 61.03kb (39.77%) /_blog/2018/img/policies.png -- 244.70kb -> 148.25kb (39.41%) /_blog/2018/img/attach_policies.png -- 48.65kb -> 31.59kb (35.06%) /_blog/2018/img/createpolicyjson.png -- 120.21kb -> 80.63kb (32.93%) /_blog/2018/img/create_policy.png -- 86.38kb -> 60.62kb (29.82%) /_blog/2018/img/createpolicystart.png -- 82.12kb -> 58.55kb (28.7%) * Update circuit break use existing file. (istio#1091) * Add proper link to Helm and Multicluster feature stages (istio#1196) * Update multicluster installation to match master (istio#1195) * Add a trailing / on an URL that was returning a 301 * Update multicluster intallation to match master Big usability improvements have been made. Document the new workflow for multicluster. * Address reviewer comments. * Fix linting problem * Fix docker run command (istio#1201) The command as it stands will fail with "Gemfile not found". The working directory should be set to $(pwd) as well to start execution in the istio.github.io directory and find the Gemfile. 
* remove installation instructions for prometheus (istio#1199) * remove installation instructions for prometheus * more doc fixes for 0.8 * Add request.auth.claims and update source.user, source.principal, and (istio#1205) request.auth.principal * Fix command to build & serve site locally using docker (bad workdir) (istio#1206) * Add attributes into documentation. (istio#1200) * add a step to define ingress gateway in bookinfo guide (istio#1207) * add a step to define ingress gateway in bookinfo guide following istio/istio#5113 * make ingress gateway lower case * Fix broken link in README.md (istio#1209) * Adding Azure support instructions (istio#1202) * adding docs for Azure * minor misspelling fix * adding acronyms * removing blank line * changing bash output to reflect only necessary flags * fixing grammar errors * Fix link to IBM cloud private (istio#1216) * Typo fix (istio#1208) * clarify we support more than just k8s (istio#1212) * Update reference docs. (istio#1219) * Quiet GitHub warning * v1alpha3 routing blog (istio#1190) * Clarify istio.io/preliminary.istio.io stuff (istio#1221) * add galley.enabled option to helm instructions (istio#1222) * Fix naming collision (istio#1226) ingressgateway and ingress both match the grep, resulting in incorect ingress name being produced in troubleshooting guide. * adding the recommended namespace (istio#1218) * adding the recommended namespace istio/old_issues_repo#312 * add the recommended namespace * add creating the namespace * correct typos * only need to create namespace for the template approach * Introduce support for new fangled PRE blocks. (istio#1224) Instead of having to have two PRE blocks, one for commands and one for the output, we can now have a single PRE block and we take care of rendering things to show the command vs. the output. The Copy button on such a thing only copy the command, and not the output. 
We now also show a $ on command-lines, but the Copy button doesn't copy that and knows to just copy the usable part of the command-line. * 0.8 release notes. (istio#1223) * Fix incorrect behavior of the sidenav when dealing with long non-wrapping page titles. (istio#1229) - When I was last fiddling with the sidenav on mobile, I messed up the sizing for non-mobile cases. This cause the sidenav to grow beyond its expected size when presented with long non-wrapping page titles. The text is now wrapped instead as it should. - Shrank the font size of the list items in the sidenav to 85% to reduce the amount of wrapping that happens. - Reduce the right margin in the side nav to again try to reduce the amount of wrapping. * Update content to help upcoming migration from Jekyll to Hugo (istio#1232) - In front matter, order: and overview: are now weight: and description: - In front matter, we generally don't need layout: and use config to assign layouts automatically - Remove the useless type: front-matter entries, the type is infered from the file extension. * Improves multicluster documentation (istio#1217) * Improves multicluster documentation Improve documentation based upon fresh eyes running through the documented process. * Address reviewer comments. * More refinement. * Exclude rule MD028 Rule 028 is: https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md028---blank-line-inside-blockquote The rationale below cut and pasted from markdownlint seems valid for the general case, however, our MD parser always produces seprate block-quotes, which is what I am after in this PR. I think other people will prefer our renders of blockquotes (separate blockquotes); Rationale: Some markdown parsers will treat two blockquotes separated by one or more blank lines as the same blockquote, while others will treat them as separate blockquotes. 
* Improve the doc to apply istio-auth.yaml (istio#1227) * Fix doc (istio#1228) * Task/guide updates for v1alpha3 (istio#1231) * Task/guide updates for v1alpha3 * fix typo * remove trailing spaces * tweaks * Corrections and clarifications (istio#1238) * clarify https external services support (istio#1239) * clarify https external services support * spelling error * Hopefully finally really fix the issues with the sidenav on small screens. (istio#1240) * fix manual sidecar injection docs for helm template changes (istio#1211) Addresses istio#1210 * Switch most uses of ```bash to ```command. (istio#1242) This takes advantage of the new rendering for command-lines and their outputs. * Fixes to the doc after testing/reviewing it with release-0.8 istio branch (istio#1244) * update format of a tcp ServiceEntry (istio#1237) * Remove broken link. (istio#1250) * WIP PR for v1alpha3 task corrections (istio#1247) * ingress task corrections * fault injection task version wrong * Fault task corrections (istio#1253) * update samples to align with latest proto definition (istio#1254) * Traffic Shifting Review - Fixed wrong links (istio#1259) * rbac.md: unindent yaml files (istio#1257) also fixed a typo Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com> * Create istio namespace before install remote cluster. (istio#1243) * update instructions for gke-iam (istio#1260) * Remove a broken link. (istio#1263) * Fix another broken link. (istio#1265) * [ImgBot] optimizes images (istio#1264) *Total -- 73.77kb -> 65.13kb (11.72%) /_docs/setup/kubernetes/img/dm_gcp_iam_role.png -- 38.54kb -> 33.47kb (13.15%) /_docs/setup/kubernetes/img/dm_gcp_iam.png -- 35.23kb -> 31.65kb (10.15%) * Fixes istio#1241 (istio#1258) * Added namespace when create helm template. 
(istio#1234) * Add istioctl proxy-config to the troubleshooting section (istio#1267) * Fix istioctl proxy-config link to not point at prelim docs (istio#1269) Because that would be a dumb thing to do * Update how we insert images to make a transition from Jekyll to Hugo easier. (istio#1275) * Change publish_date front-matter to publishdate to aid in the Jekyll to Hugo migration. (istio#1276) * Remove stray quotes. * Shorten long titles and descriptions. (istio#1278) * Fix aspect ratio of a couple images. (istio#1277) The incorrect aspect ratio value was leading to spurious top/bottom padding on the images. Also, delete unecessary .png version of some .svg files.
