diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index fc7a3eb376bed..7f63f1eb9c241 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -2452,7 +2452,7 @@

istioctl experimental revision

Examples

-
  # View the details of a revision named 'canary'    
+
  # View the details of a revision named 'canary'
   istioctl experimental revision describe canary
 
   # View the details of a revision named 'canary' and also the pods
@@ -2460,7 +2460,7 @@ 

Examples

istioctl experimental revision describe canary -v # Get details about a revision in json format (default format is human-friendly table format)
- istioctl experimental revision describe canary -v -o json
+ istioctl experimental revision describe canary -v -o json

istioctl experimental revision list

@@ -2518,7 +2518,7 @@

istioctl experimental revision list

Examples

  # View summary of revisions installed in the current cluster
-  # which can be overridden with --context parameter. 
+  # which can be overridden with --context parameter.
   istioctl experimental revision list
 
   # View list of revisions including customizations, istiod and gateway pods
@@ -5631,6 +5631,12 @@ 

Environment variables

If enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures Remote Jwks to let Envoy fetch the Jwks instead of Istiod.
+PILOT_JWT_PUB_KEY_REFRESH_INTERVAL
+Time Duration
+20m0s
+The interval for istiod to fetch the jwks_uri for the jwks public key.
+
+
PILOT_PUSH_THROTTLE Integer 100
diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html
index 388eb8177f6df..6ffb04d7f00ca 100644
--- a/content/en/docs/reference/commands/operator/index.html
+++ b/content/en/docs/reference/commands/operator/index.html
@@ -452,6 +452,12 @@
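Review bot: The new `PILOT_JWT_PUB_KEY_REFRESH_INTERVAL` entry does not say how it relates to the entry directly above it, which hands JWKS fetching to Envoy (Remote Jwks) instead of istiod, so a reader tuning key-rotation lag cannot tell whether the 20m interval applies in that mode. The description also reads awkwardly ("fetch the jwks_uri for the jwks public key"); suggested text: `Interval at which istiod re-fetches the public keys from a RequestAuthentication jwks_uri; a rotated key is not seen until the next fetch.` If, as the neighbouring entry suggests, Envoy fetches the JWKS itself in Remote Jwks mode, state that the interval does not apply there. The identical block is added to the operator, pilot-agent and pilot-discovery pages, so the wording is presumably generated from one source and should be fixed there.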

Environment variables

If enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures Remote Jwks to let Envoy fetch the Jwks instead of Istiod.
+PILOT_JWT_PUB_KEY_REFRESH_INTERVAL
+Time Duration
+20m0s
+The interval for istiod to fetch the jwks_uri for the jwks public key.
+
+
PILOT_PUSH_THROTTLE Integer 100
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index 5561efd679702..30a128db65e48 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -1026,6 +1026,12 @@

Environment variables

If enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures Remote Jwks to let Envoy fetch the Jwks instead of Istiod.
+PILOT_JWT_PUB_KEY_REFRESH_INTERVAL
+Time Duration
+20m0s
+The interval for istiod to fetch the jwks_uri for the jwks public key.
+
+
PILOT_PUSH_THROTTLE Integer 100
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index ada58fa12f998..0373b201a3ee4 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -861,6 +861,12 @@

Environment variables

If enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures Remote Jwks to let Envoy fetch the Jwks instead of Istiod.
+PILOT_JWT_PUB_KEY_REFRESH_INTERVAL
+Time Duration
+20m0s
+The interval for istiod to fetch the jwks_uri for the jwks public key.
+
+
PILOT_PUSH_THROTTLE Integer 100
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html
index 5bb1269b4fea6..f1221ac4e61bf 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html
@@ -118,6 +118,18 @@

IstioOperatorSpec

Identify the revision this installation is associated with. This option is currently experimental.

+ + +No + + + +defaultRevision +bool + +

Identify whether this revision is the default revision for the cluster +This option is currently experimental.

+ No
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index 32b7c97e061a7..7783210d790cd 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -239,9 +239,6 @@

DestinationRule

the destination rule is declared in. Similarly, the value “*” is reserved and defines an export to all namespaces.

-

NOTE: in the current release, the exportTo value is restricted to
-“.” or “*” (i.e., the current namespace or all namespaces).

- No
@@ -694,7 +691,7 @@

OutlierDetection

http2MaxRequests: 1000 maxRequestsPerConnection: 10 outlierDetection:
- consecutiveErrors: 7
+ consecutive5xxErrors: 7
interval: 5m baseEjectionTime: 15m
@@ -717,7 +714,7 @@

OutlierDetection

http2MaxRequests: 1000 maxRequestsPerConnection: 10 outlierDetection:
- consecutiveErrors: 7
+ consecutive5xxErrors: 7
interval: 5m baseEjectionTime: 15m
diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index eab1742f30e8b..a790a57371fb4 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -67,9 +67,9 @@ patch: operation: INSERT_BEFORE value:
- # This is the full filter config including the name and config or typed_config section.
+ # This is the full filter config including the name and typed_config section.
name: "envoy.config.filter.network.custom_protocol"
- config:
+ typed_config:
... - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy match: 
@@ -111,26 +111,30 @@ context: SIDECAR_INBOUND listener: portNumber: 8080 + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" patch: - operation: ADD - filterClass: AUTHZ # This filter will run *after* the Istio authz filter. + operation: INSERT_BEFORE value: # lua filter specification - name: envoy.filters.http.lua - typed_config: + name: envoy.lua + typed_config: "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" inlineCode: | - function envoy_on_request(request_handle) - -- Make an HTTP call to an upstream host with the following headers, body, and timeout. - local headers, body = request_handle:httpCall( - "lua_cluster", - { - [":method"] = "POST", - [":path"] = "/acl", - [":authority"] = "internal.org.net" - }, - "authorize call", - 5000) - end + function envoy_on_request(request_handle) + -- Make an HTTP call to an upstream host with the following headers, body, and timeout. + local headers, body = request_handle:httpCall( + "lua_cluster", + { + [":method"] = "POST", + [":path"] = "/acl", + [":authority"] = "internal.org.net" + }, + "authorize call", + 5000) + end # The second patch adds the cluster that is referenced by the lua code # cds match is omitted as a new cluster is being added - applyTo: CLUSTER @@ -143,12 +147,16 @@ type: STRICT_DNS connect_timeout: 0.5s lb_policy: ROUND_ROBIN - hosts: - - socket_address: - protocol: TCP - address: "internal.org.net" - port_value: 8888 - + load_assignment: + cluster_name: lua_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + protocol: TCP + address: "internal.org.net" + port_value: 8888
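Review bot: The rewritten Lua filter still discards the result of its `httpCall`: `headers` and `body` are bound and then `envoy_on_request` ends, so the request proceeds whatever `/acl` answers and the "authorize call" in this example never denies anything; a reader who copies it gets a no-op ACL check. Either say in the comment that the call is illustrative only, or act on the status, e.g. `if headers[":status"] ~= "200" then request_handle:respond({[":status"] = "403"}, "denied by acl") end`. The new side also names the filter `envoy.lua` while the `filterChain` match added just above uses the canonical `envoy.filters.network.http_connection_manager` / `envoy.filters.http.router` form and the old side used `envoy.filters.http.lua`, so the example now mixes the short legacy name with canonical ones; keep `name: envoy.filters.http.lua`. Dropping `filterClass: AUTHZ` also drops the only statement of where this filter runs relative to Istio's authorization filter; the new `INSERT_BEFORE` the router patch presumably places it after the RBAC filter, which is worth stating in a comment next to `operation: INSERT_BEFORE` since the ordering decides whether the ACL call sees requests Istio already rejected.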

The following example overwrites certain fields (HTTP idle timeout
@@ -177,9 +185,11 @@ patch: operation: MERGE value:
- common_http_protocol_options:
- idle_timeout: 30s
- xff_num_trusted_hops: 5
+ typed_config:
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+ xff_num_trusted_hops: 5
+ common_http_protocol_options:
+ idle_timeout: 30s

The following example inserts an attributegen filter
@@ -249,9 +259,9 @@ grpc_service: envoy_grpc: cluster_name: acme-ext-authz
- initial_metadata:
- - key: foo
- value: myauth.acme # required by local ext auth server.
+ initial_metadata:
+ - key: foo
+ value: myauth.acme # required by local ext auth server.

A workload in the myns namespace needs to access a different ext_auth server
@@ -315,8 +325,10 @@ remote: http_uri: uri: http://my-wasm-binary-uri
- configuration: |
- {}
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
# The second patch instructs to apply the above Wasm filter to the listener/http connection manager. - applyTo: HTTP_FILTER match:
diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html
index 32cef92d8a795..161b6b98e6e45 100644
--- a/content/en/docs/reference/config/networking/gateway/index.html
+++ b/content/en/docs/reference/config/networking/gateway/index.html
@@ -253,8 +253,7 @@ hosts: - mongosvr.prod.svc.cluster.local # name of internal Mongo service gateways:
- - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
- namespace as virtual service.
+ - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
tcp: - match: - port: 27017
@@ -278,8 +277,7 @@ hosts: - mongosvr.prod.svc.cluster.local # name of internal Mongo service gateways:
- - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
- namespace as virtual service.
+ - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
tcp: - match: - port: 27017
diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html
index 7f0af4f90c60e..40fd26c2015cc 100644
--- a/content/en/docs/reference/config/networking/service-entry/index.html
+++ b/content/en/docs/reference/config/networking/service-entry/index.html
@@ -593,13 +593,13 @@ endpoints: - address: us.foo.bar.com ports: - https: 8080 + http: 8080 - address: uk.foo.bar.com ports: - https: 9080 + http: 9080 - address: in.foo.bar.com ports: - https: 7080 + http: 7080

{{}} @@ -949,9 +949,6 @@

ServiceEntry

the annotation “networking.istio.io/exportTo” to a comma-separated list of namespace names.

-

NOTE: in the current release, the exportTo value is restricted to
-“.” or “*” (i.e., the current namespace or all namespaces).

- No
diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html
index fdbb400f46a0f..5501b7e2b1bce 100644
--- a/content/en/docs/reference/config/networking/sidecar/index.html
+++ b/content/en/docs/reference/config/networking/sidecar/index.html
@@ -667,7 +667,7 @@

IstioEgressListener

WorkloadSelector

WorkloadSelector specifies the criteria used to determine if the
-Gateway, Sidecar, or EnvoyFilter or ServiceEntry
+Gateway, Sidecar, EnvoyFilter, or ServiceEntry
configuration can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index 0a1a93fa4bcc6..fd112aef18569 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -512,7 +512,7 @@

Destination

name: example-http protocol: HTTP resolution: DNS
-
+---
apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:
@@ -544,7 +544,7 @@

Destination

name: example-http protocol: HTTP resolution: DNS
-
+---
apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:
@@ -950,7 +950,7 @@

Headers

- headers: request: set:
- test: true
+ test: "true"
route: - destination: host: reviews.prod.svc.cluster.local
@@ -981,7 +981,7 @@

Headers

- headers: request: set:
- test: true
+ test: "true"
route: - destination: host: reviews.prod.svc.cluster.local
@@ -2274,7 +2274,7 @@

HTTPRetry

perTryTimeout Duration -

Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms. +

Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is same value as request timeout of the HTTP route, which means no timeout.

diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html
index 8990ddaf80d17..6797e88414615 100644
--- a/content/en/docs/reference/config/networking/workload-group/index.html
+++ b/content/en/docs/reference/config/networking/workload-group/index.html
@@ -52,7 +52,7 @@ path: /foo/bar host: 127.0.0.1 port: 3100
- scheme: https
+ scheme: HTTPS
httpHeaders: - name: Lit-Header value: Im-The-Best
diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html
index 84162b6725b58..b74b3f41e19c4 100644
--- a/content/en/docs/reference/config/security/authorization-policy/index.html
+++ b/content/en/docs/reference/config/security/authorization-policy/index.html
@@ -59,26 +59,26 @@
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
- name: httpbin
- namespace: foo
+  name: httpbin
+  namespace: foo
 spec:
- action: ALLOW
- rules:
- - from:
-   - source:
-       principals: ["cluster.local/ns/default/sa/sleep"]
-   - source:
-       namespaces: ["test"]
-   to:
-   - operation:
-       methods: ["GET"]
-       paths: ["/info*"]
-   - operation:
-       methods: ["POST"]
-       paths: ["/data"]
-   when:
-   - key: request.auth.claims[iss]
-     values: ["https://accounts.google.com"]
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        principals: ["cluster.local/ns/default/sa/sleep"]
+    - source:
+        namespaces: ["test"]
+    to:
+    - operation:
+        methods: ["GET"]
+        paths: ["/info*"]
+    - operation:
+        methods: ["POST"]
+        paths: ["/data"]
+    when:
+    - key: request.auth.claims[iss]
+      values: ["https://accounts.google.com"]
 

The following is another example that sets action to “DENY” to create a deny policy. @@ -88,17 +88,17 @@

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
- name: httpbin
- namespace: foo
+  name: httpbin
+  namespace: foo
 spec:
- action: DENY
- rules:
- - from:
-   - source:
-       namespaces: ["dev"]
-   to:
-   - operation:
-       methods: ["POST"]
+  action: DENY
+  rules:
+  - from:
+    - source:
+        namespaces: ["dev"]
+    to:
+    - operation:
+        methods: ["POST"]
 

The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the
@@ -113,7 +113,7 @@ selector: matchLabels: app: myapi
- action: audit
+ action: AUDIT
rules: - to: - operation:
@@ -138,12 +138,12 @@

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
- name: policy
- namespace: bar
+  name: policy
+  namespace: bar
 spec:
- selector:
-   matchLabels:
-     app: httpbin
+  selector:
+    matchLabels:
+      app: httpbin
 

The following authorization policy applies to all workloads in namespace foo.

diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html
index d531995e22932..b027a5769708c 100644
--- a/content/en/docs/reference/config/security/request_authentication/index.html
+++ b/content/en/docs/reference/config/security/request_authentication/index.html
@@ -79,19 +79,19 @@

RequestAuthentication

selector: matchLabels: app: httpbin - rules: - - from: - - source: - requestPrincipals: ["issuer-foo/*"] - to: - - operation: - hosts: ["example.com"] - - from: - - source: - requestPrincipals: ["issuer-bar/*"] - to: - - operation: - hosts: ["another-host.com"] + rules: + - from: + - source: + requestPrincipals: ["issuer-foo/*"] + to: + - operation: + hosts: ["example.com"] + - from: + - source: + requestPrincipals: ["issuer-bar/*"] + to: + - operation: + hosts: ["another-host.com"]