* Rebase from Istio Master (#2) * add example for disabling injection (#1021) * Updated reference docs. (#1045) * Add task for Istio CA health check. (#1038) * Add task for Istio CA health check. * Small fix. * Small fix. * Updates troubleshooting guide to add pilot (#1037) * Fix misnamed link (#1050) * update document generation for istioctl (#1047) * Hack to get ownership of Google analytics account for the site. * Don't need the analytics hack no more... * Make the rake test ensure that we use {{home}} consistently. (#1053) We now generate the test site into a subdirectory such that we can ensure all links are correctly using {{home}}, which makes the site work correctly once archived. Fixed a bunch of broken cases. * Reduce the visual weight of code blocks so they don't break up the page so much. (#1054) * Introduce support for building the site in "preliminary" mode. (#1052) * Notes for 0.6 (#1048) * Refresh version selection menu given 0.6. * update instructions for mesh expansion (#1056) * update instructions for mesh expansion * remove ISTIO_STAGING references * Specify --debug option to use docker.io/istio/proxy_debug image for (#1057) deployment. * Update reference docs. * Update Quick start Doc (#1059) Fix Typo * Update Istio RBAC document to relfect sample changes. (#1062) * Fix typo in Cleanup section (#1061) * clarify verification of injected proxy with automatic injection (#1024) * Fixe wrong port number (#1041) * Sidecar proxy help (#1044) * Use same instance name in Mixer config example (#1051) * Add a bunch of redirects for old pages (#1066) The Google Crawl Engine reported a bunch of broken links pointing into istio.io. This adds redirects so that these links work. Add a hack such that the gear menu logic that lets you time travel through versions of the site will insist that if a page existed in a given version, it must also exist in subsequent versions. 
This will ensure we always create redirects when we move site content, and thus avoid breaking links into the site. If a page is moved or removed, this will lead to rake test errors when checking the content of archive.istio.io. * Update reference docs. * Fix bad formatting. * Fix typos. * Update reference docs. * Eliminate flickering on page load. (#1068) - Fix another issue with my arch-nemesis, the Copy button. My last fix for Copy button issues resulted in screen flickering upon page loading. This is now fixed. - Pin the size of the gear and magnifying glass icons in the header to avoid flicker as the fonts for those renders a few ms too late and lead to flickering on page load. - Cleaned up the site's JavaScript for clarity, and include minimized versions in the site for improved perf. * Improve formatting. (#1070) - Remove the silly right indent used for list items. This was throwing away a lot of useful screen real estate on mobile. * Add support for dynamically inserting file content into the site. (#1069) This is useful for pulling in content straight from GitHub on the fly, rather than cut & pasting it into the site. * Update sidecar AWS verification (#1060) * Update sidecar AWS verification Add verification without ssh access on master node. Perform check directly with kubectl client. * Update sidecar injection Docs Update with @ayj remarks * Update link Update link for managing tls in a cluster, add a '/' * Fix links. (#1073) - Add a / to links pointing to directories - Switch a bunch of links from http: to https: * master branch is now server from preliminary.istio.io (#1075) * Setup 0.7. * Forgot to update releases.yml. * Update README * Consolidate cluster prerequisites for webhooks into k8s quick start (#1077) The automatic sidecar injection has its own set of k8s install instructions for webhooks. This overlaps with the general k8s install instructions. We'll also introduce server-side configuration webhooks which need the same prerequisites. 
* Add missing .html suffix on some links. (#1080) * A few more link fixes (#1081) * Fix handling of legacy community links. * Add missing .html extension on search page reference. * Add Certificate lifetime configuration in FAQ. (#1079) * Update reference docs. * Fix some newly broken links. (#1082) * Update reference docs. * Remove empty document. (#1085) * Update Ansible documentation to reflect change in Jaeger addon (#1049) * Update Ansible documentation to reflect change in Jaeger addon Relates to: istio/istio#3603 * Small polish to Ansible documentation * Remove extra tilde in the docs (#1087) Fixes #1004 * [WIP] Update traffic routing tasks to use v1alpha3 config (#1067) * use v1alpha3 route rules * circuit breaking task updated to v1alpha3 * convert mirroring task to v1alpha3 * convert egress task to v1alpha3 * Egress task corrections and clarifications * use simpler rule names * move new tasks to separate folder (keep old versions around for now) * update example outputs * egress tcp task * fix broken refs * more broken refs * imporove wording * add missing include home.html * remove ingress task - will create a replacement in followup PR * Improve sorting algorithm to use document title and not just document URL. (#1089) This makes it so documents in the same directory get sorted by document title instead of by the URL name (unless they have an order: directive, which takes precedence over alpha order) * Istio RBAC doc fix. (#1093) * Improve readability * Add one more faq for secret encryption (#1096) * Add note to have debug version of proxy for curl command (#1097) * Delete some old stuff we don't need anymore. * Delete some old stuff we don't need anymore. * Fix problem preventing proper section indices in the "About" section of the site. * Revise note to install curl (#1098) * Revise note to install curl * Revise note to install curl * Address comment * Fix bug with the Copy button and proto documentation. 
- HTML generated from protos encode preformatted blocks with <pre><code></code></pre>, while HTML generated through Jekyll's markdown converter wraps an extra <div> around the block. The logic to insert the Copy button on preformatted was assuming the presence of this DIV. If the DIV is not present on input, we now explicitly add one which makes things work. * Update reference docs. * Fix bug that was messing up all the index pages in the site. (#1100) Fix newly broken k8s link along the way... * Revise curl instruction in master branch (#1107) * Update intro.md (#1110) * Update intro.md Updating info per Wencheng's suggestion * Update intro.md * WIP - Combined ingress/gateway task for v1alpha3 (#1094) * First pass combined ingress/gateway task * Add verifying gateway section * clarifications * fix broken link * fix build broken * address review comments * fix small grammar issue (#1112) * Fix a few bugs and add a feature. (#1111) - Link injection for document headers has been broken for a while due to my misunderstanding of the "for in" syntax in JavaScript. This now works as expected. - Same problem also prevented the feature that causes every link to outside of istio.io to be opened in a separate window. This now works as intended. - Made the gear dropdown menu be right-aligned such that it doesn't go off-screen on portrait mode tablets. - Stop importing Popper.js since it's only needed for dropdown menus that aren't in the nav bar. Ours is in a nav bar... - Added link injection for <dt> terms, which makes it easy to create links to individual glossary entries. * 0.7 notes (#1101) * Add an entry about creating quality hyperlinks. (#1114) * 0.2.12 typo fix + doc link should be to docs/ directly + ... (#1115) * 0.2.12 doc link should be to docs/ directly + note about shell security * fix typo (for for) * Revise wording and linking Drop the double TOC (this page has very little traffic anyway) * Fix inconsistent header use in this doc. * Fix invalid index page. 
* Update servicegraph docs with new viz. (#1074) * Fix mobile navigation issues. (#1118) When on mobile, the left sidebar is hidden by default. To make navigation easier, we allow the user to browse the site entirely through the various index sections which provide links to all articles. This wasn't working for the About and Blog links at the top of the page since they send you to a direct page instead of to the relevant navigation page. So... - Made the About link point to the about section's index page. - Each blog page now contains a link to the next and previous blog post. * [ImgBot] optimizes images (#1120) /_docs/tasks/telemetry/img/servicegraph-example.png -- 41.49kb -> 28.62kb (31.03%) * Add documentation for upgrade (#1108) * Add upgrade doc and fixing a broken link. * revert one file. * Refine the doc. * Move the doc. * Fix syntax. * Fix syntax * Fix syntax * Make non-manifest based installers have similar titles and overviews (#1086) * Make the setup page a little more consistent. * Make non-manifest based installers have similar titles and overviews * Shorten the overview,tidy up the title, and add a helm.html redirect * Installation typo in both files * Fix inconsistent header use in this doc. (#1117) * Improve layout on phone. - We shrink the height of the header and footer when on mobile. - We shrink the header font based on screen width, to avoid the nav bar being split on two lines which leads to all sorts of bad things happening * Since we shrink the brand more aggressively, allow the navbar to be displayed until the next bp. * Oops, left a debugging change in accidentally, reverting. * Add Istio mTLS support for https service demo (#1121) * Add Istio mTLS support for https service demo * Address comment * Address comment * Address comment * Fix more headers. (#1126) * Update procedures to access the team drive. 
* Fix broken links, causing HTML proofer in circleci gates to fail (#1132) * Fix broken links, causing HTML proofer in circleci gates to fail * Add the same missing links to sidecar-injection.md * Refine Helm installation warning. (#1133) Helm charts are unstable prior to 0.7. Remove the red warning and instead add a simple notice that Helm charts =<0.7 are not functional. * Fix typo In AWS (w/Kops) section: "openned" should be "opened"? * prepare_proxy was refactored into istio-proxy (#1134) * In Note 1: Consul modified to Eureka (#1122) * Revamped nav header for better mobile experience. (#1129) - We now only use the skinny version of the navbar instead of dynamically switching based on viewport size. This looks cleaner, giving more screen space to the content rather than our chrome. - The search textbox is replaced with a search button. Clicking the button brings up the search textbox. This looks less cluttered and works considerably better on smaller screens. - When on a phone and the nav links are collapsed into a hamburger menu, cleanly show the search box in the menu that comes up when you click the hamburger. - Remove the down arrow next to the cog, it's superfluous and things look cleaner without it. * Add one faq item for istio on https service (#1127) * Add one faq item for istio on https service * Address comment * Address comment * Simplify the demo of plugin ca cert. (#1138) * Update IBM Cloud Container Service (IKS) k8s setup instructions (#1136) Copy IKS specific instructions from #1072 to general k8s setup page. * Revamp the footer. (#1137) - Remove all the redundant stuff and emphasize community resource via icons. - Move the "Report a doc bug" and "Edit this page on GitHub" options to the gear menu. - Use Jekyll "include" support to store the landing page's artwork in external SVG files instead of directly embedded in the HTML. Much nicer. * Switching to 0.8. 
* Update README * Add placeholder 0.8 file to fix rake tests * Create Owners * Fix markdown (#1140) * Cleans up the readability of the Ansible Installation (#1130) * Cleans up the readability of the Ansible Installation Run through a yaml linter Run through spell | sort | uniq Reorganized to semi-match the Helm installation page as they have similar functionality There are things I like about how this document is structured now and will carry those over to the Helm documentation in the future as time permits. * Remove customization example as suggested during the review * Change Openshift->OpenShift * Add labels over community icons in the footer. (#1142) * Remove $ sign in command since it breaks the copy button (#1143) * Update 0.7.md (#1144) helm is working in master branch but not in 0.7.1 * Fix bug caused by #1138 (#1145) * Switch back to normal html-proofer (#1146) As my pr was merged Fixes #849 * Setup for linting markdown files. (#1147) - linters.sh will run spell-checking and a style checker on markdown files. - Fix a whole bunch of typos and bad markdown content throughout. There are many more fixes to come before we can enable the linters as a checkin gate, but this takes care of a majority of items. More to come later. * Finish fixing remaining lint errors * Make spell checking and style checking part of our doc checkin gate. (#1154) * Update * Inline the TOC on mobile. - For small screens that don't have room for the righthand TOC, we now display the TOC inline in the main document. This substantially improves navigation on mobile. - Fix the scroll offset which was off by a bit since the switch to the skinny header. * Update reference docs. * Improve mobile experience. (#1158) - The two call to action buttons on the landing page are now displayed one of top of the other on small screens instead of next to one another. 
  - On mobile, when you scroll down a page, an arrow shows up in the top right of the screen to let you scroll back to the top of the page. This is mighty handy since on mobile there isn't a TOC available to click on.
  - Add some convenient links on the docs' section landing page.
* Accessibility improvements. (#1159)
* www.yaml.org went missing - yaml.org seems to work. (#1166) sdake@falkor-08:~/go/src/istio.io/istio.github.io/_docs$ dig www.yaml.org ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.yaml.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34828 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.yaml.org. IN A ;; Query time: 917 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Apr 08 09:10:51 MST 2018
* Authn policy concept and tutorial. (#1128)
* fix service account names in the instructions for OpenShift (#1083) This commit replaces the service account names for grafana and prometheus in the instructions to set the security context constraints for OpenShift.
* Improve plugin cert task for better UX. (#1150)
* Update Security section in Istio overview (#1170)
* Update Security section in Istio overview
* Fix comment
* Update documentation for automatic sidecar injection webhook. (#1169)
* Add multicluster deployment documentation to Istio (#1139)
* Add multicluster deployment documentation to Istio
* Change *Ip to *Endpoint as per request
* Fix a typo
* Address all reviewer comments Note, SVG diagram will be handled as a follow-on PR.
* Fix legitimate spelling errors found by gate
* Some backticks to fix spelling errors and other misc cleanups
* some spelling and backticks.
* Expand spelling exemptions dictionary slightly
* Correctly spell routable.
* Address reviewer comments. Needed a rebase in the process.
* A minor consistency change
* Address reviewer comments.
* Add a caveats and known issue tracker to the documentation Early on during review of this PR, I believe there was a review asking for caveats, but it has disappeared from the github comments.
* Make istio.io support quality print output. (#1163)
  - Get rid of all the chrome when printing a page. So no headers, sidebars, etc.
  - Ensure that PRE blocks are fully expanded when printing instead of showing a scroll bar.
  - Generate endnotes for each page printed which lists the URLs of the various links on the page. Each link site is annotated with a superscript number referencing this table.
* Update doc for TCP periodical report. (#1095)
* Update doc for TCP periodical report.
* Add report response arrow into svg.
* Reference: https://istio.io/docs/reference/config/istio.routing.v1alpha1.html#StringMatch (#1180)
* Fix broken links caused by changes in istio/istio.
* Update reference docs.
* Improve sidenav behavior on mobile. (#1173) The sidenav now hovers over the main text instead of pushing the main text sideways. The rendering of the sidenav toggler button now matches the "back to top" button I added last week.
* Bunch of improvements (#1181)
  - New visuals for the sailboat in the header. It now overflows the header.
  - The TOC now highlights the currently displayed portion of the current page. As you scroll through the doc, the selected entry updates accordingly.
  - Add previous/next page links in every doc page. These used to be present only in blog posts, but they're useful everywhere.
  - Fix a few off-by-one formatting errors that stemmed from using a mix of min-width and max-width throughout the stylesheet. This caused some strange formatting to happen at specific window widths. Now, we're consistently using min-width and everything lines up properly.
  - Improved footer formatting so it looks better on mobile.
  - Only display the TOC on XL screens, otherwise it wraps too much. Screens smaller than XL now all get the inlined TOC instead.
  - Add support for pages to request that the TOC be generated inline instead of in a sidebar. This is useful for pages that have headings which cause too much wrapping in the TOC, such as the Troubleshooting Guide.
  - Add some blank space between an inlined TOC and the main text so that things don't look so crowded, especially when printing.
  - Inline the sailboat SVG into each page. This avoids a network roundtrip and allows the SVG to be controlled with the same CSS as everything else.
  - Eliminate a huge amount of redundancy in the four main layout files for the site. They now share a single primary.html include file which carries most of the weight. This will avoid having to constantly make the same change in four different files.
  - Improve the generated HTML for <figure> elements which makes things better for screen readers.
  - Simplify the HTML & CSS for the footer.
* Fix indent issue (#1182)
* Rename Istio CA to Citadel. (#1179)
* Update feature-stages.md (#1183) Updates to features as of 0.7 release
* Update Helm Documentation (#1168)
* Modify minimum pin of Istio version with Helm and improve prereqs
* Add section describing briefly how to use helm without tiller
* Change heading description for Helm method and add upgrade warning
* Make common customization options table match current master
* Subsection the two methods for installing with Helm
* Remove Helm keys from .spelling. Add FQDNs as an acronym.
* Backtick the keys and defaults, values.yaml, and fix 1 spelling error
* Add uninstall instructions for both kubectl and helm with tiller
* Place backticks around architecture platforms and correctly list them
* Show both uninstall methods (kubectl & Helm)
* Remove two extra CRs
* Fix yaml linting errors
* Link to requirements for automatic sidecar injection.
* Change istio-auth to istio for rendering
* Address reviewer comments.
* Fix linting error.
* Notify operator they need capability to install service accounts.
* Fix lint error
* Switch to PrismJS for syntax highlighting. (#1184) Instead of doing syntax highlighting statically in Jekyll, we now go back to the PrismJS library we used in the 0.2-0.4 timeframe. It used to be problematic, but the cause for the problems has been addressed a while ago. This gives us highlighting for non-markdown content, such as dynamically loaded PRE blocks and PRE blocks that come from HTML generated from protos.
* Adding info about new expression language methods. (#1186) Adding info about dnsName, email, and uri functions.
* Fix typo liveliness -> liveness (#1188)
* Fix typo liveliness -> liveness Add mdspell dependency to gem installations
* Add backticks around firebase deploy command
* Fix a few bugs. (#1187)
  - The slide-in sidenav used on mobile went all crazy when text got too long in the expanded panel. We now set a max width to trigger controlled wrapping and avoid the nasties.
  - The hamburger menu that replaces the link in the top header on small screens didn't render right on medium-sized screens (a.k.a. portrait-mode tablets). I had one of my breakpoints set inconsistently.
  - Dynamically loaded PRE blocks were not being syntax colored, now they are.
  - The Links endnote section created for printing pages was not deduping identical links.
  - The Links endnote section contained entries for the next/previous links which are normally at the bottom of each page. These links aren't visible when printing and so shouldn't appear in the Links endnote section.
* Add rocket chat to our footer & community page. (#1189) Also, update the mailing list icon on the community page to match what we use in the footer.
* Add instructions to integrate Istio with existing Endpoints services. (#1164)
* Add multitenancy blog (#1119)
* Add multitenancy blog
* Update soft-multitenancy.md
* Update soft-multitenancy.md
* Add multitenancy blog
* Add blog entry for configuring aws nlb for istio ingress (#1165)
* Don't add links from figures into endnotes.
(#1192)
  - The prior design for avoiding links for figures was brittle and was in fact broken. Now it's more robust.
* [ImgBot] optimizes images (#1193)
  *Total -- 683.39kb -> 440.68kb (35.52%)
  /_blog/2018/img/roles_summary.png -- 101.32kb -> 61.03kb (39.77%)
  /_blog/2018/img/policies.png -- 244.70kb -> 148.25kb (39.41%)
  /_blog/2018/img/attach_policies.png -- 48.65kb -> 31.59kb (35.06%)
  /_blog/2018/img/createpolicyjson.png -- 120.21kb -> 80.63kb (32.93%)
  /_blog/2018/img/create_policy.png -- 86.38kb -> 60.62kb (29.82%)
  /_blog/2018/img/createpolicystart.png -- 82.12kb -> 58.55kb (28.7%)
* Update circuit break use existing file. (#1091)
* Add proper link to Helm and Multicluster feature stages (#1196)
* Update multicluster installation to match master (#1195)
* Add a trailing / on a URL that was returning a 301
* Update multicluster installation to match master Big usability improvements have been made. Document the new workflow for multicluster.
* Address reviewer comments.
* Fix linting problem
* Fix docker run command (#1201) The command as it stands will fail with "Gemfile not found". The working directory should be set to $(pwd) as well to start execution in the istio.github.io directory and find the Gemfile.
* remove installation instructions for prometheus (#1199)
* remove installation instructions for prometheus
* more doc fixes for 0.8
* Add request.auth.claims and update source.user, source.principal, and (#1205) request.auth.principal
* Fix command to build & serve site locally using docker (bad workdir) (#1206)
* Add attributes into documentation.
(#1200)
* add a step to define ingress gateway in bookinfo guide (#1207)
* add a step to define ingress gateway in bookinfo guide following istio/istio#5113
* make ingress gateway lower case
* Fix broken link in README.md (#1209)
* Adding Azure support instructions (#1202)
* adding docs for Azure
* minor misspelling fix
* adding acronyms
* removing blank line
* changing bash output to reflect only necessary flags
* fixing grammar errors
* Fix link to IBM cloud private (#1216)
* Typo fix (#1208)
* clarify we support more than just k8s (#1212)
* Update reference docs. (#1219)
* Quiet GitHub warning
* v1alpha3 routing blog (#1190)
* Clarify istio.io/preliminary.istio.io stuff (#1221)
* add galley.enabled option to helm instructions (#1222)
* Fix naming collision (#1226) ingressgateway and ingress both match the grep, resulting in incorrect ingress name being produced in troubleshooting guide.
* adding the recommended namespace (#1218)
* adding the recommended namespace istio/old_issues_repo#312
* add the recommended namespace
* add creating the namespace
* correct typos
* only need to create namespace for the template approach
* Introduce support for new fangled PRE blocks. (#1224) Instead of having to have two PRE blocks, one for commands and one for the output, we can now have a single PRE block and we take care of rendering things to show the command vs. the output. The Copy button on such a thing only copies the command, and not the output. We now also show a $ on command-lines, but the Copy button doesn't copy that and knows to just copy the usable part of the command-line.
* 0.8 release notes. (#1223)
* Fix incorrect behavior of the sidenav when dealing with long non-wrapping page titles. (#1229)
  - When I was last fiddling with the sidenav on mobile, I messed up the sizing for non-mobile cases. This caused the sidenav to grow beyond its expected size when presented with long non-wrapping page titles. The text is now wrapped instead as it should.
  - Shrank the font size of the list items in the sidenav to 85% to reduce the amount of wrapping that happens.
  - Reduce the right margin in the side nav to again try to reduce the amount of wrapping.
* Update content to help upcoming migration from Jekyll to Hugo (#1232)
  - In front matter, order: and overview: are now weight: and description:
  - In front matter, we generally don't need layout: and use config to assign layouts automatically
  - Remove the useless type: front-matter entries, the type is inferred from the file extension.
* Improves multicluster documentation (#1217)
* Improves multicluster documentation Improve documentation based upon fresh eyes running through the documented process.
* Address reviewer comments.
* More refinement.
* Exclude rule MD028 Rule 028 is: https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md028---blank-line-inside-blockquote The rationale below cut and pasted from markdownlint seems valid for the general case, however, our MD parser always produces separate block-quotes, which is what I am after in this PR. I think other people will prefer our renders of blockquotes (separate blockquotes); Rationale: Some markdown parsers will treat two blockquotes separated by one or more blank lines as the same blockquote, while others will treat them as separate blockquotes.
* Improve the doc to apply istio-auth.yaml (#1227)
* Fix doc (#1228)
* Task/guide updates for v1alpha3 (#1231)
* Task/guide updates for v1alpha3
* fix typo
* remove trailing spaces
* tweaks
* Corrections and clarifications (#1238)
* clarify https external services support (#1239)
* clarify https external services support
* spelling error
* Hopefully finally really fix the issues with the sidenav on small screens. (#1240)
* fix manual sidecar injection docs for helm template changes (#1211) Addresses #1210
* Switch most uses of ```bash to ```command. (#1242) This takes advantage of the new rendering for command-lines and their outputs.
* Fixes to the doc after testing/reviewing it with release-0.8 istio branch (#1244)
* update format of a tcp ServiceEntry (#1237)
* Remove broken link. (#1250)
* WIP PR for v1alpha3 task corrections (#1247)
* ingress task corrections
* fault injection task version wrong
* Fault task corrections (#1253)
* update samples to align with latest proto definition (#1254)
* Traffic Shifting Review - Fixed wrong links (#1259)
* rbac.md: unindent yaml files (#1257) also fixed a typo Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
* Create istio namespace before install remote cluster. (#1243)
* update instructions for gke-iam (#1260)
* Remove a broken link. (#1263)
* Fix another broken link. (#1265)
* [ImgBot] optimizes images (#1264)
  *Total -- 73.77kb -> 65.13kb (11.72%)
  /_docs/setup/kubernetes/img/dm_gcp_iam_role.png -- 38.54kb -> 33.47kb (13.15%)
  /_docs/setup/kubernetes/img/dm_gcp_iam.png -- 35.23kb -> 31.65kb (10.15%)
* Fixes #1241 (#1258)
* Added namespace when creating helm template. (#1234)
* Add istioctl proxy-config to the troubleshooting section (#1267)
* Fix istioctl proxy-config link to not point at prelim docs (#1269) Because that would be a dumb thing to do
* Update how we insert images to make a transition from Jekyll to Hugo easier. (#1275)
* Change publish_date front-matter to publishdate to aid in the Jekyll to Hugo migration. (#1276)
* Remove stray quotes.
* Shorten long titles and descriptions. (#1278)
* Fix aspect ratio of a couple images. (#1277) The incorrect aspect ratio value was leading to spurious top/bottom padding on the images. Also, delete unnecessary .png version of some .svg files.
* Revert "Rebase from Istio Master (#2)" (#3) This reverts commit 6122f38.
* Add missing feature links This change adds some of the missing feature links to the feature-stages page.
* Fixes the API key location API key location was wrong
* Add attribute connection.mtls into documentation.
* Revise per comment.
* Add missing feature links (#1280)
* Rebase from Istio Master (#2)
* add example for disabling injection (#1021)
* Updated reference docs. (#1045)
* Add task for Istio CA health check. (#1038)
* Add task for Istio CA health check.
* Small fix.
* Small fix.
* Updates troubleshooting guide to add pilot (#1037)
* Fix misnamed link (#1050)
* update document generation for istioctl (#1047)
* Hack to get ownership of Google analytics account for the site.
* Don't need the analytics hack no more...
* Make the rake test ensure that we use {{home}} consistently. (#1053) We now generate the test site into a subdirectory such that we can ensure all links are correctly using {{home}}, which makes the site work correctly once archived. Fixed a bunch of broken cases.
* Reduce the visual weight of code blocks so they don't break up the page so much. (#1054)
* Introduce support for building the site in "preliminary" mode. (#1052)
* Notes for 0.6 (#1048)
* Refresh version selection menu given 0.6.
* update instructions for mesh expansion (#1056)
* update instructions for mesh expansion
* remove ISTIO_STAGING references
* Specify --debug option to use docker.io/istio/proxy_debug image for (#1057) deployment.
* Update reference docs.
* Update Quick start Doc (#1059) Fix Typo
* Update Istio RBAC document to reflect sample changes. (#1062)
* Fix typo in Cleanup section (#1061)
* clarify verification of injected proxy with automatic injection (#1024)
* Fix wrong port number (#1041)
* Sidecar proxy help (#1044)
* Use same instance name in Mixer config example (#1051)
* Add a bunch of redirects for old pages (#1066) The Google Crawl Engine reported a bunch of broken links pointing into istio.io. This adds redirects so that these links work.
  Add a hack such that the gear menu logic that lets you time travel through versions of the site will insist that if a page existed in a given version, it must also exist in subsequent versions. This will ensure we always create redirects when we move site content, and thus avoid breaking links into the site. If a page is moved or removed, this will lead to rake test errors when checking the content of archive.istio.io.
* Update reference docs.
* Fix bad formatting.
* Fix typos.
* Update reference docs.
* Eliminate flickering on page load. (#1068)
  - Fix another issue with my arch-nemesis, the Copy button. My last fix for Copy button issues resulted in screen flickering upon page loading. This is now fixed.
  - Pin the size of the gear and magnifying glass icons in the header to avoid flicker as the fonts for those render a few ms too late and lead to flickering on page load.
  - Cleaned up the site's JavaScript for clarity, and include minimized versions in the site for improved perf.
* Improve formatting. (#1070)
  - Remove the silly right indent used for list items. This was throwing away a lot of useful screen real estate on mobile.
* Add support for dynamically inserting file content into the site. (#1069) This is useful for pulling in content straight from GitHub on the fly, rather than cut & pasting it into the site.
* Update sidecar AWS verification (#1060)
* Update sidecar AWS verification Add verification without ssh access on master node. Perform check directly with kubectl client.
* Update sidecar injection Docs Update with @ayj remarks
* Update link Update link for managing tls in a cluster, add a '/'
* Fix links. (#1073)
  - Add a / to links pointing to directories
  - Switch a bunch of links from http: to https:
* master branch is now served from preliminary.istio.io (#1075)
* Setup 0.7.
* Forgot to update releases.yml.
* Update README
* Consolidate cluster prerequisites for webhooks into k8s quick start (#1077) The automatic sidecar injection has its own set of k8s install instructions for webhooks. This overlaps with the general k8s install instructions. We'll also introduce server-side configuration webhooks which need the same prerequisites.
* Add missing .html suffix on some links. (#1080)
* A few more link fixes (#1081)
* Fix handling of legacy community links.
* Add missing .html extension on search page reference.
* Add Certificate lifetime configuration in FAQ. (#1079)
* Update reference docs.
* Fix some newly broken links. (#1082)
* Update reference docs.
* Remove empty document. (#1085)
* Update Ansible documentation to reflect change in Jaeger addon (#1049)
* Update Ansible documentation to reflect change in Jaeger addon Relates to: istio/istio#3603
* Small polish to Ansible documentation
* Remove extra tilde in the docs (#1087) Fixes #1004
* [WIP] Update traffic routing tasks to use v1alpha3 config (#1067)
* use v1alpha3 route rules
* circuit breaking task updated to v1alpha3
* convert mirroring task to v1alpha3
* convert egress task to v1alpha3
* Egress task corrections and clarifications
* use simpler rule names
* move new tasks to separate folder (keep old versions around for now)
* update example outputs
* egress tcp task
* fix broken refs
* more broken refs
* improve wording
* add missing include home.html
* remove ingress task - will create a replacement in followup PR
* Improve sorting algorithm to use document title and not just document URL. (#1089) This makes it so documents in the same directory get sorted by document title instead of by the URL name (unless they have an order: directive, which takes precedence over alpha order)
* Istio RBAC doc fix. (#1093)
* Improve readability
* Add one more faq for secret encryption (#1096)
* Add note to have debug version of proxy for curl command (#1097)
* Delete some old stuff we don't need anymore.
* Delete some old stuff we don't need anymore.
* Fix problem preventing proper section indices in the "About" section of the site.
* Revise note to install curl (#1098)
* Revise note to install curl
* Revise note to install curl
* Address comment
* Fix bug with the Copy button and proto documentation.
  - HTML generated from protos encodes preformatted blocks with <pre><code></code></pre>, while HTML generated through Jekyll's markdown converter wraps an extra <div> around the block. The logic to insert the Copy button on preformatted blocks was assuming the presence of this DIV. If the DIV is not present on input, we now explicitly add one which makes things work.
* Update reference docs.
* Fix bug that was messing up all the index pages in the site. (#1100) Fix newly broken k8s link along the way...
* Revise curl instruction in master branch (#1107)
* Update intro.md (#1110)
* Update intro.md Updating info per Wencheng's suggestion
* Update intro.md
* WIP - Combined ingress/gateway task for v1alpha3 (#1094)
* First pass combined ingress/gateway task
* Add verifying gateway section
* clarifications
* fix broken link
* fix build broken
* address review comments
* fix small grammar issue (#1112)
* Fix a few bugs and add a feature. (#1111)
  - Link injection for document headers has been broken for a while due to my misunderstanding of the "for in" syntax in JavaScript. This now works as expected.
  - Same problem also prevented the feature that causes every link to outside of istio.io to be opened in a separate window. This now works as intended.
  - Made the gear dropdown menu be right-aligned such that it doesn't go off-screen on portrait mode tablets.
  - Stop importing Popper.js since it's only needed for dropdown menus that aren't in the nav bar. Ours is in a nav bar...
  - Added link injection for <dt> terms, which makes it easy to create links to individual glossary entries.
* 0.7 notes (#1101)
* Add an entry about creating quality hyperlinks.
(#1114)
* 0.2.12 typo fix + doc link should be to docs/ directly + ... (#1115)
* 0.2.12 doc link should be to docs/ directly + note about shell security
* fix typo (for for)
* Revise wording and linking Drop the double TOC (this page has very little traffic anyway)
* Fix inconsistent header use in this doc.
* Fix invalid index page.
* Update servicegraph docs with new viz. (#1074)
* Fix mobile navigation issues. (#1118) When on mobile, the left sidebar is hidden by default. To make navigation easier, we allow the user to browse the site entirely through the various index sections which provide links to all articles. This wasn't working for the About and Blog links at the top of the page since they send you to a direct page instead of to the relevant navigation page. So...
  - Made the About link point to the about section's index page.
  - Each blog page now contains a link to the next and previous blog post.
* [ImgBot] optimizes images (#1120)
  /_docs/tasks/telemetry/img/servicegraph-example.png -- 41.49kb -> 28.62kb (31.03%)
* Add documentation for upgrade (#1108)
* Add upgrade doc and fixing a broken link.
* revert one file.
* Refine the doc.
* Move the doc.
* Fix syntax.
* Fix syntax
* Fix syntax
* Make non-manifest based installers have similar titles and overviews (#1086)
* Make the setup page a little more consistent.
* Make non-manifest based installers have similar titles and overviews
* Shorten the overview, tidy up the title, and add a helm.html redirect
* Installation typo in both files
* Fix inconsistent header use in this doc. (#1117)
* Improve layout on phone.
  - We shrink the height of the header and footer when on mobile.
  - We shrink the header font based on screen width, to avoid the nav bar being split on two lines which leads to all sorts of bad things happening
* Since we shrink the brand more aggressively, allow the navbar to be displayed until the next bp.
* Oops, left a debugging change in accidentally, reverting.
* Add Istio mTLS support for https service demo (#1121)
* Add Istio mTLS support for https service demo
* Address comment
* Address comment
* Address comment
* Fix more headers. (#1126)
* Update procedures to access the team drive.
* Fix broken links, causing HTML proofer in circleci gates to fail (#1132)
* Fix broken links, causing HTML proofer in circleci gates to fail
* Add the same missing links to sidecar-injection.md
* Refine Helm installation warning. (#1133) Helm charts are unstable prior to 0.7. Remove the red warning and instead add a simple notice that Helm charts =<0.7 are not functional.
* Fix typo In AWS (w/Kops) section: "openned" should be "opened"?
* prepare_proxy was refactored into istio-proxy (#1134)
* In Note 1: Consul modified to Eureka (#1122)
* Revamped nav header for better mobile experience. (#1129)
  - We now only use the skinny version of the navbar instead of dynamically switching based on viewport size. This looks cleaner, giving more screen space to the content rather than our chrome.
  - The search textbox is replaced with a search button. Clicking the button brings up the search textbox. This looks less cluttered and works considerably better on smaller screens.
  - When on a phone and the nav links are collapsed into a hamburger menu, cleanly show the search box in the menu that comes up when you click the hamburger.
  - Remove the down arrow next to the cog, it's superfluous and things look cleaner without it.
* Add one faq item for istio on https service (#1127)
* Add one faq item for istio on https service
* Address comment
* Address comment
* Simplify the demo of plugin ca cert. (#1138)
* Update IBM Cloud Container Service (IKS) k8s setup instructions (#1136) Copy IKS specific instructions from #1072 to general k8s setup page.
* Revamp the footer. (#1137)
  - Remove all the redundant stuff and emphasize community resources via icons.
  - Move the "Report a doc bug" and "Edit this page on GitHub" options to the gear menu.
  - Use Jekyll "include" support to store the landing page's artwork in external SVG files instead of directly embedded in the HTML. Much nicer.
* Switching to 0.8.
* Update README
* Add placeholder 0.8 file to fix rake tests
* Create Owners
* Fix markdown (#1140)
* Cleans up the readability of the Ansible Installation (#1130)
* Cleans up the readability of the Ansible Installation
  Run through a yaml linter
  Run through spell | sort | uniq
  Reorganized to semi-match the Helm installation page as they have similar functionality
  There are things I like about how this document is structured now and will carry those over to the Helm documentation in the future as time permits.
* Remove customization example as suggested during the review
* Change Openshift->OpenShift
* Add labels over community icons in the footer. (#1142)
* Remove $ sign in command since it breaks the copy button (#1143)
* Update 0.7.md (#1144) helm is working in master branch but not in 0.7.1
* Fix bug caused by #1138 (#1145)
* Switch back to normal html-proofer (#1146) As my PR was merged Fixes #849
* Setup for linting markdown files. (#1147)
  - linters.sh will run spell-checking and a style checker on markdown files.
  - Fix a whole bunch of typos and bad markdown content throughout. There are many more fixes to come before we can enable the linters as a checkin gate, but this takes care of a majority of items. More to come later.
* Finish fixing remaining lint errors
* Make spell checking and style checking part of our doc checkin gate. (#1154)
* Update
* Inline the TOC on mobile.
  - For small screens that don't have room for the righthand TOC, we now display the TOC inline in the main document. This substantially improves navigation on mobile.
  - Fix the scroll offset which was off by a bit since the switch to the skinny header.
* Update reference docs.
* Improve mobile experience.
(#1158)
  - The two call to action buttons on the landing page are now displayed one on top of the other on small screens instead of next to one another.
  - On mobile, when you scroll down a page, an arrow shows up in the top right of the screen to let you scroll back to the top of the page. This is mighty handy since on mobile there isn't a TOC available to click on.
  - Add some convenient links on the docs' section landing page.
* Accessibility improvements. (#1159)
* www.yaml.org went missing - yaml.org seems to work. (#1166) sdake@falkor-08:~/go/src/istio.io/istio.github.io/_docs$ dig www.yaml.org ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.yaml.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34828 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.yaml.org. IN A ;; Query time: 917 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Apr 08 09:10:51 MST 2018
* Authn policy concept and tutorial. (#1128)
* fix service account names in the instructions for OpenShift (#1083) This commit replaces the service account names for grafana and prometheus in the instructions to set the security context constraints for OpenShift.
* Improve plugin cert task for better UX. (#1150)
* Update Security section in Istio overview (#1170)
* Update Security section in Istio overview
* Fix comment
* Update documentation for automatic sidecar injection webhook. (#1169)
* Add multicluster deployment documentation to Istio (#1139)
* Add multicluster deployment documentation to Istio
* Change *Ip to *Endpoint as per request
* Fix a typo
* Address all reviewer comments Note, SVG diagram will be handled as a follow-on PR.
* Fix legitimate spelling errors found by gate
* Some backticks to fix spelling errors and other misc cleanups
* some spelling and backticks.
* Expand spelling exemptions dictionary slightly
* Correctly spell routable.
* Address reviewer comments. Needed a rebase in the process.
* A minor consistency change
* Address reviewer comments.
* Add a caveats and known issue tracker to the documentation Early on during review of this PR, I believe there was a review asking for caveats, but it has disappeared from the github comments.
* Make istio.io support quality print output. (#1163)
  - Get rid of all the chrome when printing a page. So no headers, sidebars, etc.
  - Ensure that PRE blocks are fully expanded when printing instead of showing a scroll bar.
  - Generate endnotes for each page printed which lists the URLs of the various links on the page. Each link site is annotated with a superscript number referencing this table.
* Update doc for TCP periodical report. (#1095)
* Update doc for TCP periodical report.
* Add report response arrow into svg.
* Reference: https://istio.io/docs/reference/config/istio.routing.v1alpha1.html#StringMatch (#1180)
* Fix broken links caused by changes in istio/istio.
* Update reference docs.
* Improve sidenav behavior on mobile. (#1173) The sidenav now hovers over the main text instead of pushing the main text sideways. The rendering of the sidenav toggler button now matches the "back to top" button I added last week.
* Bunch of improvements (#1181)
  - New visuals for the sailboat in the header. It now overflows the header.
  - The TOC now highlights the currently displayed portion of the current page. As you scroll through the doc, the selected entry updates accordingly.
  - Add previous/next page links in every doc page. These used to be present only in blog posts, but they're useful everywhere.
  - Fix a few off-by-one formatting errors that stemmed from using a mix of min-width and max-width throughout the stylesheet. This caused some strange formatting to happen at specific window widths. Now, we're consistently using min-width and everything lines up properly.
  - Improved footer formatting so it looks better on mobile.
- Only display the TOC on XL screens, otherwise it wraps too much. Screens smaller than XL now all get the inlined TOC instead. - Add support for pages to request that the TOC be generated inline instead of in a sidebar. This is useful for pages that have headings which cause too much wrapping in the TOC, such as the Troubleshooting Guide. - Add some blank space between an inlined TOC and the main text so that things don't look so crowded, especially when printing. - Inline the sailboat SVG into each page. This avoids a network roundtrip and allows the SVG to be controlled with the same CSS as everything else. - Eliminate a huge amount of redundancy in the four main layout file for the site. They now share a single primary.html include file which carries most of the weight. This will avoid having to constantly make the same change in four different files. - Improve the generated HTML for <figure> elements which makes things better for screen readers. - Simplify the HTML & CSS for the footer. * Fix indent issue (#1182) * Rename Isito CA to Citadel. (#1179) * Update feature-stages.md (#1183) Updates to features as of 0.7 release * Update Helm Documentation (#1168) * Modify minimum pin of Istio version with Helm and improve prereqs * Add section describing briefly how to use helm without tiller * Change heading description for Helm method and add upgrade warning * Make common customization options table match current master * Subsection the two methods for installing with Helm * Remove Helm keys from .spelling. Add FQDNs as an acronym. * Backtick the keys and defaults, values.yaml, and fix 1 spelling error * Add uninstall instructions for both kubectl and helm with tiller * Place backticks around architecture platforms and correctly list them * Show both uninstall methods (kubectl & Helm) * Remove two extra CRs * Fix yaml linting errors * Link to requirements for automatic sidecar injection. * Change istio-auth to istio for rendering * Address reviewer comments. 
* Fix linting error. * Notify operator they need capability to install service accounts. * Fix lint error * Switch to PrismJS for syntax highlighting. (#1184) Instead of doing syntax highlighting statically in Jekyll, we now go back to the PrimsJS library we used in the 0.2-0.4 timeframe. It used to be problematic, but the cause for the problems have been addressed a while ago. This gives us highlighting for non-markdown content, such as dynamically loaded PRE blocks and PRE blocks that come from HTML generated from protos. * Adding info about new expression language methods. (#1186) Adding info about dnsName, email, and uri functions. * Fix typo liveliness -> liveness (#1188) * Fix typo liveliness -> liveness Add mdspell dependency to gem installations * Add backticks around firebase deploy command * Fix a few bugs. (#1187) - The slide-in sidenav used on mobile went all crazy when text got too long in the expanded panel. We now set a max width to trigger controlled wrapping and avoid the nasties. - The hamburger menu that replaces the link in the top header on small screens didn't render right on medium-sized screens (a.k.a. portrait-mode tablets). I had one of my breakpoints set inconsistently. - Dynamically loaded PRE blocks were not being syntax colored, now they are. - The Links endnote section created for printing pages was not dedupping identical links. - The Links endnote section contained entries for the next/previous links which are normally at the bottom of each page. These links aren't visible when printing and so shouldn't appear in the Links endnote section. * Add rocket chat to our footer & community page. (#1189) Also, update the mailing list icon on the community page to match what we use in the footer. * Add instructions to integrate Istio with existing Endpoints services. 
(#1164) * Add multitenancy blog (#1119) * Add multitenancy blog * Update soft-multitenancy.md * Update soft-multitenancy.md * Add multitenancy blog * Add blog entry for configuring aws nlb for istio ingress (#1165) * Don't add links from figures into endnotes. (#1192) - The prior design for avoiding links for figures was brittle and was in fact broken. Now it's more robust. * [ImgBot] optimizes images (#1193) *Total -- 683.39kb -> 440.68kb (35.52%) /_blog/2018/img/roles_summary.png -- 101.32kb -> 61.03kb (39.77%) /_blog/2018/img/policies.png -- 244.70kb -> 148.25kb (39.41%) /_blog/2018/img/attach_policies.png -- 48.65kb -> 31.59kb (35.06%) /_blog/2018/img/createpolicyjson.png -- 120.21kb -> 80.63kb (32.93%) /_blog/2018/img/create_policy.png -- 86.38kb -> 60.62kb (29.82%) /_blog/2018/img/createpolicystart.png -- 82.12kb -> 58.55kb (28.7%) * Update circuit break use existing file. (#1091) * Add proper link to Helm and Multicluster feature stages (#1196) * Update multicluster installation to match master (#1195) * Add a trailing / on an URL that was returning a 301 * Update multicluster intallation to match master Big usability improvements have been made. Document the new workflow for multicluster. * Address reviewer comments. * Fix linting problem * Fix docker run command (#1201) The command as it stands will fail with "Gemfile not found". The working directory should be set to $(pwd) as well to start execution in the istio.github.io directory and find the Gemfile. * remove installation instructions for prometheus (#1199) * remove installation instructions for prometheus * more doc fixes for 0.8 * Add request.auth.claims and update source.user, source.principal, and (#1205) request.auth.principal * Fix command to build & serve site locally using docker (bad workdir) (#1206) * Add attributes into documentation. 
(#1200) * add a step to define ingress gateway in bookinfo guide (#1207) * add a step to define ingress gateway in bookinfo guide following istio/istio#5113 * make ingress gateway lower case * Fix broken link in README.md (#1209) * Adding Azure support instructions (#1202) * adding docs for Azure * minor misspelling fix * adding acronyms * removing blank line * changing bash output to reflect only necessary flags * fixing grammar errors * Fix link to IBM cloud private (#1216) * Typo fix (#1208) * clarify we support more than just k8s (#1212) * Update reference docs. (#1219) * Quiet GitHub warning * v1alpha3 routing blog (#1190) * Clarify istio.io/preliminary.istio.io stuff (#1221) * add galley.enabled option to helm instructions (#1222) * Fix naming collision (#1226) ingressgateway and ingress both match the grep, resulting in incorect ingress name being produced in troubleshooting guide. * adding the recommended namespace (#1218) * adding the recommended namespace istio/old_issues_repo#312 * add the recommended namespace * add creating the namespace * correct typos * only need to create namespace for the template approach * Introduce support for new fangled PRE blocks. (#1224) Instead of having to have two PRE blocks, one for commands and one for the output, we can now have a single PRE block and we take care of rendering things to show the command vs. the output. The Copy button on such a thing only copy the command, and not the output. We now also show a $ on command-lines, but the Copy button doesn't copy that and knows to just copy the usable part of the command-line. * 0.8 release notes. (#1223) * Fix incorrect behavior of the sidenav when dealing with long non-wrapping page titles. (#1229) - When I was last fiddling with the sidenav on mobile, I messed up the sizing for non-mobile cases. This cause the sidenav to grow beyond its expected size when presented with long non-wrapping page titles. The text is now wrapped instead as it should. 
- Shrank the font size of the list items in the sidenav to 85% to reduce the amount of wrapping that happens. - Reduce the right margin in the side nav to again try to reduce the amount of wrapping. * Update content to help upcoming migration from Jekyll to Hugo (#1232) - In front matter, order: and overview: are now weight: and description: - In front matter, we generally don't need layout: and use config to assign layouts automatically - Remove the useless type: front-matter entries, the type is infered from the file extension. * Improves multicluster documentation (#1217) * Improves multicluster documentation Improve documentation based upon fresh eyes running through the documented process. * Address reviewer comments. * More refinement. * Exclude rule MD028 Rule 028 is: https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md028---blank-line-inside-blockquote The rationale below cut and pasted from markdownlint seems valid for the general case, however, our MD parser always produces seprate block-quotes, which is what I am after in this PR. I think other people will prefer our renders of blockquotes (separate blockquotes); Rationale: Some markdown parsers will treat two blockquotes separated by one or more blank lines as the same blockquote, while others will treat them as separate blockquotes. * Improve the doc to apply istio-auth.yaml (#1227) * Fix doc (#1228) * Task/guide updates for v1alpha3 (#1231) * Task/guide updates for v1alpha3 * fix typo * remove trailing spaces * tweaks * Corrections and clarifications (#1238) * clarify https external services support (#1239) * clarify https external services support * spelling error * Hopefully finally really fix the issues with the sidenav on small screens. (#1240) * fix manual sidecar injection docs for helm template changes (#1211) Addresses #1210 * Switch most uses of ```bash to ```command. (#1242) This takes advantage of the new rendering for command-lines and their outputs. 
* Fixes to the doc after testing/reviewing it with release-0.8 istio branch (#1244) * update format of a tcp ServiceEntry (#1237) * Remove broken link. (#1250) * WIP PR for v1alpha3 task corrections (#1247) * ingress task corrections * fault injection task version wrong * Fault task corrections (#1253) * update samples to align with latest proto definition (#1254) * Traffic Shifting Review - Fixed wrong links (#1259) * rbac.md: unindent yaml files (#1257) also fixed a typo Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com> * Create istio namespace before install remote cluster. (#1243) * update instructions for gke-iam (#1260) * Remove a broken link. (#1263) * Fix another broken link. (#1265) * [ImgBot] optimizes images (#1264) *Total -- 73.77kb -> 65.13kb (11.72%) /_docs/setup/kubernetes/img/dm_gcp_iam_role.png -- 38.54kb -> 33.47kb (13.15%) /_docs/setup/kubernetes/img/dm_gcp_iam.png -- 35.23kb -> 31.65kb (10.15%) * Fixes #1241 (#1258) * Added namespace when create helm template. (#1234) * Add istioctl proxy-config to the troubleshooting section (#1267) * Fix istioctl proxy-config link to not point at prelim docs (#1269) Because that would be a dumb thing to do * Update how we insert images to make a transition from Jekyll to Hugo easier. (#1275) * Change publish_date front-matter to publishdate to aid in the Jekyll to Hugo migration. (#1276) * Remove stray quotes. * Shorten long titles and descriptions. (#1278) * Fix aspect ratio of a couple images. (#1277) The incorrect aspect ratio value was leading to spurious top/bottom padding on the images. Also, delete unecessary .png version of some .svg files. * Revert "Rebase from Istio Master (#2)" (#3) This reverts commit 6122f38. * Add ,missing feature links This change adds some of the missing feature links to the feature-stages page. * Fixes the API key location API key location was wrong